diff --git a/.github/vale/Vocab/Technology/accept.txt b/.github/vale/Vocab/Technology/accept.txt index e9fa7dd84f..167cf66e9c 100644 --- a/.github/vale/Vocab/Technology/accept.txt +++ b/.github/vale/Vocab/Technology/accept.txt @@ -1,3 +1,4 @@ +AGPLv3 APIs? ARM AWS @@ -25,6 +26,7 @@ Fargate Fedora Flink GPG +GPLv3 GRUB GeoNetwork Git diff --git a/content/scout/policy/_index.md b/content/scout/policy/_index.md index 775af3f068..f0d3ad7498 100644 --- a/content/scout/policy/_index.md +++ b/content/scout/policy/_index.md @@ -60,7 +60,8 @@ Docker Scout ships the following three out-of-the-box policies: - [Critical and high vulnerabilities with fixes](#critical-and-high-vulnerabilities-with-fixes) - [Critical vulnerabilities](#critical-vulnerabilities) -- [Packages with GPL3+ licenses](#packages-with-gpl3-licenses) +- [Packages with AGPLv3, GPLv3 licenses](#packages-with-agplv3-gplv3-licenses) +- [Base images not up-to-date](#base-images-not-up-to-date) These policies are turned on by default for Scout-enabled repositories. There's currently no way to turn off or configure these policies. 
@@ -90,10 +91,37 @@ more critical vulnerabilities. This policy flags all critical vulnerabilities, whether or not there's a fix version available. -### Packages with GPL3+ licenses +### Packages with AGPLv3, GPLv3 licenses This policy requires that your artifacts don't contain packages distributed -under a GPL3+ [copyleft](https://en.wikipedia.org/wiki/Copyleft) license. +under an AGPLv3 or GPLv3 license. These licenses are protective +[copyleft](https://en.wikipedia.org/wiki/Copyleft), and may be unsuitable for +use in your software because of the restrictions they enforce. This policy is unfulfilled if your artifacts contain one or more packages with a violating license. + +### Base images not up-to-date + +This policy requires that the base images you use are up-to-date. + +It's unfulfilled when the tag you used to build your image points to a +different digest than what you're using. If there's a mismatch in digests, that +means the base image you're using is out of date. + +#### No base image data + +There are cases when it's not possible to determine whether or not the base +image is up-to-date. In such cases, the **Base images not up-to-date** policy +gets flagged as having **No data**. + +This occurs when: + +- Docker Scout doesn't know what base image tag you used +- The base image version you used has multiple tags, but not all tags are out + of date + +To make sure that Docker Scout always knows about your base image, you can +attach [provenance attestations](../../build/attestations/slsa-provenance.md) +at build-time. Docker Scout uses provenance attestations to find out the base +image version. diff --git a/content/scout/policy/view.md b/content/scout/policy/view.md index 60eb217ae1..f604438909 100644 --- a/content/scout/policy/view.md +++ b/content/scout/policy/view.md 
@@ -72,9 +72,9 @@ version that removes the vulnerability, when a fix version is available. To fix the issue, upgrade the package version to the fix version. For licensing-related policies, the list shows all packages whose license -doesn't meet the policy criteria. To fix the issue, look for an alternative -package distributed under a more appropriate license, or cut the dependency by -reimplementing the functionality in your own code. +doesn't meet the policy criteria. To fix the issue, find a way to remove the +dependency to the violating package, for example by looking for an alternative +package distributed under a more appropriate license. ## CLI diff --git a/data/redirects.yml b/data/redirects.yml index 34f782f56b..cec6253389 100644 --- a/data/redirects.yml +++ b/data/redirects.yml @@ -578,6 +578,8 @@ - /go/scout-quickstart/ "/scout/ci/": - /go/scout-ci/ +"/scout/policy/": + - /go/scout-policy/ # integrations "/scout/integrations/ci/gha/": - "/go/scout-gha/"
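Review bot: in the `content/scout/policy/_index.md` list hunk, the unchanged context line above the list still says "Docker Scout ships the following three out-of-the-box policies:" while the hunk adds a fourth bullet, "Base images not up-to-date"; change "three" to "four" (or drop the number) in the same change so the intro matches the list that follows.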
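Review bot: in the new "Base images not up-to-date" section, "points to a different digest than what you're using" does not say which two digests are compared, which is the whole criterion of the policy; spell it out, for example "when the digest that the base image tag currently resolves to differs from the digest your image was built from". Under "This occurs when:", the second bullet ("has multiple tags, but not all tags are out of date") would also benefit from one clause saying why that prevents a verdict, since the reader is left to infer that Scout cannot tell which tag the build used.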
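Review bot: in the `content/scout/policy/view.md` hunk, "remove the dependency to the violating package" should read "remove the dependency on the violating package".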