scout: update cli to 1.18.4 (#23485)

<!--Delete sections as needed -->

## Description

Updated scout cli to 1.18.4
- Got vendor'd content from upstream
- Created new placeholders in `content/reference/cli/docker/scout` for
new commands
- Updated release notes


https://deploy-preview-23485--docsdocker.netlify.app/reference/cli/docker/scout/

https://deploy-preview-23485--docsdocker.netlify.app/scout/release-notes/cli/

## Related issues or tickets

DHI-449

## Reviews

<!-- Notes for reviewers here -->
<!-- List applicable reviews (optionally @tag reviewers) -->

- [ ] Editorial review

Signed-off-by: Craig <craig.osterhout@docker.com>
This commit is contained in:
Craig Osterhout
2025-10-03 08:31:50 -07:00
committed by GitHub
parent f8bb4bb3bd
commit 7da1a15974
28 changed files with 728 additions and 106 deletions


@@ -20,6 +20,7 @@ cname:
- docker scout recommendations
- docker scout repo
- docker scout version
- docker scout vex
- docker scout watch
clink:
- docker_scout_attestation.yaml
@@ -37,6 +38,7 @@ clink:
- docker_scout_recommendations.yaml
- docker_scout_repo.yaml
- docker_scout_version.yaml
- docker_scout_vex.yaml
- docker_scout_watch.yaml
options:
- option: debug


@@ -1,13 +1,17 @@
command: docker scout attestation
aliases: docker scout attestation, docker scout attest
short: Manage attestations on image indexes
long: Manage attestations on image indexes
short: Manage attestations on images
long: Manage attestations on images
pname: docker scout
plink: docker_scout.yaml
cname:
- docker scout attestation add
- docker scout attestation get
- docker scout attestation list
clink:
- docker_scout_attestation_add.yaml
- docker_scout_attestation_get.yaml
- docker_scout_attestation_list.yaml
inherited_options:
- option: debug
value_type: bool


@@ -0,0 +1,123 @@
command: docker scout attestation get
aliases: docker scout attestation get, docker scout attest get
short: Get attestation for image
long: The docker scout attestation get command gets attestations for images.
usage: docker scout attestation get OPTIONS IMAGE [DIGEST]
pname: docker scout attestation
plink: docker_scout_attestation.yaml
options:
- option: key
value_type: string
default_value: https://registry.scout.docker.com/keyring/dhi/latest.pub
description: Signature key to use for verification
deprecated: false
hidden: false
experimental: false
experimentalcli: false
kubernetes: false
swarm: false
- option: org
value_type: string
description: Namespace of the Docker organization
deprecated: false
hidden: false
experimental: false
experimentalcli: false
kubernetes: false
swarm: false
- option: output
shorthand: o
value_type: string
description: Write the report to a file
deprecated: false
hidden: false
experimental: false
experimentalcli: false
kubernetes: false
swarm: false
- option: platform
value_type: string
description: Platform of image to analyze
deprecated: false
hidden: false
experimental: false
experimentalcli: false
kubernetes: false
swarm: false
- option: predicate
value_type: bool
default_value: "false"
description: Get in-toto predicate only dropping the subject
deprecated: false
hidden: false
experimental: false
experimentalcli: false
kubernetes: false
swarm: false
- option: predicate-type
value_type: string
description: Predicate-type for attestation
deprecated: false
hidden: false
experimental: false
experimentalcli: false
kubernetes: false
swarm: false
- option: ref
value_type: string
description: |-
Reference to use if the provided tarball contains multiple references.
Can only be used with archive
deprecated: false
hidden: false
experimental: false
experimentalcli: false
kubernetes: false
swarm: false
- option: skip-tlog
value_type: bool
default_value: "false"
description: Skip signature verification against public transaction log
deprecated: false
hidden: false
experimental: false
experimentalcli: false
kubernetes: false
swarm: false
- option: verify
value_type: bool
default_value: "false"
description: Verify the signature on the attestation
deprecated: false
hidden: false
experimental: false
experimentalcli: false
kubernetes: false
swarm: false
inherited_options:
- option: debug
value_type: bool
default_value: "false"
description: Debug messages
deprecated: false
hidden: true
experimental: false
experimentalcli: false
kubernetes: false
swarm: false
- option: verbose-debug
value_type: bool
default_value: "false"
description: Verbose debug
deprecated: false
hidden: true
experimental: false
experimentalcli: false
kubernetes: false
swarm: false
deprecated: false
experimental: false
experimentalcli: true
kubernetes: false
swarm: false
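Review bot: The `long:` line at the top of the hunk does not tell the reader that signature verification is opt-in, although `verify` defaults to `"false"` and `skip-tlog` removes the transparency-log check, so a plain invocation returns an attestation whose signature has not been checked against `--key`. Suggested wording: `long: The docker scout attestation get command gets attestations for images. The signature is checked against --key only when --verify is set; --skip-tlog additionally skips the public transaction log lookup.` The same gap exists in the `docker scout vex get` file later in this commit, whose `long:` also omits it. The PR description says this YAML is vendored from upstream, so the wording change probably belongs in the upstream CLI help text rather than a local edit.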


@@ -0,0 +1,96 @@
command: docker scout attestation list
aliases: docker scout attestation list, docker scout attest list
short: List attestations for image
long: The docker scout attestation list command lists attestations for images.
usage: docker scout attestation list OPTIONS IMAGE
pname: docker scout attestation
plink: docker_scout_attestation.yaml
options:
- option: format
value_type: string
default_value: list
description: |-
Output format:
- list: list of attestations of the image
- json: json representation of the attestation list (default "json")
deprecated: false
hidden: false
experimental: false
experimentalcli: false
kubernetes: false
swarm: false
- option: org
value_type: string
description: Namespace of the Docker organization
deprecated: false
hidden: false
experimental: false
experimentalcli: false
kubernetes: false
swarm: false
- option: output
shorthand: o
value_type: string
description: Write the report to a file
deprecated: false
hidden: false
experimental: false
experimentalcli: false
kubernetes: false
swarm: false
- option: platform
value_type: string
description: Platform of image to analyze
deprecated: false
hidden: false
experimental: false
experimentalcli: false
kubernetes: false
swarm: false
- option: predicate-type
value_type: string
description: Predicate-type for attestations
deprecated: false
hidden: false
experimental: false
experimentalcli: false
kubernetes: false
swarm: false
- option: ref
value_type: string
description: |-
Reference to use if the provided tarball contains multiple references.
Can only be used with archive
deprecated: false
hidden: false
experimental: false
experimentalcli: false
kubernetes: false
swarm: false
inherited_options:
- option: debug
value_type: bool
default_value: "false"
description: Debug messages
deprecated: false
hidden: true
experimental: false
experimentalcli: false
kubernetes: false
swarm: false
- option: verbose-debug
value_type: bool
default_value: "false"
description: Verbose debug
deprecated: false
hidden: true
experimental: false
experimentalcli: false
kubernetes: false
swarm: false
deprecated: false
experimental: false
experimentalcli: true
kubernetes: false
swarm: false
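Review bot: The `format` option's description (`- json: json representation of the attestation list (default "json")`) contradicts the option's own `default_value: list` two lines above it, so the rendered page states two different defaults for the same flag. Drop the parenthetical: `- json: json representation of the attestation list`. The generated scout_attestation_list.md table later in this commit carries the same text and would pick up the fix on regeneration. As the file is vendored, the correction is best made in the upstream help string.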


@@ -95,6 +95,17 @@ options:
experimentalcli: false
kubernetes: false
swarm: false
- option: ignore-suppressed
value_type: bool
default_value: "false"
description: |
Filter CVEs found in Scout exceptions based on the specified exception scope
deprecated: false
hidden: false
experimental: false
experimentalcli: false
kubernetes: false
swarm: false
- option: ignore-unchanged
value_type: bool
default_value: "false"
@@ -177,6 +188,16 @@ options:
experimentalcli: false
kubernetes: false
swarm: false
- option: only-vex-affected
value_type: bool
default_value: "false"
description: Filter CVEs by VEX statements with status not affected
deprecated: false
hidden: false
experimental: false
experimentalcli: false
kubernetes: false
swarm: false
- option: org
value_type: string
description: Namespace of the Docker organization
@@ -264,6 +285,36 @@ options:
experimentalcli: false
kubernetes: false
swarm: false
- option: vex
value_type: bool
default_value: "false"
description: Apply VEX statements to filter CVEs
deprecated: true
hidden: true
experimental: false
experimentalcli: false
kubernetes: false
swarm: false
- option: vex-author
value_type: stringSlice
default_value: '[<.*@docker.com>]'
description: List of VEX statement authors to accept
deprecated: false
hidden: false
experimental: false
experimentalcli: false
kubernetes: false
swarm: false
- option: vex-location
value_type: stringSlice
default_value: '[]'
description: File location of directory or file containing VEX statements
deprecated: false
hidden: false
experimental: false
experimentalcli: false
kubernetes: false
swarm: false
inherited_options:
- option: debug
value_type: bool
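Review bot: The `vex-author` default changes to `'[<.*@docker.com>]'` at the bottom of the third hunk, but the description `List of VEX statement authors to accept` still reads as if it takes literal names, while the new default looks like a pattern; a reader cannot tell whether their own value must be a regular expression or what an empty list now means. Suggested description, to be confirmed against the upstream matching semantics: `List of VEX statement author patterns to accept; by default only authors matching <.*@docker.com> are accepted`. The cves and quickview YAML hunks and the three regenerated markdown tables in this commit carry the same default and description. Separately, the new `ignore-suppressed` entry in the first hunk uses `description: |` where every neighbouring multi-line description uses `|-`, so its rendered value carries a trailing newline.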


@@ -359,7 +359,7 @@ options:
swarm: false
- option: vex-author
value_type: stringSlice
default_value: '[]'
default_value: '[<.*@docker.com>]'
description: List of VEX statement authors to accept
deprecated: false
hidden: false


@@ -147,7 +147,7 @@ options:
swarm: false
- option: vex-author
value_type: stringSlice
default_value: '[]'
default_value: '[<.*@docker.com>]'
description: List of VEX statement authors to accept
deprecated: false
hidden: false


@@ -0,0 +1,37 @@
command: docker scout vex
aliases: docker scout vex, docker scout vex
short: Manage VEX attestations on images
long: Manage VEX attestations on images
pname: docker scout
plink: docker_scout.yaml
cname:
- docker scout vex get
clink:
- docker_scout_vex_get.yaml
inherited_options:
- option: debug
value_type: bool
default_value: "false"
description: Debug messages
deprecated: false
hidden: true
experimental: false
experimentalcli: false
kubernetes: false
swarm: false
- option: verbose-debug
value_type: bool
default_value: "false"
description: Verbose debug
deprecated: false
hidden: true
experimental: false
experimentalcli: false
kubernetes: false
swarm: false
deprecated: false
experimental: false
experimentalcli: true
kubernetes: false
swarm: false
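Review bot: `aliases: docker scout vex, docker scout vex` lists the command twice; the other alias lines in this commit pair the command with a genuine alternative (`docker scout attestation, docker scout attest`), and the generated scout_vex.md later in the commit renders the duplicate verbatim as the pair "docker scout vex, docker scout vex". Either drop the field or reduce it to `aliases: docker scout vex`. Since the file is vendored, the duplicate is likely in the upstream command definition and should be fixed there.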


@@ -0,0 +1,103 @@
command: docker scout vex get
short: Get VEX attestation for image
long: The docker scout vex get command gets a VEX attestation for images.
usage: docker scout vex get OPTIONS IMAGE
pname: docker scout vex
plink: docker_scout_vex.yaml
options:
- option: key
value_type: string
default_value: https://registry.scout.docker.com/keyring/dhi/latest.pub
description: Signature key to use for verification
deprecated: false
hidden: false
experimental: false
experimentalcli: false
kubernetes: false
swarm: false
- option: org
value_type: string
description: Namespace of the Docker organization
deprecated: false
hidden: false
experimental: false
experimentalcli: false
kubernetes: false
swarm: false
- option: output
shorthand: o
value_type: string
description: Write the report to a file
deprecated: false
hidden: false
experimental: false
experimentalcli: false
kubernetes: false
swarm: false
- option: platform
value_type: string
description: Platform of image to analyze
deprecated: false
hidden: false
experimental: false
experimentalcli: false
kubernetes: false
swarm: false
- option: ref
value_type: string
description: |-
Reference to use if the provided tarball contains multiple references.
Can only be used with archive
deprecated: false
hidden: false
experimental: false
experimentalcli: false
kubernetes: false
swarm: false
- option: skip-tlog
value_type: bool
default_value: "false"
description: Skip signature verification against public transaction log
deprecated: false
hidden: false
experimental: false
experimentalcli: false
kubernetes: false
swarm: false
- option: verify
value_type: bool
default_value: "false"
description: Verify the signature on the attestation
deprecated: false
hidden: false
experimental: false
experimentalcli: false
kubernetes: false
swarm: false
inherited_options:
- option: debug
value_type: bool
default_value: "false"
description: Debug messages
deprecated: false
hidden: true
experimental: false
experimentalcli: false
kubernetes: false
swarm: false
- option: verbose-debug
value_type: bool
default_value: "false"
description: Verbose debug
deprecated: false
hidden: true
experimental: false
experimentalcli: false
kubernetes: false
swarm: false
deprecated: false
experimental: false
experimentalcli: true
kubernetes: false
swarm: false


@@ -1,9 +1,8 @@
command: docker scout watch
short: |
Watch repositories in a registry and push images and indexes to Docker Scout (experimental)
long: |-
The `docker scout watch` command watches repositories in a registry
and pushes images or analysis results to Docker Scout.
long: |
The docker scout watch command watches repositories in a registry and pushes images or image indexes to Docker Scout.
usage: docker scout watch
pname: docker scout
plink: docker_scout.yaml
@@ -129,30 +128,7 @@ inherited_options:
experimentalcli: false
kubernetes: false
swarm: false
examples: |-
### Watch for new images from two repositories and push them
```console
$ docker scout watch --org my-org --repository registry-1.example.com/repo-1 --repository registry-2.example.com/repo-2
```
### Only push images with a specific tag
```console
$ docker scout watch --org my-org --repository registry.example.com/my-service --tag latest
```
### Watch all repositories of a registry
```console
$ docker scout watch --org my-org --registry registry.example.com
```
### Push all images and not just the new ones
```console
$ docker scout watch--org my-org --repository registry.example.com/my-service --all-images
```
examples: " Watch for new images from two repositories and push them\n $ docker scout watch --org my-org --repository registry-1.example.com/repo-1 --repository registry-2.example.com/repo-2\e[0m\n\n Only push images with a specific tag\n $ docker scout watch --org my-org --repository registry.example.com/my-service --tag latest\e[0m\n\n Watch all repositories of a registry\n $ docker scout watch --org my-org --registry registry.example.com\e[0m\n\n Push all images and not just the new ones\n $ docker scout watch --org my-org --repository registry.example.com/my-service --all-images\e[0m"
deprecated: false
experimental: false
experimentalcli: true
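Review bot: The replacement `examples:` value is one double-quoted scalar containing `\e[0m`, which YAML decodes to raw ESC (U+001B) control characters, and it has lost the `###` headings and console code fences of the removed block, so the rendered page would show terminal reset sequences in place of structured examples. This looks like help output captured from a colorized terminal upstream. Keep the previous `examples: |-` block form (with the `watch --org` spacing fix that the scout_watch.md hunk in this commit already applies) and regenerate with color disabled.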


@@ -11,7 +11,7 @@ Command line tool for Docker Scout
| Name | Description |
|:--------------------------------------------------------------|:--------------------------------------------------------------------------------------------|
| [`attestation`](scout_attestation.md) | Manage attestations on image indexes |
| [`attestation`](scout_attestation.md) | Manage attestations on images |
| [`cache`](scout_cache.md) | Manage Docker Scout cache and temporary files |
| [`compare`](scout_compare.md) | Compare two images and display differences (experimental) |
| [`config`](scout_config.md) | Manage Docker Scout configuration |
@@ -29,6 +29,7 @@ Command line tool for Docker Scout
| [`sbom`](scout_sbom.md) | Generate or display SBOM of an image |
| [`stream`](scout_stream.md) | Manage streams (experimental) |
| [`version`](scout_version.md) | Show Docker Scout version information |
| [`vex`](scout_vex.md) | Manage VEX attestations on images |
| [`watch`](scout_watch.md) | Watch repositories in a registry and push images and indexes to Docker Scout (experimental) |


@@ -1,7 +1,7 @@
# docker scout attestation
<!---MARKER_GEN_START-->
Manage attestations on image indexes
Manage attestations on images
### Aliases
@@ -9,9 +9,11 @@ Manage attestations on image indexes
### Subcommands
| Name | Description |
|:----------------------------------|:-------------------------|
| [`add`](scout_attestation_add.md) | Add attestation to image |
| Name | Description |
|:------------------------------------|:----------------------------|
| [`add`](scout_attestation_add.md) | Add attestation to image |
| [`get`](scout_attestation_get.md) | Get attestation for image |
| [`list`](scout_attestation_list.md) | List attestations for image |


@@ -0,0 +1,26 @@
# docker scout attestation get
<!---MARKER_GEN_START-->
Get attestation for image
### Aliases
`docker scout attestation get`, `docker scout attest get`
### Options
| Name | Type | Default | Description |
|:-------------------|:---------|:-----------------------------------------------------------|:--------------------------------------------------------------------------------------------------------|
| `--key` | `string` | `https://registry.scout.docker.com/keyring/dhi/latest.pub` | Signature key to use for verification |
| `--org` | `string` | | Namespace of the Docker organization |
| `-o`, `--output` | `string` | | Write the report to a file |
| `--platform` | `string` | | Platform of image to analyze |
| `--predicate` | | | Get in-toto predicate only dropping the subject |
| `--predicate-type` | `string` | | Predicate-type for attestation |
| `--ref` | `string` | | Reference to use if the provided tarball contains multiple references.<br>Can only be used with archive |
| `--skip-tlog` | | | Skip signature verification against public transaction log |
| `--verify` | | | Verify the signature on the attestation |
<!---MARKER_GEN_END-->


@@ -0,0 +1,23 @@
# docker scout attestation list
<!---MARKER_GEN_START-->
List attestations for image
### Aliases
`docker scout attestation list`, `docker scout attest list`
### Options
| Name | Type | Default | Description |
|:-------------------|:---------|:--------|:------------------------------------------------------------------------------------------------------------------------------------|
| `--format` | `string` | `list` | Output format:<br>- list: list of attestations of the image<br>- json: json representation of the attestation list (default "json") |
| `--org` | `string` | | Namespace of the Docker organization |
| `-o`, `--output` | `string` | | Write the report to a file |
| `--platform` | `string` | | Platform of image to analyze |
| `--predicate-type` | `string` | | Predicate-type for attestations |
| `--ref` | `string` | | Reference to use if the provided tarball contains multiple references.<br>Can only be used with archive |
<!---MARKER_GEN_END-->


@@ -9,28 +9,32 @@ Compare two images and display differences (experimental)
### Options
| Name | Type | Default | Description |
|:----------------------|:--------------|:--------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `-x`, `--exit-on` | `stringSlice` | | Comma separated list of conditions to fail the action step if worse or changed, options are: vulnerability, policy, package |
| `--format` | `string` | `text` | Output format of the generated vulnerability report:<br>- text: default output, plain text with or without colors depending on the terminal<br>- markdown: Markdown output<br> |
| `--hide-policies` | | | Hide policy status from the output |
| `--ignore-base` | | | Filter out CVEs introduced from base image |
| `--ignore-unchanged` | | | Filter out unchanged packages |
| `--multi-stage` | | | Show packages from multi-stage Docker builds |
| `--only-fixed` | | | Filter to fixable CVEs |
| `--only-package-type` | `stringSlice` | | Comma separated list of package types (like apk, deb, rpm, npm, pypi, golang, etc) |
| `--only-policy` | `stringSlice` | | Comma separated list of policies to evaluate |
| `--only-severity` | `stringSlice` | | Comma separated list of severities (critical, high, medium, low, unspecified) to filter CVEs by |
| `--only-stage` | `stringSlice` | | Comma separated list of multi-stage Docker build stage names |
| `--only-unfixed` | | | Filter to unfixed CVEs |
| `--org` | `string` | | Namespace of the Docker organization |
| `-o`, `--output` | `string` | | Write the report to a file |
| `--platform` | `string` | | Platform of image to analyze |
| `--ref` | `string` | | Reference to use if the provided tarball contains multiple references.<br>Can only be used with archive |
| `--to` | `string` | | Image, directory, or archive to compare to |
| `--to-env` | `string` | | Name of environment to compare to |
| `--to-latest` | | | Latest image processed to compare to |
| `--to-ref` | `string` | | Reference to use if the provided tarball contains multiple references.<br>Can only be used with archive. |
| Name | Type | Default | Description |
|:----------------------|:--------------|:--------------------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `-x`, `--exit-on` | `stringSlice` | | Comma separated list of conditions to fail the action step if worse or changed, options are: vulnerability, policy, package |
| `--format` | `string` | `text` | Output format of the generated vulnerability report:<br>- text: default output, plain text with or without colors depending on the terminal<br>- markdown: Markdown output<br> |
| `--hide-policies` | | | Hide policy status from the output |
| `--ignore-base` | | | Filter out CVEs introduced from base image |
| `--ignore-suppressed` | | | Filter CVEs found in Scout exceptions based on the specified exception scope |
| `--ignore-unchanged` | | | Filter out unchanged packages |
| `--multi-stage` | | | Show packages from multi-stage Docker builds |
| `--only-fixed` | | | Filter to fixable CVEs |
| `--only-package-type` | `stringSlice` | | Comma separated list of package types (like apk, deb, rpm, npm, pypi, golang, etc) |
| `--only-policy` | `stringSlice` | | Comma separated list of policies to evaluate |
| `--only-severity` | `stringSlice` | | Comma separated list of severities (critical, high, medium, low, unspecified) to filter CVEs by |
| `--only-stage` | `stringSlice` | | Comma separated list of multi-stage Docker build stage names |
| `--only-unfixed` | | | Filter to unfixed CVEs |
| `--only-vex-affected` | | | Filter CVEs by VEX statements with status not affected |
| `--org` | `string` | | Namespace of the Docker organization |
| `-o`, `--output` | `string` | | Write the report to a file |
| `--platform` | `string` | | Platform of image to analyze |
| `--ref` | `string` | | Reference to use if the provided tarball contains multiple references.<br>Can only be used with archive |
| `--to` | `string` | | Image, directory, or archive to compare to |
| `--to-env` | `string` | | Name of environment to compare to |
| `--to-latest` | | | Latest image processed to compare to |
| `--to-ref` | `string` | | Reference to use if the provided tarball contains multiple references.<br>Can only be used with archive. |
| `--vex-author` | `stringSlice` | `[<.*@docker.com>]` | List of VEX statement authors to accept |
| `--vex-location` | `stringSlice` | | File location of directory or file containing VEX statements |
<!---MARKER_GEN_END-->


@@ -9,37 +9,37 @@ Display CVEs identified in a software artifact
### Options
| Name | Type | Default | Description |
|:-----------------------|:--------------|:-----------|:------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `--details` | | | Print details on default text output |
| `--env` | `string` | | Name of environment |
| [`--epss`](#epss) | | | Display the EPSS scores and organize the package's CVEs according to their EPSS score |
| `--epss-percentile` | `float32` | `0` | Exclude CVEs with EPSS scores less than the specified percentile (0 to 1) |
| `--epss-score` | `float32` | `0` | Exclude CVEs with EPSS scores less than the specified value (0 to 1) |
| `-e`, `--exit-code` | | | Return exit code '2' if vulnerabilities are detected |
| `--format` | `string` | `packages` | Output format of the generated vulnerability report:<br>- packages: default output, plain text with vulnerabilities grouped by packages<br>- sarif: json Sarif output<br>- spdx: json SPDX output<br>- gitlab: json GitLab output<br>- markdown: markdown output (including some html tags like collapsible sections)<br>- sbom: json SBOM output<br> |
| `--ignore-base` | | | Filter out CVEs introduced from base image |
| `--ignore-suppressed` | | | Filter CVEs found in Scout exceptions based on the specified exception scope |
| `--locations` | | | Print package locations including file paths and layer diff_id |
| `--multi-stage` | | | Show packages from multi-stage Docker builds |
| `--only-base` | | | Only show CVEs introduced by the base image |
| `--only-cisa-kev` | | | Filter to CVEs listed in the CISA KEV catalog |
| `--only-cve-id` | `stringSlice` | | Comma separated list of CVE ids (like CVE-2021-45105) to search for |
| `--only-fixed` | | | Filter to fixable CVEs |
| `--only-metric` | `stringSlice` | | Comma separated list of CVSS metrics (like AV:N or PR:L) to filter CVEs by |
| `--only-package` | `stringSlice` | | Comma separated regular expressions to filter packages by |
| `--only-package-type` | `stringSlice` | | Comma separated list of package types (like apk, deb, rpm, npm, pypi, golang, etc) |
| `--only-severity` | `stringSlice` | | Comma separated list of severities (critical, high, medium, low, unspecified) to filter CVEs by |
| `--only-stage` | `stringSlice` | | Comma separated list of multi-stage Docker build stage names |
| `--only-unfixed` | | | Filter to unfixed CVEs |
| `--only-vex-affected` | | | Filter CVEs by VEX statements with status not affected |
| `--only-vuln-packages` | | | When used with --format=only-packages ignore packages with no vulnerabilities |
| `--org` | `string` | | Namespace of the Docker organization |
| `-o`, `--output` | `string` | | Write the report to a file |
| `--platform` | `string` | | Platform of image to analyze |
| `--ref` | `string` | | Reference to use if the provided tarball contains multiple references.<br>Can only be used with archive |
| `--vex-author` | `stringSlice` | | List of VEX statement authors to accept |
| `--vex-location` | `stringSlice` | | File location of directory or file containing VEX statements |
| Name | Type | Default | Description |
|:-----------------------|:--------------|:--------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `--details` | | | Print details on default text output |
| `--env` | `string` | | Name of environment |
| [`--epss`](#epss) | | | Display the EPSS scores and organize the package's CVEs according to their EPSS score |
| `--epss-percentile` | `float32` | `0` | Exclude CVEs with EPSS scores less than the specified percentile (0 to 1) |
| `--epss-score` | `float32` | `0` | Exclude CVEs with EPSS scores less than the specified value (0 to 1) |
| `-e`, `--exit-code` | | | Return exit code '2' if vulnerabilities are detected |
| `--format` | `string` | `packages` | Output format of the generated vulnerability report:<br>- packages: default output, plain text with vulnerabilities grouped by packages<br>- sarif: json Sarif output<br>- spdx: json SPDX output<br>- gitlab: json GitLab output<br>- markdown: markdown output (including some html tags like collapsible sections)<br>- sbom: json SBOM output<br> |
| `--ignore-base` | | | Filter out CVEs introduced from base image |
| `--ignore-suppressed` | | | Filter CVEs found in Scout exceptions based on the specified exception scope |
| `--locations` | | | Print package locations including file paths and layer diff_id |
| `--multi-stage` | | | Show packages from multi-stage Docker builds |
| `--only-base` | | | Only show CVEs introduced by the base image |
| `--only-cisa-kev` | | | Filter to CVEs listed in the CISA KEV catalog |
| `--only-cve-id` | `stringSlice` | | Comma separated list of CVE ids (like CVE-2021-45105) to search for |
| `--only-fixed` | | | Filter to fixable CVEs |
| `--only-metric` | `stringSlice` | | Comma separated list of CVSS metrics (like AV:N or PR:L) to filter CVEs by |
| `--only-package` | `stringSlice` | | Comma separated regular expressions to filter packages by |
| `--only-package-type` | `stringSlice` | | Comma separated list of package types (like apk, deb, rpm, npm, pypi, golang, etc) |
| `--only-severity` | `stringSlice` | | Comma separated list of severities (critical, high, medium, low, unspecified) to filter CVEs by |
| `--only-stage` | `stringSlice` | | Comma separated list of multi-stage Docker build stage names |
| `--only-unfixed` | | | Filter to unfixed CVEs |
| `--only-vex-affected` | | | Filter CVEs by VEX statements with status not affected |
| `--only-vuln-packages` | | | When used with --format=only-packages ignore packages with no vulnerabilities |
| `--org` | `string` | | Namespace of the Docker organization |
| `-o`, `--output` | `string` | | Write the report to a file |
| `--platform` | `string` | | Platform of image to analyze |
| `--ref` | `string` | | Reference to use if the provided tarball contains multiple references.<br>Can only be used with archive |
| `--vex-author` | `stringSlice` | `[<.*@docker.com>]` | List of VEX statement authors to accept |
| `--vex-location` | `stringSlice` | | File location of directory or file containing VEX statements |
<!---MARKER_GEN_END-->


@@ -9,19 +9,19 @@ Quick overview of an image
### Options
| Name | Type | Default | Description |
|:----------------------|:--------------|:--------|:--------------------------------------------------------------------------------------------------------|
| `--env` | `string` | | Name of the environment |
| `--ignore-suppressed` | | | Filter CVEs found in Scout exceptions based on the specified exception scope |
| `--latest` | | | Latest indexed image |
| `--only-policy` | `stringSlice` | | Comma separated list of policies to evaluate |
| `--only-vex-affected` | | | Filter CVEs by VEX statements with status not affected |
| `--org` | `string` | | Namespace of the Docker organization |
| `-o`, `--output` | `string` | | Write the report to a file |
| `--platform` | `string` | | Platform of image to analyze |
| `--ref` | `string` | | Reference to use if the provided tarball contains multiple references.<br>Can only be used with archive |
| `--vex-author` | `stringSlice` | | List of VEX statement authors to accept |
| `--vex-location` | `stringSlice` | | File location of directory or file containing VEX statements |
| Name | Type | Default | Description |
|:----------------------|:--------------|:--------------------|:--------------------------------------------------------------------------------------------------------|
| `--env` | `string` | | Name of the environment |
| `--ignore-suppressed` | | | Filter CVEs found in Scout exceptions based on the specified exception scope |
| `--latest` | | | Latest indexed image |
| `--only-policy` | `stringSlice` | | Comma separated list of policies to evaluate |
| `--only-vex-affected` | | | Filter CVEs by VEX statements with status not affected |
| `--org` | `string` | | Namespace of the Docker organization |
| `-o`, `--output` | `string` | | Write the report to a file |
| `--platform` | `string` | | Platform of image to analyze |
| `--ref` | `string` | | Reference to use if the provided tarball contains multiple references.<br>Can only be used with archive |
| `--vex-author` | `stringSlice` | `[<.*@docker.com>]` | List of VEX statement authors to accept |
| `--vex-location` | `stringSlice` | | File location of directory or file containing VEX statements |
<!---MARKER_GEN_END-->


@@ -0,0 +1,19 @@
# docker scout vex
<!---MARKER_GEN_START-->
Manage VEX attestations on images
### Aliases
`docker scout vex`, `docker scout vex`
### Subcommands
| Name | Description |
|:--------------------------|:------------------------------|
| [`get`](scout_vex_get.md) | Get VEX attestation for image |
<!---MARKER_GEN_END-->


@@ -0,0 +1,20 @@
# docker scout vex get
<!---MARKER_GEN_START-->
Get VEX attestation for image
### Options
| Name | Type | Default | Description |
|:-----------------|:---------|:-----------------------------------------------------------|:--------------------------------------------------------------------------------------------------------|
| `--key` | `string` | `https://registry.scout.docker.com/keyring/dhi/latest.pub` | Signature key to use for verification |
| `--org` | `string` | | Namespace of the Docker organization |
| `-o`, `--output` | `string` | | Write the report to a file |
| `--platform` | `string` | | Platform of image to analyze |
| `--ref` | `string` | | Reference to use if the provided tarball contains multiple references.<br>Can only be used with archive |
| `--skip-tlog` | | | Skip signature verification against public transaction log |
| `--verify` | | | Verify the signature on the attestation |
<!---MARKER_GEN_END-->


@@ -49,5 +49,74 @@ $ docker scout watch --org my-org --registry registry.example.com
### Push all images and not just the new ones
```console
$ docker scout watch--org my-org --repository registry.example.com/my-service --all-images
$ docker scout watch --org my-org --repository registry.example.com/my-service --all-images
```
### Configure Artifactory integration
The following example creates a web hook endpoint for Artifactory to push new
image events into:
```console
$ export DOCKER_SCOUT_ARTIFACTORY_API_USER=user
$ export DOCKER_SCOUT_ARTIFACTORY_API_PASSWORD=password
$ export DOCKER_SCOUT_ARTIFACTORY_WEBHOOK_SECRET=foo
$ docker scout watch --registry "type=artifactory,registry=example.jfrog.io,api=https://example.jfrog.io/artifactory,include=*/frontend*,exclude=*/dta/*,repository=docker-local,port=9000,subdomain-mode=true" --refresh-registry
```
This will launch an HTTP server on port `9000` that will receive all `component` web
hook events, optionally validating the HMAC signature.
### Configure Harbor integration
The following example creates a web hook endpoint for Harbor to push new image
events into:
```console
$ export DOCKER_SCOUT_HARBOR_API_USER=admin
$ export DOCKER_SCOUT_HARBOR_API_PASSWORD=password
$ export DOCKER_SCOUT_HARBOR_WEBHOOK_AUTH="token foo"
$ docker scout watch --registry 'type=harbor,registry=demo.goharbor.io,api=https://demo.goharbor.io,include=*/foo/*,exclude=*/bar/*,port=9000' --refresh-registry
```
This will launch an HTTP server on port `9000` that will receive all `component` web
hook events, optionally validating the HMAC signature.
### Configure Nexus integration
The following example shows how to configure Sonartype Nexus integration:
```console
$ export DOCKER_SCOUT_NEXUS_API_USER=admin
$ export DOCKER_SCOUT_NEXUS_API_PASSWORD=admin124
$ docker scout watch --registry 'type=nexus,registry=localhost:8082,api=http://localhost:8081,include=*/foo/*,exclude=*/bar/*,"repository=docker-test1,docker-test2"' --refresh-registry
```
This ingests all images and tags in Nexus repositories called `docker-test1`
and `docker-test2` that match the `*/foo/*` include and `*/bar/*` exclude glob
pattern.
You can also create a web hook endpoint for Nexus to push new image events into:
```console
$ export DOCKER_SCOUT_NEXUS_API_USER=admin
$ export DOCKER_SCOUT_NEXUS_API_PASSWORD=admin124
$ export DOCKER_SCOUT_NEXUS_WEBHOOK_SECRET=mysecret
$ docker scout watch --registry 'type=nexus,registry=localhost:8082,api=http://localhost:8081,include=*/foo/*,exclude=*/bar/*,"repository=docker-test1,docker-test2",port=9000' --refresh-registry
```
This will launch an HTTP server on port `9000` that will receive all `component` web
hook events, optionally validating the HMAC signature.
## Configure integration for other OCI registries
The following example shows how to integrate an OCI registry that implements the
`_catalog` endpoint:
```console
$ docker scout watch --registry 'type=oci,registry=registry.example.com,include=*/scout-artifact-registry/*'
```


@@ -5,4 +5,4 @@
# github.com/docker/compose/v2 v2.40.0
# github.com/docker/model-cli v0.1.41
# github.com/docker/mcp-gateway v0.13.1-0.20250730013131-e08a3be84765
# github.com/docker/scout-cli v1.18.1
# github.com/docker/scout-cli v1.18.4


@@ -9,6 +9,14 @@ This page contains information about the new features, improvements, known
issues, and bug fixes in the Docker Scout [CLI plugin](https://github.com/docker/scout-cli/)
and the `docker/scout-action` [GitHub Action](https://github.com/docker/scout-action).
## 1.18.4
{{< release-date date="2025-10-02" >}}
### Bug fixes
- VEX and SPDX fixes.
## 1.18.3
{{< release-date date="2025-08-13" >}}


@@ -0,0 +1,14 @@
---
datafolder: scout-cli
datafile: docker_scout_attestation_get
title: docker scout attestation get
layout: cli
---
<!--
This page is automatically generated from Docker's source code. If you want to
suggest a change to the text that appears here, open a ticket in the source
repository on GitHub:
https://github.com/docker/scout-cli
-->


@@ -0,0 +1,14 @@
---
datafolder: scout-cli
datafile: docker_scout_attestation_list
title: docker scout attestation list
layout: cli
---
<!--
This page is automatically generated from Docker's source code. If you want to
suggest a change to the text that appears here, open a ticket in the source
repository on GitHub:
https://github.com/docker/scout-cli
-->


@@ -0,0 +1,14 @@
---
datafolder: scout-cli
datafile: docker_scout_vex
title: docker scout vex
layout: cli
---
<!--
This page is automatically generated from Docker's source code. If you want to
suggest a change to the text that appears here, open a ticket in the source
repository on GitHub:
https://github.com/docker/scout-cli
-->


@@ -0,0 +1,14 @@
---
datafolder: scout-cli
datafile: docker_scout_vex_get
title: docker scout vex get
layout: cli
---
<!--
This page is automatically generated from Docker's source code. If you want to
suggest a change to the text that appears here, open a ticket in the source
repository on GitHub:
https://github.com/docker/scout-cli
-->

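--- a/go.mod
+++ b/go.mod
@@ -27,7 +27,7 @@ require (
 github.com/docker/model-cli v0.1.41 // indirect
 github.com/docker/model-distribution v0.0.0-20250918153037-7d9fc7b72b57 // indirect
 github.com/docker/model-runner v0.0.0-20250911130340-38bb0171c947 // indirect
-github.com/docker/scout-cli v1.18.1 // indirect
+github.com/docker/scout-cli v1.18.4 // indirect
 github.com/elastic/go-sysinfo v1.15.3 // indirect
 github.com/elastic/go-windows v1.0.2 // indirect
 github.com/fatih/color v1.18.0 // indirect
@@ -114,7 +114,7 @@ replace (
 github.com/docker/compose/v2 => github.com/docker/compose/v2 v2.39.4
 github.com/docker/docker => github.com/docker/docker v28.4.0+incompatible
 github.com/docker/model-cli => github.com/docker/model-cli v0.1.41
-github.com/docker/scout-cli => github.com/docker/scout-cli v1.18.1
+github.com/docker/scout-cli => github.com/docker/scout-cli v1.18.4
 github.com/moby/buildkit => github.com/moby/buildkit v0.25.0
 github.com/moby/moby => github.com/moby/moby v28.4.0+incompatible
 )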

2
go.sum

@@ -144,6 +144,8 @@ github.com/docker/scout-cli v1.15.0 h1:VhA9niVftEyZ9f5KGwKnrSfQOp2X3uIU3VbE/gTVM
github.com/docker/scout-cli v1.15.0/go.mod h1:Eo1RyCJsx3ldz/YTY5yGxu9g9mwTYbRUutxQUkow3Fc=
github.com/docker/scout-cli v1.18.1 h1:snFodhV6xFJryxdUZ0ukPZFZZFnWAGLUuuPZGB3BOK8=
github.com/docker/scout-cli v1.18.1/go.mod h1:Eo1RyCJsx3ldz/YTY5yGxu9g9mwTYbRUutxQUkow3Fc=
github.com/docker/scout-cli v1.18.4 h1:Td+SSA55WlD7gmrNaBe0imgfVzzQjlfb/prwBn9GOSw=
github.com/docker/scout-cli v1.18.4/go.mod h1:Eo1RyCJsx3ldz/YTY5yGxu9g9mwTYbRUutxQUkow3Fc=
github.com/elastic/go-sysinfo v1.15.3 h1:W+RnmhKFkqPTCRoFq2VCTmsT4p/fwpo+3gKNQsn1XU0=
github.com/elastic/go-sysinfo v1.15.3/go.mod h1:K/cNrqYTDrSoMh2oDkYEMS2+a72GRxMvNP+GC+vRIlo=
github.com/elastic/go-windows v1.0.2 h1:yoLLsAsV5cfg9FLhZ9EXZ2n2sQFKeDYrHenkcivY4vI=