diff --git a/_vendor/github.com/docker/scout-cli/docs/docker_scout_cves.yaml b/_vendor/github.com/docker/scout-cli/docs/docker_scout_cves.yaml
index dd1637ade6..f202f668e7 100644
--- a/_vendor/github.com/docker/scout-cli/docs/docker_scout_cves.yaml
+++ b/_vendor/github.com/docker/scout-cli/docs/docker_scout_cves.yaml
@@ -105,6 +105,7 @@ options:
- packages: default output, plain text with vulnerabilities grouped by packages
- sarif: json Sarif output
- spdx: json SPDX output
+ - gitlab: json GitLab output
- markdown: markdown output (including some html tags like collapsible sections)
- sbom: json SBOM output
deprecated: false
diff --git a/_vendor/github.com/docker/scout-cli/docs/scout_cves.md b/_vendor/github.com/docker/scout-cli/docs/scout_cves.md
index b8f119d8a9..8f1618ad42 100644
--- a/_vendor/github.com/docker/scout-cli/docs/scout_cves.md
+++ b/_vendor/github.com/docker/scout-cli/docs/scout_cves.md
@@ -9,34 +9,34 @@ Display CVEs identified in a software artifact
### Options
-| Name | Type | Default | Description |
-|:-----------------------|:--------------|:-----------|:----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `--details` | | | Print details on default text output |
-| `--env` | `string` | | Name of environment |
-| [`--epss`](#epss) | | | Display the EPSS scores and organize the package's CVEs according to their EPSS score |
-| `--epss-percentile` | `float32` | `0` | Exclude CVEs with EPSS scores less than the specified percentile (0 to 1) |
-| `--epss-score` | `float32` | `0` | Exclude CVEs with EPSS scores less than the specified value (0 to 1) |
-| `-e`, `--exit-code` | | | Return exit code '2' if vulnerabilities are detected |
-| `--format` | `string` | `packages` | Output format of the generated vulnerability report:
- packages: default output, plain text with vulnerabilities grouped by packages
- sarif: json Sarif output
- spdx: json SPDX output
- markdown: markdown output (including some html tags like collapsible sections)
- sbom: json SBOM output
|
-| `--ignore-base` | | | Filter out CVEs introduced from base image |
-| `--locations` | | | Print package locations including file paths and layer diff_id |
-| `--multi-stage` | | | Show packages from multi-stage Docker builds |
-| `--only-cve-id` | `stringSlice` | | Comma separated list of CVE ids (like CVE-2021-45105) to search for |
-| `--only-fixed` | | | Filter to fixable CVEs |
-| `--only-metric` | `stringSlice` | | Comma separated list of CVSS metrics (like AV:N or PR:L) to filter CVEs by |
-| `--only-package` | `stringSlice` | | Comma separated regular expressions to filter packages by |
-| `--only-package-type` | `stringSlice` | | Comma separated list of package types (like apk, deb, rpm, npm, pypi, golang, etc) |
-| `--only-severity` | `stringSlice` | | Comma separated list of severities (critical, high, medium, low, unspecified) to filter CVEs by |
-| `--only-stage` | `stringSlice` | | Comma separated list of multi-stage Docker build stage names |
-| `--only-unfixed` | | | Filter to unfixed CVEs |
-| `--only-vex-affected` | | | Filter CVEs by VEX statements with status not affected |
-| `--only-vuln-packages` | | | When used with --format=only-packages ignore packages with no vulnerabilities |
-| `--org` | `string` | | Namespace of the Docker organization |
-| `-o`, `--output` | `string` | | Write the report to a file |
-| `--platform` | `string` | | Platform of image to analyze |
-| `--ref` | `string` | | Reference to use if the provided tarball contains multiple references.
Can only be used with archive |
-| `--vex-author` | `stringSlice` | | List of VEX statement authors to accept |
-| `--vex-location` | `stringSlice` | | File location of directory or file containing VEX statements |
+| Name | Type | Default | Description |
+|:-----------------------|:--------------|:-----------|:------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `--details` | | | Print details on default text output |
+| `--env` | `string` | | Name of environment |
+| [`--epss`](#epss) | | | Display the EPSS scores and organize the package's CVEs according to their EPSS score |
+| `--epss-percentile` | `float32` | `0` | Exclude CVEs with EPSS scores less than the specified percentile (0 to 1) |
+| `--epss-score` | `float32` | `0` | Exclude CVEs with EPSS scores less than the specified value (0 to 1) |
+| `-e`, `--exit-code` | | | Return exit code '2' if vulnerabilities are detected |
+| `--format` | `string` | `packages` | Output format of the generated vulnerability report:
- packages: default output, plain text with vulnerabilities grouped by packages
- sarif: json Sarif output
- spdx: json SPDX output
- gitlab: json GitLab output
- markdown: markdown output (including some html tags like collapsible sections)
- sbom: json SBOM output
|
+| `--ignore-base` | | | Filter out CVEs introduced from base image |
+| `--locations` | | | Print package locations including file paths and layer diff_id |
+| `--multi-stage` | | | Show packages from multi-stage Docker builds |
+| `--only-cve-id` | `stringSlice` | | Comma separated list of CVE ids (like CVE-2021-45105) to search for |
+| `--only-fixed` | | | Filter to fixable CVEs |
+| `--only-metric` | `stringSlice` | | Comma separated list of CVSS metrics (like AV:N or PR:L) to filter CVEs by |
+| `--only-package` | `stringSlice` | | Comma separated regular expressions to filter packages by |
+| `--only-package-type` | `stringSlice` | | Comma separated list of package types (like apk, deb, rpm, npm, pypi, golang, etc) |
+| `--only-severity` | `stringSlice` | | Comma separated list of severities (critical, high, medium, low, unspecified) to filter CVEs by |
+| `--only-stage` | `stringSlice` | | Comma separated list of multi-stage Docker build stage names |
+| `--only-unfixed` | | | Filter to unfixed CVEs |
+| `--only-vex-affected` | | | Filter CVEs by VEX statements with status not affected |
+| `--only-vuln-packages` | | | When used with --format=only-packages ignore packages with no vulnerabilities |
+| `--org` | `string` | | Namespace of the Docker organization |
+| `-o`, `--output` | `string` | | Write the report to a file |
+| `--platform` | `string` | | Platform of image to analyze |
+| `--ref` | `string` | | Reference to use if the provided tarball contains multiple references.
Can only be used with archive |
+| `--vex-author` | `stringSlice` | | List of VEX statement authors to accept |
+| `--vex-location` | `stringSlice` | | File location of directory or file containing VEX statements |
diff --git a/_vendor/modules.txt b/_vendor/modules.txt
index 49b821d70e..54c2ad7cb0 100644
--- a/_vendor/modules.txt
+++ b/_vendor/modules.txt
@@ -3,4 +3,4 @@
# github.com/docker/buildx v0.14.1
# github.com/docker/cli v26.1.3+incompatible
# github.com/docker/compose/v2 v2.27.0
-# github.com/docker/scout-cli v1.8.0
+# github.com/docker/scout-cli v1.9.3
diff --git a/go.mod b/go.mod
index 64ad68a6cf..34b3126ae7 100644
--- a/go.mod
+++ b/go.mod
@@ -8,7 +8,7 @@ require (
github.com/docker/buildx v0.14.1 // indirect
github.com/docker/cli v26.1.3+incompatible // indirect
github.com/docker/compose/v2 v2.27.0 // indirect
- github.com/docker/scout-cli v1.8.0 // indirect
+ github.com/docker/scout-cli v1.9.3 // indirect
github.com/moby/buildkit v0.13.1 // indirect
github.com/moby/moby v26.1.2+incompatible // indirect
)
@@ -17,7 +17,7 @@ replace (
github.com/docker/buildx => github.com/docker/buildx v0.14.1
github.com/docker/cli => github.com/docker/cli v26.1.3-0.20240513184838-60f2d38d5341+incompatible
github.com/docker/compose/v2 => github.com/docker/compose/v2 v2.27.0
- github.com/docker/scout-cli => github.com/docker/scout-cli v1.8.0
+ github.com/docker/scout-cli => github.com/docker/scout-cli v1.9.3
github.com/moby/buildkit => github.com/moby/buildkit v0.13.0-rc3.0.20240424175633-5fce077ed0e0
github.com/moby/moby => github.com/moby/moby v26.1.2+incompatible
)
diff --git a/go.sum b/go.sum
index 5cf82dea1b..883dd0bd7e 100644
--- a/go.sum
+++ b/go.sum
@@ -176,6 +176,8 @@ github.com/docker/scout-cli v1.7.0 h1:2dEbQKqkxM6wsJab/Ma3EJacS9ZrkVs1C4KbjXggJj
github.com/docker/scout-cli v1.7.0/go.mod h1:Eo1RyCJsx3ldz/YTY5yGxu9g9mwTYbRUutxQUkow3Fc=
github.com/docker/scout-cli v1.8.0 h1:rxwU9Xzt1LhqSY37ZVe/GPRCQxrEaQNipOMpCrUdGns=
github.com/docker/scout-cli v1.8.0/go.mod h1:Eo1RyCJsx3ldz/YTY5yGxu9g9mwTYbRUutxQUkow3Fc=
+github.com/docker/scout-cli v1.9.3 h1:u3lKQ7A1EvT3qNe5lR2c8dTNcAGIoSmH8HvSYarLlJY=
+github.com/docker/scout-cli v1.9.3/go.mod h1:Eo1RyCJsx3ldz/YTY5yGxu9g9mwTYbRUutxQUkow3Fc=
github.com/elazarl/goproxy v0.0.0-20191011121108-aa519ddbe484/go.mod h1:Ro8st/ElPeALwNFlcTpWmkr6IoMFfkjXAvTHpevnDsM=
github.com/evanphx/json-patch v4.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=