centersl/docker-docs
1
0
Fork 0
mirror of https://github.com/docker/docs.git synced 2026-04-12 06:19:22 +07:00
Code Issues Packages Projects Releases Wiki Activity
Files
45e5838f13346e4e2d5ee4969ffb95352ea51363
docker-docs/_data/scout-cli/docker_scout_cves.yaml
Yves Brissaud df7dfffa24 scout: update cli documentation 
Signed-off-by: Yves Brissaud <yves.brissaud@docker.com>
2023-03-24 19:52:17 +01:00

226 lines
6.3 KiB
YAML
Raw Blame History

command: docker scout cves
short: Display CVEs identified in a software artifact
long: |-
The `docker scout cves` command analyzes a software artifact for vulnerabilities.
The following artifact types are supported:
- Images
- OCI layout directories
- Tarball archives, as created by `docker save`
The tool analyzes the provided software artifact, and generates a vulnerability report.
By default, the tool expects an image reference, such as:
- `redis`
- `curlimages/curl:7.87.0`
- `mcr.microsoft.com/dotnet/runtime:7.0`
If the artifact you want to analyze is an OCI directory or a tarball archive, you must use the `--type` flag.
usage: docker scout cves [OPTIONS] IMAGE|DIRECTORY|ARCHIVE
pname: docker scout
plink: docker_scout.yaml
options:
- option: debug
value_type: bool
default_value: "false"
description: Debug messages
deprecated: false
hidden: true
experimental: false
experimentalcli: false
kubernetes: false
swarm: false
- option: details
value_type: bool
default_value: "false"
description: Print details on default text output
deprecated: false
hidden: false
experimental: false
experimentalcli: false
kubernetes: false
swarm: false
- option: exit-code
shorthand: e
value_type: bool
default_value: "false"
description: Return exit code '2' if vulnerabilities are detected
deprecated: false
hidden: false
experimental: false
experimentalcli: false
kubernetes: false
swarm: false
- option: format
value_type: string
default_value: packages
description: |-
Output format of the generated vulnerability report:
- packages: default output, plain text with vulnerabilities grouped by packages
- sarif: json Sarif output
deprecated: false
hidden: false
experimental: false
experimentalcli: false
kubernetes: false
swarm: false
- option: ignore-base
value_type: bool
default_value: "false"
description: Filter out CVEs introduced from base image
deprecated: false
hidden: false
experimental: false
experimentalcli: false
kubernetes: false
swarm: false
- option: only-cve-id
value_type: stringSlice
default_value: '[]'
description: |
Comma separated list of CVE ids (like CVE-2021-45105) to search for
deprecated: false
hidden: false
experimental: false
experimentalcli: false
kubernetes: false
swarm: false
- option: only-fixed
value_type: bool
default_value: "false"
description: Filter to fixable CVEs
deprecated: false
hidden: false
experimental: false
experimentalcli: false
kubernetes: false
swarm: false
- option: only-package-type
value_type: stringSlice
default_value: '[]'
description: |
Comma separated list of package types (like apk, deb, rpm, npm, pypi, golang, etc)
deprecated: false
hidden: false
experimental: false
experimentalcli: false
kubernetes: false
swarm: false
- option: only-severity
value_type: stringSlice
default_value: '[]'
description: |
Comma separated list of severities (critical, high, medium, low, unspecified) to filter CVEs by
deprecated: false
hidden: false
experimental: false
experimentalcli: false
kubernetes: false
swarm: false
- option: only-unfixed
value_type: bool
default_value: "false"
description: Filter to unfixed CVEs
deprecated: false
hidden: false
experimental: false
experimentalcli: false
kubernetes: false
swarm: false
- option: output
shorthand: o
value_type: string
description: Write the report to a file.
deprecated: false
hidden: false
experimental: false
experimentalcli: false
kubernetes: false
swarm: false
- option: platform
value_type: string
description: Platform of image to analyze
deprecated: false
hidden: false
experimental: false
experimentalcli: false
kubernetes: false
swarm: false
- option: ref
value_type: string
description: |-
Reference to use if the provided tarball contains multiple references.
Can only be used with --type archive.
deprecated: false
hidden: false
experimental: false
experimentalcli: false
kubernetes: false
swarm: false
- option: type
value_type: string
default_value: image
description: |-
Type of the image to analyze. Can be one of:
- image
- oci-dir
- archive (docker save tarball)
deprecated: false
hidden: false
experimental: false
experimentalcli: false
kubernetes: false
swarm: false
examples: |-
### Display vulnerabilities grouped by package
```console
$ docker scout cves alpine
Analyzing image alpine
✓ Image stored for indexing
✓ Indexed 18 packages
✓ No vulnerable package detected
```
### Display vulnerabilities from a `docker save` tarball
```console
$ docker save alpine > alpine.tar
$ docker scout cves --type archive alpine.tar
Analyzing archive alpine.tar
✓ Archive read
✓ SBOM of image already cached, 18 packages indexed
✓ No vulnerable package detected
```
### Display vulnerabilities from an OCI directory
```console
$ skopeo copy --override-os linux docker://alpine oci:alpine
$ docker scout cves --type oci-dir alpine
Analyzing OCI directory alpine
✓ OCI directory read
✓ Image stored for indexing
✓ Indexed 19 packages
✓ No vulnerable package detected
```
### Export vulnerabilities to a SARIF JSON file
```console
$ docker scout cves --format sarif --output alpine.sarif.json alpine
Analyzing image alpine
✓ SBOM of image already cached, 18 packages indexed
✓ No vulnerable package detected
✓ Report written to alpine.sarif.json
```
deprecated: false
experimental: false
experimentalcli: false
kubernetes: false
swarm: false
Reference in New Issue View Git Blame Copy Permalink