mirror of
https://github.com/docker/docs.git
synced 2026-03-27 06:18:55 +07:00
7da1a15974
<!--Delete sections as needed --> ## Description Updated scout cli to 1.18.4 - Got vendor'd content from upstream - Created new placeholders in `content/reference/cli/docker/scout` for new commands - Updated release notes https://deploy-preview-23485--docsdocker.netlify.app/reference/cli/docker/scout/ https://deploy-preview-23485--docsdocker.netlify.app/scout/release-notes/cli/ ## Related issues or tickets DHI-449 ## Reviews <!-- Notes for reviewers here --> <!-- List applicable reviews (optionally @tag reviewers) --> - [ ] Editorial review Signed-off-by: Craig <craig.osterhout@docker.com>
8.6 KiB
8.6 KiB
docker scout compare
Compare two images and display differences (experimental)
Aliases
docker scout compare, docker scout diff
Options
| Name | Type | Default | Description |
|---|---|---|---|
-x, --exit-on |
stringSlice |
Comma separated list of conditions to fail the action step if worse or changed, options are: vulnerability, policy, package | |
--format |
string |
text |
Output format of the generated vulnerability report: - text: default output, plain text with or without colors depending on the terminal - markdown: Markdown output |
--hide-policies |
Hide policy status from the output | ||
--ignore-base |
Filter out CVEs introduced from base image | ||
--ignore-suppressed |
Filter CVEs found in Scout exceptions based on the specified exception scope | ||
--ignore-unchanged |
Filter out unchanged packages | ||
--multi-stage |
Show packages from multi-stage Docker builds | ||
--only-fixed |
Filter to fixable CVEs | ||
--only-package-type |
stringSlice |
Comma separated list of package types (like apk, deb, rpm, npm, pypi, golang, etc) | |
--only-policy |
stringSlice |
Comma separated list of policies to evaluate | |
--only-severity |
stringSlice |
Comma separated list of severities (critical, high, medium, low, unspecified) to filter CVEs by | |
--only-stage |
stringSlice |
Comma separated list of multi-stage Docker build stage names | |
--only-unfixed |
Filter to unfixed CVEs | ||
--only-vex-affected |
Filter CVEs by VEX statements with status not affected | ||
--org |
string |
Namespace of the Docker organization | |
-o, --output |
string |
Write the report to a file | |
--platform |
string |
Platform of image to analyze | |
--ref |
string |
Reference to use if the provided tarball contains multiple references. Can only be used with archive |
|
--to |
string |
Image, directory, or archive to compare to | |
--to-env |
string |
Name of environment to compare to | |
--to-latest |
Latest image processed to compare to | ||
--to-ref |
string |
Reference to use if the provided tarball contains multiple references. Can only be used with archive. |
|
--vex-author |
stringSlice |
[<.*@docker.com>] |
List of VEX statement authors to accept |
--vex-location |
stringSlice |
File location of directory or file containing VEX statements |
Description
The docker scout compare command analyzes two images and displays a comparison.
This command is experimental and its behaviour might change in the future
The intended use of this command is to compare two versions of the same image. For instance, when a new image is built and compared to the version running in production.
If no image is specified, the most recently built image is used as a comparison target.
The following artifact types are supported:
- Images
- OCI layout directories
- Tarball archives, as created by
docker save - Local directory or file
By default, the tool expects an image reference, such as:
rediscurlimages/curl:7.87.0mcr.microsoft.com/dotnet/runtime:7.0
If the artifact you want to analyze is an OCI directory, a tarball archive, a local file or directory, or if you want to control from where the image will be resolved, you must prefix the reference with one of the following:
image://(default) use a local image, or fall back to a registry lookuplocal://use an image from the local image store (don't do a registry lookup)registry://use an image from a registry (don't use a local image)oci-dir://use an OCI layout directoryarchive://use a tarball archive, as created bydocker savefs://use a local directory or filesbom://SPDX file or in-toto attestation file with SPDX predicate orsyftjson SBOM file
Examples
Compare the most recently built image to the latest tag
$ docker scout compare --to namespace/repo:latest
Compare local build to the same tag from the registry
$ docker scout compare local://namespace/repo:latest --to registry://namespace/repo:latest
Ignore base images
$ docker scout compare --ignore-base --to namespace/repo:latest namespace/repo:v1.2.3-pre
Generate a markdown output
$ docker scout compare --format markdown --to namespace/repo:latest namespace/repo:v1.2.3-pre
Only compare maven packages and only display critical vulnerabilities for maven packages
$ docker scout compare --only-package-type maven --only-severity critical --to namespace/repo:latest namespace/repo:v1.2.3-pre
Show all policy results for both images
docker scout compare --to namespace/repo:latest namespace/repo:v1.2.3-pre