Docker Scout Commands โ€” Part 1

Docker Scout Commands โ€” Part 1

ยท

6 min read

๐Ÿ‘‰ docker scout attest: The docker scout attest command is used to generate and store attestations for container images. Attestations are cryptographic statements that assert facts about a container image, such as the results of a security scan or compliance check.

$ docker scout attest <image> --output <file>

Explain

  • <image>: The name of the container image you want to create an attestation for.

  • --output <file>: Specifies the output file where the attestation will be stored.

Example

$ docker scout attest my-app:latest --output attestation.json

This command will analyze the specified container image and generate an attestation that includes details about the image, such as security vulnerabilities and compliance checks. The attestation is then saved in the specified file in JSON format.

The docker scout attest command may include additional options or flags to customize the attestation process. For the most up-to-date and detailed information about available options, it's recommended to refer to the Docker Scout documentation or use the --help flag:

$ docker scout attest --help

๐Ÿ‘‰ docker scout attestation add: The docker scout attestation add command is used to add an attestation to a container image.

Example:

To add a vulnerability scan attestation to an image named my-app:latest:

Create a predicate file (e.g., vuln-scan.json):

{
  "scanResults": {
    "vulnerabilities": [
      {
        "id": "CVE-2021-1234",
        "severity": "HIGH",
        "description": "Example vulnerability"
      }
    ]
  }
}

Run the attestation add command:

$ docker scout attestation add my-app:latest --attestor user@example.com --predicate-type vuln --predicate-path vuln-scan.json
  • docker scout attestation add: Initiates the process to add an attestation to a specified Docker image.

  • my-app:latest: The name and tag of the Docker image to which the attestation is being added.

  • --attestor user@example.com: The entity that is attesting to the information. This could be an email address or another identifier for the entity.

  • --predicate-type vuln: Specifies that the type of attestation being added is related to vulnerabilities.

  • --predicate-path vuln-scan.json: The path to the file containing the predicate data (in this case, the results of a vulnerability scan).

Options:

--file: File location of attestations to attach

--predicate-type: Predicate-type for attestations

๐Ÿ‘‰docker scout cache: The docker scout cache command is used to manage the local cache that Docker Scout uses to store data about images and their analysis. This can be useful for improving performance and ensuring that Docker Scout has up-to-date information.

Subcommands:

docker scout cache list: This command lists the current contents of the cache, providing information about what data is stored locally.

$ docker scout cache list

docker scout cache clean: This command is used to clear the cache. It removes all cached data, which can be useful if you want to ensure that Docker Scout re-fetches all information for images.

$ docker scout cache clean

docker scout cache df:The docker scout cache df command is used to display information about the disk usage of the Docker Scout cache. This command provides an overview of how much disk space is being used by the cached data that Docker Scout stores locally.

Docker Scout uses a temporary cache storage for generating image SBOMs. The cache helps avoid regenerating or fetching resources unnecessarily.

This docker scout cache df command shows the cached data on the host. Each cache entry is identified by the digest of the image.

Examples:

List temporary and cache files

$ docker scout cache df

Docker Scout temporary directory to generate SBOMs is located at:
   /var/folders/dw/d6h9w2sx6rv3lzwwgrnx7t5h0000gp/T/docker-scout
   this path can be configured using the DOCKER_SCOUT_CACHE_DIR environment variable


                               Image Digest                               โ”‚ Size
โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ผโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€
  sha256:c41ab5c992deb4fe7e5da09f67a8804a46bd0592bfdf0b1847dde0e0889d2bff โ”‚ 21 kB

Total: 21 kB


Docker Scout cached SBOMs are located at:
   /Users/user/.docker/scout/sbom

                           Image Digest                               โ”‚ Size of SBOM
โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ผโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€
  sha256:02bb6f428431fbc2809c5d1b41eab5a68350194fb508869a33cb1af4444c9b11 โ”‚ 42 kB
  sha256:03fc002fe4f370463a8f04d3a288cdffa861e462fc8b5be44ab62b296ad95183 โ”‚ 100 kB
  sha256:088134dd33e4a2997480a1488a41c11abebda465da5cf7f305a0ecf8ed494329 โ”‚ 194 kB
  sha256:0b80b2f17aff7ee5bfb135c69d0d6fe34070e89042b7aac73d1abcc79cfe6759 โ”‚ 852 kB
  sha256:0c9e8abe31a5f17d84d5c85d3853d2f948a4f126421e89e68753591f1b6fedc5 โ”‚ 930 kB
  sha256:0d49cae0723c8d310e413736b5e91e0c59b605ade2546f6e6ef8f1f3ddc76066 โ”‚ 510 kB
  sha256:0ef04748d071c2e631bb3edce8f805cb5512e746b682c83fdae6d8c0b243280b โ”‚ 1.0 MB
  sha256:13fd22925b638bb7d2131914bb8f8b0f5f582bee364aec682d9e7fe722bb486a โ”‚ 42 kB
  sha256:174c41d4fbc7f63e1f2bb7d2f7837318050406f2f27e5073a84a84f18b48b883 โ”‚ 115 kB

Total: 4 MB

docker scout cache prune: The docker scout cache prune command removes temporary data and SBOM cache.

By default, docker scout cache prune only deletes temporary data. To delete temporary data and clear the SBOM cache, use the --sboms flag.

Examples:

Delete temporary data

$ docker scout cache prune
? Are you sure to delete all temporary data? Yes
    โœ“ temporary data deleted

Delete temporary and cache data

$ docker scout cache prune --sboms
? Are you sure to delete all temporary data and all cached SBOMs? Yes
    โœ“ temporary data deleted
    โœ“ cached SBOMs deleted

๐Ÿ‘‰ docker scout compare: The docker scout compare command is used to compare the contents and security attributes of two container images. This can help identify differences in vulnerabilities, software dependencies, and other aspects between the images.

The docker scout compare command analyzes two images and displays a comparison.

The intended use of this command is to compare two versions of the same image. For instance, when a new image is built and compared to the version running in production.

If no image is specified, the most recently built image is used as a comparison target.

The following artifact types are supported:

  • Images

  • OCI layout directories

  • Tarball archives, as created by docker save

  • Local directory or file

By default, the tool expects an image reference, such as:

  • redis

  • curlimages/curl:7.87.0

  • mcr.microsoft.com/dotnet/runtime:7.0

If the artifact you want to analyze is an OCI directory, a tarball archive, a local file or directory, or if you want to control from where the image will be resolved, you must prefix the reference with one of the following:

  • image:// (default) use a local image, or fall back to a registry lookup

  • local:// use an image from the local image store (don't do a registry lookup)

  • registry:// use an image from a registry (don't use a local image)

  • oci-dir:// use an OCI layout directory

  • archive:// use a tarball archive, as created by docker save

  • fs:// use a local directory or file

Examples:

To compare two container images named my-app:v1 and my-app:v2, you would use the following command:

$ docker scout compare my-app:v1 my-app:v2

This command will analyze both images and provide a comparison of their contents, including:

  • Differences in software vulnerabilities.

  • Variances in software dependencies.

  • Any other relevant security attributes or metadata.

Compare the most recently built image to the latest tag:

$ docker scout compare --to namespace/repo:latest

Compare local build to the same tag from the registry:

$ docker scout compare local://namespace/repo:latest --to registry://namespace/repo:latest

Generate a markdown output:

$ docker scout compare --format markdown --to namespace/repo:latest namespace/repo:v1.2.3-pre

Only compare maven packages and only display critical vulnerabilities for maven packages:

$ docker scout compare --only-package-type maven --only-severity critical --to namespace/repo:latest namespace/repo:v1.2.3-pre

Show all policy results for both images:

$ docker scout compare --to namespace/repo:latest namespace/repo:v1.2.3-pre

๐Ÿ‘‰ docker scout config: The docker scout config command allows you to view or modify Docker Scout configuration settings. These settings can include various parameters related to Docker Scout's behavior and functionality.

docker scout config allows you to list, get and set Docker Scout configuration.

List existing configuration:

$ docker scout config
organization=my-org-namespace

Available configuration key:

  • organization: Namespace of the Docker organization to be used by default.

Print configuration value:

$ docker scout config organization
my-org-namespace

Set configuration value:

$ docker scout config organization my-org-namespace
 โœ“ Successfully set organization to my-org-namespace

Did you find this article valuable?

Support Megha Sharma's Blog by becoming a sponsor. Any amount is appreciated!

ย