Docker Scout Commands β€” Part 2

Docker Scout Commands β€” Part 2

Β·

6 min read

πŸ‘‰ docker scout cves: The docker scout cves command is used to display information about Common Vulnerabilities and Display CVEs identified in a software artifact. This command helps you understand the security vulnerabilities present in your images and provides details such as severity, description, and remediation steps.

The docker scout cves command analyzes a software artifact for vulnerabilities.

The following artifact types are supported:

  • Images

  • OCI layout directories

  • Tarball archives, as created by docker save

  • Local directory or file

By default, the tool expects an image reference, such as:

  • redis

  • curlimages/curl:7.87.0

  • mcr.microsoft.com/dotnet/runtime:7.0

If the artifact you want to analyze is an OCI directory, a tarball archive, a local file or directory, or if you want to control from where the image will be resolved, you must prefix the reference with one of the following:

  • image:// (default) use a local image, or fall back to a registry lookup

  • local:// use an image from the local image store (don't do a registry lookup)

  • registry:// use an image from a registry (don't use a local image)

  • oci-dir:// use an OCI layout directory

  • archive:// use a tarball archive, as created by docker save

  • fs:// use a local directory or file

  • sbom:// SPDX file or in-toto attestation file with SPDX predicate or syft json SBOM file In case of sbom:// prefix, if the file is not defined then it will try to read it from the standard input.

Examples:

Display vulnerabilities grouped by package:

$ docker scout cves alpine

Output:

Analyzing image alpine
βœ“ Image stored for indexing
βœ“ Indexed 18 packages

Package: libxyz
  CVE-2022-12345  Severity: HIGH
  Description: Example vulnerability description.
  Fix available: Yes
  Link: https://example.com/CVE-2022-12345

Package: libabc
  CVE-2021-67890  Severity: MEDIUM
  Description: Another example vulnerability description.
  Fix available: No
  Link: https://example.com/CVE-2021-67890

If there are no vulnerabilities detected, the output will indicate that no vulnerable packages were found:

Analyzing image alpine
βœ“ Image stored for indexing
βœ“ Indexed 18 packages
βœ“ No vulnerable package detected

Display vulnerabilities from a docker save tarball:

$ docker save alpine > alpine.tar

$ docker scout cves archive://alpine.tar
Analyzing archive alpine.tar
βœ“ Archive read
βœ“ SBOM of image already cached, 18 packages indexed
βœ“ No vulnerable package detected

Display vulnerabilities from an OCI directory:

$ skopeo copy --override-os linux docker://alpine oci:alpine

$ docker scout cves oci-dir://alpine

Analyzing OCI directory alpineβœ“ OCI directory read
βœ“ Image stored for indexing
βœ“ Indexed 19 packages
βœ“ No vulnerable package detected

Display vulnerabilities from the current directory:

$ docker scout cves fs://.

Export vulnerabilities to a SARIF JSON file:

$ docker scout cves --format sarif --output alpine.sarif.json alpine

Analyzing image alpine
βœ“ SBOM of image already cached, 18 packages indexed
βœ“ No vulnerable package detected
βœ“ Report written to alpine.sarif.json

Display markdown output:

$ docker scout cves --format markdown alpine

βœ“ Pulled
βœ“ SBOM of image already cached, 19 packages indexed
βœ— Detected 1 vulnerable package with 3 vulnerabilities
<h2>:mag: Vulnerabilities of <code>alpine</code></h2>

<details open="true"><summary>:package: Image Reference</strong> <code>alpine</code></summary>
<table>
<tr><td>digest</td><td><code>sha256:e3bd82196e98898cae9fe7fbfd6e2436530485974dc4fb3b7ddb69134eda2407</code></td><tr><tr><td>vulnerabilities</td><td><img alt="critical: 0" src="https://img.shields.io/badge/critical-0-lightgrey"/> <img alt="high: 0" src="https://img.shields.io/badge/high-0-lightgrey"/> <img alt="medium: 2" src="https://img.shields.io/badge/medium-2-fbb552"/> <img alt="low: 0" src="https://img.shields.io/badge/low-0-lightgrey"/> <img alt="unspecified: 1" src="https://img.shields.io/badge/unspecified-1-lightgrey"/></td></tr>
<tr><td>platform</td><td>linux/arm64</td></tr>
<tr><td>size</td><td>3.3 MB</td></tr>
<tr><td>packages</td><td>19</td></tr>
</table>
</details></table>
</details>
...

List all vulnerable packages of a certain type:

This example shows how to generate a list of packages, only including packages of the specified type, and only showing packages that are vulnerable.

$ docker scout cves --format only-packages --only-package-type golang --only-vuln-packages golang:1.18.0

βœ“ Pulled
βœ“ SBOM of image already cached, 296 packages indexed
βœ— Detected 1 vulnerable package with 40 vulnerabilities

Name   Version   Type         Vulnerabilities
───────────────────────────────────────────────────────────
stdlib  1.18     golang     2C    29H     8M     1L

Display EPSS score ( β€” epss):

The --epss flag adds Exploit Prediction Scoring System (EPSS) scores to the docker scout cves output. EPSS scores are estimates of the likelihood (probability) that a software vulnerability will be exploited in the wild in the next 30 days. The higher the score, the greater the probability that a vulnerability will be exploited.

$ docker scout cves --epss nginx

βœ“ Provenance obtained from attestation
βœ“ SBOM obtained from attestation, 232 packages indexed
βœ“ Pulled
βœ— Detected 23 vulnerable packages with a total of 39 vulnerabilities

...


 βœ— HIGH CVE-2023-52425
   https://scout.docker.com/v/CVE-2023-52425
   Affected range  : >=2.5.0-1
   Fixed version   : not fixed
   EPSS Score      : 0.000510
   EPSS Percentile : 0.173680
  • EPSS Score is a floating point number between 0 and 1 representing the probability of exploitation in the wild in the next 30 days (following score publication).

  • EPSS Percentile is the percentile of the current score, the proportion of all scored vulnerabilities with the same or a lower EPSS score.

You can use the --epss-score and --epss-percentile flags to filter the output of docker scout cves based on these scores. For example, to only show vulnerabilities with an EPSS score higher than 0.5:

$ docker scout cves --epss --epss-score 0.5 nginx

 βœ“ SBOM of image already cached, 232 packages indexed
 βœ“ EPSS scores for 2024-03-01 already cached
 βœ— Detected 1 vulnerable package with 1 vulnerability

...

 βœ— LOW CVE-2023-44487
   https://scout.docker.com/v/CVE-2023-44487
   Affected range  : >=1.22.1-9
   Fixed version   : not fixed
   EPSS Score      : 0.705850
   EPSS Percentile : 0.979410

EPSS scores are updated on a daily basis. By default, the latest available score is displayed. You can use the --epss-date flag to manually specify a date in the format yyyy-mm-dd for fetching EPSS scores.

$ docker scout cves --epss --epss-date 2024-01-02 nginx

List vulnerabilities from an SPDX file:

The following example shows how to generate a list of vulnerabilities from an SPDX file using syft.

$ syft -o spdx-json alpine:3.16.1 | docker scout cves sbom://
 βœ”Β” Pulled image
 βœ”Β” Loaded image                                                                                                                              alpine:3.16.1
 βœ”Β” Parsed image                                                                    sha256:3d81c46cd8756ddb6db9ec36fa06a6fb71c287fb265232ba516739dc67a5f07d
 βœ”Β” Cataloged contents                                                                     274a317d88b54f9e67799244a1250cad3fe7080f45249fa9167d1f871218d35f
   β”œβ”€β”€ βœ” Packages                        [14 packages]
   β”œβ”€β”€ βœ” File digests                    [75 files]
   β”œβ”€β”€ βœ” File metadata                   [75 locations]
   └── βœ” Executables                     [16 executables]
    βœ— Detected 2 vulnerable packages with a total of 11 vulnerabilities

πŸ‘‰docker scout enroll: The docker scout enroll command is used to enroll your Docker organization into Docker Scout.

Example:

$ docker scout enroll ORG

<ORG>: The name of the Docker organization you want to enroll.

πŸ‘‰ docker scout environment: The docker scout environment command is used to manage and interact with Docker Scout environments.

The docker scout environment command lists the environments. If you pass an image reference, the image is recorded to the specified environment.

Once recorded, environments can be referred to by their name. For example, you can refer to the production environment with the docker scout compare command as follows:

$ docker scout compare --to-env production

Lists all the Docker Scout environments available:

$ docker scout environment

prod
staging

List images of an environment:

$ docker scout environment staging

namespace/repo:tag@sha256:9a4df4fadc9bbd44c345e473e0688c2066a6583d4741679494ba9228cfd93e1b
namespace/other-repo:tag@sha256:0001d6ce124855b0a158569c584162097fe0ca8d72519067c2c8e3ce407c580f

Record an image to an environment, for a specific platform:

$ docker scout environment staging namespace/repo:stage-latest --platform linux/amd64

βœ“ Pulled
βœ“ Successfully recorded namespace/repo:stage-latest in environment staging

Creates a new Docker Scout environment:

$ docker scout environment create <ENVIRONMENT_NAME>

Deletes an existing Docker Scout environment:

$ docker scout environment rm <ENVIRONMENT_NAME>

πŸ‘‰ docker scout integration: Commands to list, configure, and delete Docker Scout integrations.

Subcommands:

docker scout integration configure: The docker scout integration configure command creates or updates a new integration configuration for an organization.

$ docker scout integration configure INTEGRATION

Options:

--name: Name of integration configuration to create

--org: Namespace of the Docker organization

--parameter: Integration parameters in the form of --parameter NAME=VALUE

docker scout integration delete: The docker scout integration delete command deletes a new integration configuration for an organization.

$ docker scout integration delete INTEGRATION

Options:

--name: Name of integration configuration to delete

--org: Namespace of the Docker organization

docker scout integration list: The docker scout integration list configured integrations for an organization.

$ docker scout integration list [INTEGRATION]

Options:

--name: Name of integration configuration to list

--org: Namespace of the Docker organization

Did you find this article valuable?

Support Megha Sharma's Blog by becoming a sponsor. Any amount is appreciated!

Β