👉 docker scout push: The docker scout push command lets you push an image or analysis result to Docker Scout.
The docker scout push command is used to push the results of a Docker Scout analysis to a remote registry or a central server where you can manage and review the security reports of your container images. This is particularly useful for integrating with centralized security dashboards or compliance tools.
Examples:
Push the analysis results of a specific image to a remote registry:
$ docker scout push --org my-org registry.example.com/repo:tag
docker scout push: The command to push Docker Scout analysis results.
--org my-org: Specifies the organization within the registry to which the results will be pushed.
registry.example.com/repo:tag: The destination registry and repository, including the tag of the image.
Options:
--author:
Name of the author of the image
--org:
Namespace of the Docker organization to which the image will be pushed
-o, --output:
Write the report to a file
--platform:
Platform of image to be pushed
--sbom:
Create and upload SBOMs
--timestamp:
Timestamp of image or tag creation
👉 docker scout quickview: The docker scout quickview command displays a quick overview of an image. It displays a summary of the vulnerabilities in the specified image and vulnerabilities from the base image. If available, it also displays base image refresh and update recommendations.
If no image is specified, the most recently built image is used.
The following artifact types are supported:
Images
OCI layout directories
Tarball archives, as created by docker save
Local directory or file
By default, the tool expects an image reference, such as:
redis
curlimages/curl:7.87.0
mcr.microsoft.com/dotnet/runtime:7.0
If the artifact you want to analyze is an OCI directory, a tarball archive, a local file or directory, or if you want to control from where the image will be resolved, you must prefix the reference with one of the following:
image:// (default) use a local image, or fall back to a registry lookup
local:// use an image from the local image store (don't do a registry lookup)
registry:// use an image from a registry (don't use a local image)
oci-dir:// use an OCI layout directory
archive:// use a tarball archive, as created by docker save
fs:// use a local directory or file
sbom:// SPDX file or in-toto attestation file with SPDX predicate or syft json SBOM file
In case of the sbom:// prefix, if the file is not defined then it will try to read it from the standard input.
Examples:
Quick overview of an image:
$ docker scout quickview golang:1.19.4
...Pulling
✓ Pulled
✓ SBOM of image already cached, 278 packages indexed
Your image golang:1.19.4 │ 5C 3H 6M 63L
Base image buildpack-deps:bullseye-scm │ 5C 1H 3M 48L 6?
Refreshed base image buildpack-deps:bullseye-scm │ 0C 0H 0M 42L
│ -5 -1 -3 -6 -6
Updated base image buildpack-deps:sid-scm │ 0C 0H 1M 29L
│ -5 -1 -2 -19 -6
Quick overview of the most recently built image:
$ docker scout qv
Quick overview from an SPDX file:
$ syft -o spdx-json alpine:3.16.1 | docker scout quickview sbom://
✔ Loaded image alpine:3.16.1
✔ Parsed image sha256:3d81c46cd8756ddb6db9ec36fa06a6fb71c287fb265232ba516739dc67a5f07d
✔ Cataloged contents 274a317d88b54f9e67799244a1250cad3fe7080f45249fa9167d1f871218d35f
├── ✔ Packages [14 packages]
├── ✔ File digests [75 files]
├── ✔ File metadata [75 locations]
└── ✔ Executables [16 executables]
Target │ <stdin> │ 1C 2H 8M 0L
digest │ 274a317d88b5 │
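The summary row in the outputs above can drive a build gate. The following is an added example, not part of the original page or Docker's tooling: it parses the severity counts from quickview text and fails when critical or high counts exceed a budget. The function names qv_counts and qv_gate are hypothetical, and the script assumes the plain-text row layout shown above.

```shell
#!/bin/sh
# Added example (not Docker's code): gate a pipeline on the quickview summary.
# Assumes the row layout shown on this page: "<label> <ref> │ 5C 3H 6M 63L".
# qv_counts and qv_gate are hypothetical helper names.

# Constructed sample input, copied from the two outputs above.
SAMPLE_IMAGE='Your image golang:1.19.4 │ 5C 3H 6M 63L
Base image buildpack-deps:bullseye-scm │ 5C 1H 3M 48L 6?
Refreshed base image buildpack-deps:bullseye-scm │ 0C 0H 0M 42L
│ -5 -1 -3 -6 -6'
SAMPLE_SBOM='Target │ <stdin> │ 1C 2H 8M 0L
digest │ 274a317d88b5 │'

# qv_counts LABEL: read quickview text on stdin and print "C H M L" for the
# first row that starts with LABEL. Returns 2 when the row or any of the four
# counts is missing, so a changed output format fails closed instead of
# being read as zero findings.
qv_counts() {
  qv_label=$1
  qv_row=$(grep -E "^[[:space:]]*${qv_label}" | head -n1 | sed 's/.*│//')
  [ -n "$qv_row" ] || return 2
  qv_out=""
  for qv_sev in C H M L; do
    qv_n=$(printf '%s\n' "$qv_row" | tr -s ' \t' '\n\n' |
           sed -n "s/^\([0-9][0-9]*\)${qv_sev}\$/\1/p" | head -n1)
    [ -n "$qv_n" ] || return 2
    qv_out="$qv_out $qv_n"
  done
  printf '%s\n' "${qv_out# }"
}

# qv_gate LABEL MAX_CRITICAL MAX_HIGH
# Exit status: 0 = within budget, 1 = over budget, 2 = summary not parseable.
qv_gate() {
  gate_counts=$(qv_counts "$1") || return 2
  gate_crit=${gate_counts%% *}
  gate_rest=${gate_counts#* }
  gate_high=${gate_rest%% *}
  [ "$gate_crit" -le "$2" ] && [ "$gate_high" -le "$3" ]
}
```

Feed it the command's output on stdin, using the label "Your image" for an image or "Target" for the sbom:// case.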
👉 docker scout recommendations: The docker scout recommendations command displays recommendations for base image updates. It analyzes the image and displays recommendations to refresh or update the base image. For each recommendation it shows a list of benefits, such as fewer vulnerabilities or smaller image size.
If no image is specified, the most recently built image is used.
The following artifact types are supported:
Images
OCI layout directories
Tarball archives, as created by docker save
Local directory or file
By default, the tool expects an image reference, such as:
redis
curlimages/curl:7.87.0
mcr.microsoft.com/dotnet/runtime:7.0
If the artifact you want to analyze is an OCI directory, a tarball archive, a local file or directory, or if you want to control from where the image will be resolved, you must prefix the reference with one of the following:
image:// (default) use a local image, or fall back to a registry lookup
local:// use an image from the local image store (don't do a registry lookup)
registry:// use an image from a registry (don't use a local image)
oci-dir:// use an OCI layout directory
archive:// use a tarball archive, as created by docker save
fs:// use a local directory or file
Examples:
Display base image update recommendations:
$ docker scout recommendations golang:1.19.4
Display base image refresh only recommendations:
$ docker scout recommendations --only-refresh golang:1.19.4
Display base image update only recommendations:
$ docker scout recommendations --only-update golang:1.19.4
Options:
--only-refresh:
Only display base image refresh recommendations
--only-update:
Only display base image update recommendations
--org:
Namespace of the Docker organization
-o, --output:
Write the report to a file
--platform:
Platform of image to analyze
--ref:
Reference to use if the provided tarball contains multiple references. Can only be used with archive
--tag:
Specify tag
👉 docker scout repo: Commands to list, enable, and disable Docker Scout on repositories.
Subcommands:
docker scout repo disable: The docker scout repo disable command disables Docker Scout on repositories.
Options:
--all:
Disable all repositories of the organization. Cannot be used with --filter.
--filter:
Regular expression to filter repositories by name
--integration:
Name of the integration to use for enabling an image
--org:
Namespace of the Docker organization
--registry:
Container Registry
Examples:
Disable a specific repository:
$ docker scout repo disable my/repository
Disable all repositories of the organization:
$ docker scout repo disable --all
Disable some repositories based on a filter:
$ docker scout repo disable --filter namespace/backend
Disable a repository from a specific registry:
$ docker scout repo disable my/repository --registry 123456.dkr.ecr.us-east-1.amazonaws.com
docker scout repo enable: The docker scout repo enable command enables Docker Scout on repositories.
Examples:
Enable a specific repository:
$ docker scout repo enable my/repository
Enable all repositories of the organization:
$ docker scout repo enable --all
Enable some repositories based on a filter:
$ docker scout repo enable --filter namespace/backend
Enable a repository from a specific registry:
$ docker scout repo enable my/repository --registry 123456.dkr.ecr.us-east-1.amazonaws.com
docker scout repo list: The docker scout repo list command shows all repositories in an organization.
If ORG is not provided the default configured organization will be used.
$ docker scout repo list
👉 docker scout sbom: The docker scout sbom command analyzes a software artifact to generate a Software Bill Of Materials (SBOM).
The SBOM contains a list of all packages in the image. You can use the --format flag to filter the output of the command to display only packages of a specific type.
If no image is specified, the most recently built image is used.
Examples:
Display the list of packages:
$ docker scout sbom --format list alpine
Only display packages of a specific type:
$ docker scout sbom --format list --only-package-type apk alpine
Display the full SBOM in JSON format:
$ docker scout sbom alpine
Display the full SBOM of the most recently built image:
$ docker scout sbom
Write SBOM to a file:
$ docker scout sbom --output alpine.sbom alpine
👉 docker scout version: The docker scout version command is used to display the current version of Docker Scout installed on your system.
Examples:
$ docker scout version
⢀⢀⢀ ⣀⣀⡤⣔⢖⣖⢽⢝
⡠⡢⡣⡣⡣⡣⡣⡣⡢⡀ ⢀⣠⢴⡲⣫⡺⣜⢞⢮⡳⡵⡹⡅
⡜⡜⡜⡜⡜⡜⠜⠈⠈ ⠁⠙⠮⣺⡪⡯⣺⡪⡯⣺
⢘⢜⢜⢜⢜⠜ ⠈⠪⡳⡵⣹⡪⠇
⠨⡪⡪⡪⠂ ⢀⡤⣖⢽⡹⣝⡝⣖⢤⡀ ⠘⢝⢮⡚ _____ _
⠱⡱⠁ ⡴⡫⣞⢮⡳⣝⢮⡺⣪⡳⣝⢦ ⠘⡵⠁ / ____| Docker | |
⠁ ⣸⢝⣕⢗⡵⣝⢮⡳⣝⢮⡺⣪⡳⣣ ⠁ | (___ ___ ___ _ _| |_
⣗⣝⢮⡳⣝⢮⡳⣝⢮⡳⣝⢮⢮⡳ \___ \ / __/ _ \| | | | __|
⢀ ⢱⡳⡵⣹⡪⡳⣝⢮⡳⣝⢮⡳⡣⡏ ⡀ ____) | (_| (_) | |_| | |_
⢀⢾⠄ ⠫⣞⢮⡺⣝⢮⡳⣝⢮⡳⣝⠝ ⢠⢣⢂ |_____/ \___\___/ \__,_|\__|
⡼⣕⢗⡄ ⠈⠓⠝⢮⡳⣝⠮⠳⠙ ⢠⢢⢣⢣
⢰⡫⡮⡳⣝⢦⡀ ⢀⢔⢕⢕⢕⢕⠅
⡯⣎⢯⡺⣪⡳⣝⢖⣄⣀ ⡀⡠⡢⡣⡣⡣⡣⡣⡃
⢸⢝⢮⡳⣝⢮⡺⣪⡳⠕⠗⠉⠁ ⠘⠜⡜⡜⡜⡜⡜⡜⠜⠈
⡯⡳⠳⠝⠊⠓⠉ ⠈⠈⠈⠈
version: v1.0.9 (go1.21.3 - darwin/arm64)
git commit: 8bf95bf60d084af341f70e8263342f71b0a3cd16
👉 docker scout watch: The docker scout watch command watches repositories in a registry and pushes images or analysis results to Docker Scout.
Options:
--all-images:
Push all images instead of only the ones pushed while the watch command is running
--dry-run:
Watch images and prepare them, but do not push them
--interval (default 60):
Interval in seconds between checks
--org:
Namespace of the Docker organization to which the image will be pushed
--refresh-registry:
Refresh the list of repositories of a registry at every run. Only with --registry.
--registry:
Registry to watch
--repository:
Repository to watch
--sbom (default true):
Create and upload SBOMs
--tag:
Regular expression to match tags to watch
--workers (default 3):
Number of concurrent workers
Examples:
Watch for new images from two repositories and push them:
$ docker scout watch --org my-org --repository registry-1.example.com/repo-1 --repository registry-2.example.com/repo-2
Only push images with a specific tag:
$ docker scout watch --org my-org --repository registry.example.com/my-service --tag latest
Watch all repositories of a registry:
$ docker scout watch --org my-org --registry registry.example.com
Push all images and not just the new ones:
$ docker scout watch --org my-org --repository registry.example.com/my-service --all-images