Docker Scout Commands — Part 3

Docker Scout Commands — Part 3

👉 docker scout push: The docker scout push command lets you push an image or analysis result to Docker Scout.

The docker scout push command is used to push the results of a Docker Scout analysis to a remote registry or a central server where you can manage and review the security reports of your container images. This is particularly useful for integrating with centralized security dashboards or compliance tools.

Examples:

Push the analysis results of a specific image to a remote registry:

$ docker scout push --org my-org registry.example.com/repo:tag
  • docker scout push: The command to push Docker Scout analysis results.

  • --org my-org: Specifies the organization within the registry to which the results will be pushed.

  • registry.example.com/repo:tag: The destination registry and repository, including the tag of the image.

Options:

--author: Name of the author of the image

--org: Namespace of the Docker organization to which image will be pushed

-o, --output: Write the report to a file

--platform: Platform of image to be pushed

--sbom: Create and upload SBOMs

--timestamp: Timestamp of image or tag creation

👉 docker scout quickview: The docker scout quickview command displays a quick overview of an image. It displays a summary of the vulnerabilities in the specified image and vulnerabilities from the base image. If available, it also displays base image refresh and update recommendations.

If no image is specified, the most recently built image is used.

Artifact types are supported:

  • Images

  • OCI layout directories

  • Tarball archives, as created by docker save

  • Local directory or file

By default, the tool expects an image reference, such as:

  • redis

  • curlimages/curl:7.87.0

  • mcr.microsoft.com/dotnet/runtime:7.0

If the artifact you want to analyze is an OCI directory, a tarball archive, a local file or directory, or if you want to control from where the image will be resolved, you must prefix the reference with one of the following:

  • image:// (default) use a local image, or fall back to a registry lookup

  • local:// use an image from the local image store (don't do a registry lookup)

  • registry:// use an image from a registry (don't use a local image)

  • oci-dir:// use an OCI layout directory

  • archive:// use a tarball archive, as created by docker save

  • fs:// use a local directory or file

  • sbom:// SPDX file or in-toto attestation file with SPDX predicate or syft json SBOM file In case of sbom:// prefix, if the file is not defined then it will try to read it from the standard input.

Examples:

Quick overview of an image:

$ docker scout quickview golang:1.19.4
    ...Pulling
     ✓ Pulled
     ✓ SBOM of image already cached, 278 packages indexed

  Your image  golang:1.19.4                          │    5C     3H     6M    63L
  Base image  buildpack-deps:bullseye-scm            │    5C     1H     3M    48L     6?
  Refreshed base image  buildpack-deps:bullseye-scm  │    0C     0H     0M    42L
                                                     │    -5     -1     -3     -6     -6
  Updated base image  buildpack-deps:sid-scm         │    0C     0H     1M    29L
                                                     │     -5     -1     -2    -19    -6

Quick overview of the most recently built image:

$ docker scout qv

Quick overview from an SPDX file:

$ syft -o spdx-json alpine:3.16.1 | docker scout quickview sbom://

 ✔ Loaded image                                                                                                                              alpine:3.16.1
 ✔ Parsed image                                                                    sha256:3d81c46cd8756ddb6db9ec36fa06a6fb71c287fb265232ba516739dc67a5f07d
 ✔ Cataloged contents                                                                     274a317d88b54f9e67799244a1250cad3fe7080f45249fa9167d1f871218d35f
   ├── ✔ Packages                        [14 packages]
   ├── ✔ File digests                    [75 files]
   ├── ✔ File metadata                   [75 locations]
   └── ✔ Executables                     [16 executables]

  Target   │ <stdin>        │    1C     2H     8M     0L
    digest │  274a317d88b5  │

👉 docker scout recommendations: The docker scout recommendations command display recommendations for base images updates. It analyzes the image and display recommendations to refresh or update the base image. For each recommendation it shows a list of benefits, such as fewer vulnerabilities or smaller image size.

If no image is specified, the most recently built image is used.

The following artifact types are supported:

  • Images

  • OCI layout directories

  • Tarball archives, as created by docker save

  • Local directory or file

By default, the tool expects an image reference, such as:

  • redis

  • curlimages/curl:7.87.0

  • mcr.microsoft.com/dotnet/runtime:7.0

If the artifact you want to analyze is an OCI directory, a tarball archive, a local file or directory, or if you want to control from where the image will be resolved, you must prefix the reference with one of the following:

  • image:// (default) use a local image, or fall back to a registry lookup

  • local:// use an image from the local image store (don't do a registry lookup)

  • registry:// use an image from a registry (don't use a local image)

  • oci-dir:// use an OCI layout directory

  • archive:// use a tarball archive, as created by docker save

  • fs:// use a local directory or file

Examples:

Display base image update recommendations:

$ docker scout recommendations golang:1.19.4

Display base image refresh only recommendations:

$ docker scout recommendations --only-refresh golang:1.19.4

Display base image update only recommendations:

$ docker scout recommendations --only-update golang:1.19.4

Options:

--only-refresh: Only display base image refresh recommendations

--only-update: Only display base image update recommendations

--org: Namespace of the Docker organization

-o, --output: Write the report to a file

--platform: Platform of image to analyze

--ref: Reference to use if the provided tarball contains multiple references. Can only be used with archive

--tag: Specify tag

👉 docker scout repo: The docker scout repo Commands to list, enable, and disable Docker Scout on repositories.

Subcommands:

docker scout repo disable: The docker scout repo disable command disables Docker Scout on repositories.

Options:

--all: Disable all repositories of the organization. Can not be used with --filter.
--filter: Regular expression to filter repositories by name

--integration: Name of the integration to use for enabling an image

--org: Namespace of the Docker organization--registryContainer Registry

Examples:

Disable a specific repository:

$ docker scout repo disable my/repository

Disable all repositories of the organization:

$ docker scout repo disable --all

Disable some repositories based on a filter:

$ docker scout repo disable --filter namespace/backend

Disable a repository from a specific registry:

$ docker scout repo disable my/repository --registry 123456.dkr.ecr.us-east-1.amazonaws.com

docker scout repo enable: The docker scout repo enable command enables Docker Scout on repositories.

Examples:

Enable a specific repository:

$ docker scout repo enable my/repository

Enable all repositories of the organization:

$ docker scout repo enable --all

Enable some repositories based on a filter:

$ docker scout repo enable --filter namespace/backend

Enable a repository from a specific registry:

$ docker scout repo enable my/repository --registry 123456.dkr.ecr.us-east-1.amazonaws.com

docker scout repo list: The docker scout repo list command shows all repositories in an organization.

If ORG is not provided the default configured organization will be used.

$ docker scout repo list

👉 docker scout sbom: The docker scout sbom command analyzes a software artifact to generate a Software Bill Of Materials (SBOM).

The SBOM contains a list of all packages in the image. You can use the --format flag to filter the output of the command to display only packages of a specific type.

If no image is specified, the most recently built image is used.

Examples:

Display the list of packages:

$ docker scout sbom --format list alpine

Only display packages of a specific type:

$ docker scout sbom --format list --only-package-type apk alpine

Display the full SBOM in JSON format:

$ docker scout sbom alpine

Display the full SBOM of the most recently built image:

$ docker scout sbom

Write SBOM to a file:

$ docker scout sbom --output alpine.sbom alpine

👉 docker scout version: The docker scout version command is used to display the current version of Docker Scout installed on your system.

Examples:

$ docker scout version

      ⢀⢀⢀             ⣀⣀⡤⣔⢖⣖⢽⢝
   ⡠⡢⡣⡣⡣⡣⡣⡣⡢⡀    ⢀⣠⢴⡲⣫⡺⣜⢞⢮⡳⡵⡹⡅
  ⡜⡜⡜⡜⡜⡜⠜⠈⠈        ⠁⠙⠮⣺⡪⡯⣺⡪⡯⣺
 ⢘⢜⢜⢜⢜⠜               ⠈⠪⡳⡵⣹⡪⠇
 ⠨⡪⡪⡪⠂    ⢀⡤⣖⢽⡹⣝⡝⣖⢤⡀    ⠘⢝⢮⡚       _____                 _
  ⠱⡱⠁    ⡴⡫⣞⢮⡳⣝⢮⡺⣪⡳⣝⢦    ⠘⡵⠁      / ____| Docker        | |
   ⠁    ⣸⢝⣕⢗⡵⣝⢮⡳⣝⢮⡺⣪⡳⣣    ⠁      | (___   ___ ___  _   _| |_
        ⣗⣝⢮⡳⣝⢮⡳⣝⢮⡳⣝⢮⢮⡳            \___ \ / __/ _ \| | | | __|
   ⢀    ⢱⡳⡵⣹⡪⡳⣝⢮⡳⣝⢮⡳⡣⡏    ⡀       ____) | (_| (_) | |_| | |_
  ⢀⢾⠄    ⠫⣞⢮⡺⣝⢮⡳⣝⢮⡳⣝⠝    ⢠⢣⢂     |_____/ \___\___/ \__,_|\__|
  ⡼⣕⢗⡄    ⠈⠓⠝⢮⡳⣝⠮⠳⠙     ⢠⢢⢣⢣
 ⢰⡫⡮⡳⣝⢦⡀              ⢀⢔⢕⢕⢕⢕⠅
 ⡯⣎⢯⡺⣪⡳⣝⢖⣄⣀        ⡀⡠⡢⡣⡣⡣⡣⡣⡃
⢸⢝⢮⡳⣝⢮⡺⣪⡳⠕⠗⠉⠁    ⠘⠜⡜⡜⡜⡜⡜⡜⠜⠈
⡯⡳⠳⠝⠊⠓⠉             ⠈⠈⠈⠈



version: v1.0.9 (go1.21.3 - darwin/arm64)
git commit: 8bf95bf60d084af341f70e8263342f71b0a3cd16

👉 docker scout watch: The docker scout watch command watches repositories in a registry and pushes images or analysis results to Docker Scout.

Options:

--all-images: Push all images instead of only the ones pushed during the watch command is running
--dry-run: Watch images and prepare them, but do not push them

--interval60: Interval in seconds between checks

--org: Namespace of the Docker organization to which image will be pushed

--refresh-registry: Refresh the list of repositories of a registry at every run. Only with --registry.
--registry: Registry to watch

--repository: Repository to watch

--sbomtrue: Create and upload SBOMs

--tag: Regular expression to match tags to watch

--workers3: Number of concurrent workers

Examples:

Watch for new images from two repositories and push them:

$ docker scout watch --org my-org --repository registry-1.example.com/repo-1 --repository registry-2.example.com/repo-2

Only push images with a specific tag:

$ docker scout watch --org my-org --repository registry.example.com/my-service --tag latest

Watch all repositories of a registry:

$ docker scout watch --org my-org --registry registry.example.com

Push all images and not just the new ones:

$ docker scout watch--org my-org --repository registry.example.com/my-service --all-images

Did you find this article valuable?

Support Megha Sharma's Blog by becoming a sponsor. Any amount is appreciated!