Releases: docker/scout-action
v1.14.0
Bug Fixes / Improvements
- Fix filtering by package in the `cves` command
- Fix panic when analysing a file system input (with the `fs://` prefix)
v1.13.0
Highlights
- Add `--only-policy` filter option to the `quickview`, `policy` and `compare` commands.
- Add `--ignore-suppressed` filter option to the `cves` and `quickview` commands to filter out CVEs affected by Scout suppressions.
Bug Fixes / Improvements
- Use conditional policy name in checks.
- Enable detection of the Go main module via ldflags.
v1.12.0
Highlights
- Only display vulnerabilities from the base image:

  ```yaml
  uses: docker/scout-action@v1
  with:
    command: cves
    image: [IMAGE]
    only-base: true
  ```

- Account for VEX in the `quickview` command:

  ```yaml
  uses: docker/scout-action@v1
  with:
    command: quickview
    image: [IMAGE]
    only-vex-affected: true
    vex-location: ./path/to/my.vex.json
  ```

- Account for VEX in the `cves` command (GitHub Actions):

  ```yaml
  uses: docker/scout-action@v1
  with:
    command: cves
    image: [IMAGE]
    only-vex-affected: true
    vex-location: ./path/to/my.vex.json
  ```
Bug Fixes / Improvements
- Update `github.com/docker/docker` to `v26.1.5+incompatible` to fix CVE-2024-41110.
- Update syft to 1.10.0.
v1.11.0
Highlights
- Filter CVEs listed in the CISA Known Exploited Vulnerabilities catalog:

  ```yaml
  uses: docker/scout-action@v1
  with:
    command: cves
    image: [IMAGE]
    only-cisa-kev: true
  ```
Bug Fixes / Improvements
- Allow VEX matching when no subcomponents.
- Fix panic when attaching an invalid VEX document.
- Fix SPDX document root.
- Fix base image detection when image uses SCRATCH as the base image.
v1.10.0
Bug Fixes / Improvements
- Fix parsing image references in SPDX statement for images with a digest
- Support the `sbom://` prefix for image comparison (fixes #43):

  ```yaml
  uses: docker/scout-action@v1
  with:
    command: compare
    image: sbom://image1.json
    to: sbom://image2.json
  ```
v1.9.3
v1.9.1
v1.8.0
Highlights
- Add new `attestation-add` command to GHA

  This can be used to add VEX documents to images, for instance. See the documentation on how to suppress image vulnerabilities with VEX.

  ```yaml
  uses: docker/scout-action@v1
  with:
    command: attestation-add
    image: IMAGE
    file: in-toto.vex.json
    predicate-type: https://openvex.dev/ns/v0.2.0
  ```
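The following workflow is an added example, not part of the release notes or the docker/scout-action project: it ties the `attestation-add` command above to the `only-vex-affected` filter from v1.12.0 by writing a constructed OpenVEX statement, attaching it to an image as an attestation, and then rescanning so that CVEs the statement marks `not_affected` drop out of the report. The image reference, registry, CVE id and PURL are placeholders; it is assumed that `attestation-add` pushes the attestation to the registry (hence the login step), that `file` takes the bare OpenVEX predicate when `predicate-type` is set, and that `cves` picks up the attached statement without a `vex-location`.

```yaml
# Added example: attach an OpenVEX statement and rescan honouring it.
# All identifiers below are placeholders, not real advisories or images.
name: scout-vex

on:
  workflow_dispatch:

permissions:
  contents: read
  packages: write   # needed so the attestation can be pushed to ghcr.io

env:
  # Placeholder image reference; replace with the image you scanned.
  IMAGE: ghcr.io/example-org/example-app:1.2.3

jobs:
  vex:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Assumption: attestation-add writes to the registry, so authenticate first.
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # Constructed OpenVEX document. CVE-2024-0000 is a placeholder id and the
      # PURL must name the exact product the image is built from.
      - name: Write OpenVEX statement
        run: |
          cat > in-toto.vex.json <<'EOF'
          {
            "@context": "https://openvex.dev/ns/v0.2.0",
            "@id": "https://example.org/vex/2024-001",
            "author": "security@example.org",
            "timestamp": "2024-08-01T00:00:00Z",
            "version": 1,
            "statements": [
              {
                "vulnerability": { "name": "CVE-2024-0000" },
                "products": [
                  { "@id": "pkg:oci/example-app?repository_url=ghcr.io/example-org/example-app&tag=1.2.3" }
                ],
                "status": "not_affected",
                "justification": "vulnerable_code_not_in_execute_path"
              }
            ]
          }
          EOF

      # Attach the statement to the image as an OpenVEX attestation.
      - name: Attach VEX as attestation
        uses: docker/scout-action@v1
        with:
          command: attestation-add
          image: ${{ env.IMAGE }}
          file: in-toto.vex.json
          predicate-type: https://openvex.dev/ns/v0.2.0

      # Assumption: with the attestation in place, only-vex-affected filters out
      # the CVE marked not_affected; a vex-location input would also work.
      - name: Report only VEX-affected CVEs
        uses: docker/scout-action@v1
        with:
          command: cves
          image: ${{ env.IMAGE }}
          only-vex-affected: true
```

Keep the `justification` value to one of the OpenVEX-defined ones; a `not_affected` status without a valid justification is not a usable suppression, and a statement whose `products` entry does not match the scanned image is silently ignored, so check that the filtered report actually shrinks.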
Bug Fixes / Improvements
- Improve format of EPSS score and percentile
  - Before:

    ```
    EPSS Score      : 0.000440
    EPSS Percentile : 0.092510
    ```

  - After:

    ```
    EPSS Score      : 0.04%
    EPSS Percentile : 9th percentile
    ```

- Fix `cves` command when used to analyse a local file system with a markdown output
v1.7.0
Highlights
- Allow specifying the format (`json`, `list`, `spdx`) and an output file on the `sbom` command:

  ```yaml
  uses: docker/scout-action@v1
  with:
    command: sbom
    image: alpine
    format: list
    output: alpine_package_list.txt
  ```
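The following workflow is an added example, not part of the release notes or the docker/scout-action project: it combines the `sbom` command's `format`/`output` inputs above with the `sbom://` input to `compare` from v1.10.0, so that two image tags are exported once and diffed offline from the saved files. Image names are placeholders; it is assumed that SPDX JSON written by `format: spdx` is accepted as `sbom://` input and that the images are publicly pullable (add a registry login step if yours are not).

```yaml
# Added example: export SBOMs of two tags and diff them from the saved files.
# Image references are placeholders.
name: scout-sbom-diff

on:
  workflow_dispatch:

permissions:
  contents: read

jobs:
  diff:
    runs-on: ubuntu-latest
    steps:
      # Assumption: SPDX JSON from `format: spdx` is valid sbom:// input.
      - name: Export SBOM of the previous release
        uses: docker/scout-action@v1
        with:
          command: sbom
          image: ghcr.io/example-org/example-app:1.2.2
          format: spdx
          output: previous.spdx.json

      - name: Export SBOM of the release candidate
        uses: docker/scout-action@v1
        with:
          command: sbom
          image: ghcr.io/example-org/example-app:1.2.3
          format: spdx
          output: candidate.spdx.json

      # Human-readable package list of the candidate, as in the release note above.
      - name: Export candidate package list
        uses: docker/scout-action@v1
        with:
          command: sbom
          image: ghcr.io/example-org/example-app:1.2.3
          format: list
          output: candidate_package_list.txt

      # Compare from the saved SBOMs; no image pull is needed at this step.
      - name: Compare candidate against previous release
        uses: docker/scout-action@v1
        with:
          command: compare
          image: sbom://candidate.spdx.json
          to: sbom://previous.spdx.json

      # Keep the SBOMs with the run so the diff can be reproduced later.
      - name: Archive SBOMs
        uses: actions/upload-artifact@v4
        with:
          name: sboms
          path: |
            *.spdx.json
            candidate_package_list.txt
```

Exporting the SBOM once and reusing it through `sbom://` also means later comparisons are pinned to what was actually scanned, rather than to whatever a mutable tag points at when the workflow reruns.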
Bug Fixes / Improvements
- Fix adding an attestation (such as VEX statements) to a private image
- Fix image processing for `scratch` "images"
- Add classifier for Joomla