Docker Scout Commands — Part 1

Megha Sharma

👉 docker scout attest: The docker scout attest command is used to generate and store attestations for container images. Attestations are cryptographic statements that assert facts about a container image, such as the results of a security scan or compliance check.

$ docker scout attest <image> --output <file>

Explanation:

  • <image>: The name of the container image you want to create an attestation for.

  • --output <file>: Specifies the output file where the attestation will be stored.

Example

$ docker scout attest my-app:latest --output attestation.json

This command will analyze the specified container image and generate an attestation that includes details about the image, such as security vulnerabilities and compliance checks. The attestation is then saved in the specified file in JSON format.

The docker scout attest command may include additional options or flags to customize the attestation process. For the most up-to-date and detailed information about available options, it's recommended to refer to the Docker Scout documentation or use the --help flag:

$ docker scout attest --help

👉 docker scout attestation add: The docker scout attestation add command is used to add an attestation to a container image.

Example:

To add a vulnerability scan attestation to an image named my-app:latest:

Create a predicate file (e.g., vuln-scan.json):

{
  "scanResults": {
    "vulnerabilities": [
      {
        "id": "CVE-2021-1234",
        "severity": "HIGH",
        "description": "Example vulnerability"
      }
    ]
  }
}

Run the attestation add command:

$ docker scout attestation add my-app:latest --attestor user@example.com --predicate-type vuln --predicate-path vuln-scan.json

  • docker scout attestation add: Initiates the process to add an attestation to a specified Docker image.

  • my-app:latest: The name and tag of the Docker image to which the attestation is being added.

  • --attestor user@example.com: The entity that is attesting to the information. This could be an email address or another identifier for the entity.

  • --predicate-type vuln: Specifies that the type of attestation being added is related to vulnerabilities.

  • --predicate-path vuln-scan.json: The path to the file containing the predicate data (in this case, the results of a vulnerability scan).

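Options:

--file: File location of attestations to attach

--predicate-type: Predicate-type for attestations

The example above uses --attestor and --predicate-path, which do not appear in this options list; confirm the flags your installed version accepts with docker scout attestation add --help.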

👉 docker scout cache: The docker scout cache command is used to manage the local cache that Docker Scout uses to store data about images and their analysis. This can be useful for improving performance and ensuring that Docker Scout has up-to-date information.

Subcommands:

docker scout cache list: This command lists the current contents of the cache, providing information about what data is stored locally.

$ docker scout cache list

docker scout cache clean: This command is used to clear the cache. It removes all cached data, which can be useful if you want to ensure that Docker Scout re-fetches all information for images.

$ docker scout cache clean

docker scout cache df: The docker scout cache df command is used to display information about the disk usage of the Docker Scout cache. This command provides an overview of how much disk space is being used by the cached data that Docker Scout stores locally.

Docker Scout uses a temporary cache storage for generating image SBOMs. The cache helps avoid regenerating or fetching resources unnecessarily.

The docker scout cache df command shows the cached data on the host. Each cache entry is identified by the digest of the image.

Examples:

List temporary and cache files

$ docker scout cache df

Docker Scout temporary directory to generate SBOMs is located at:
   /var/folders/dw/d6h9w2sx6rv3lzwwgrnx7t5h0000gp/T/docker-scout
   this path can be configured using the DOCKER_SCOUT_CACHE_DIR environment variable


                               Image Digest                               │ Size
──────────────────────────────────────────────────────────────────────────┼────────
  sha256:c41ab5c992deb4fe7e5da09f67a8804a46bd0592bfdf0b1847dde0e0889d2bff │ 21 kB

Total: 21 kB


Docker Scout cached SBOMs are located at:
   /Users/user/.docker/scout/sbom

                           Image Digest                               │ Size of SBOM
──────────────────────────────────────────────────────────────────────────┼───────────────
  sha256:02bb6f428431fbc2809c5d1b41eab5a68350194fb508869a33cb1af4444c9b11 │ 42 kB
  sha256:03fc002fe4f370463a8f04d3a288cdffa861e462fc8b5be44ab62b296ad95183 │ 100 kB
  sha256:088134dd33e4a2997480a1488a41c11abebda465da5cf7f305a0ecf8ed494329 │ 194 kB
  sha256:0b80b2f17aff7ee5bfb135c69d0d6fe34070e89042b7aac73d1abcc79cfe6759 │ 852 kB
  sha256:0c9e8abe31a5f17d84d5c85d3853d2f948a4f126421e89e68753591f1b6fedc5 │ 930 kB
  sha256:0d49cae0723c8d310e413736b5e91e0c59b605ade2546f6e6ef8f1f3ddc76066 │ 510 kB
  sha256:0ef04748d071c2e631bb3edce8f805cb5512e746b682c83fdae6d8c0b243280b │ 1.0 MB
  sha256:13fd22925b638bb7d2131914bb8f8b0f5f582bee364aec682d9e7fe722bb486a │ 42 kB
  sha256:174c41d4fbc7f63e1f2bb7d2f7837318050406f2f27e5073a84a84f18b48b883 │ 115 kB

Total: 4 MB

docker scout cache prune: The docker scout cache prune command removes temporary data and SBOM cache.

By default, docker scout cache prune only deletes temporary data. To delete temporary data and clear the SBOM cache, use the --sboms flag.

Examples:

Delete temporary data

$ docker scout cache prune
? Are you sure to delete all temporary data? Yes
    ✓ temporary data deleted

Delete temporary and cache data

$ docker scout cache prune --sboms
? Are you sure to delete all temporary data and all cached SBOMs? Yes
    ✓ temporary data deleted
    ✓ cached SBOMs deleted

👉 docker scout compare: The docker scout compare command is used to compare the contents and security attributes of two container images. This can help identify differences in vulnerabilities, software dependencies, and other aspects between the images.

The docker scout compare command analyzes two images and displays a comparison.

The intended use of this command is to compare two versions of the same image, for instance a newly built image against the version running in production.

If no image is specified, the most recently built image is used as a comparison target.

The following artifact types are supported:

  • Images

  • OCI layout directories

  • Tarball archives, as created by docker save

  • Local directory or file

By default, the tool expects an image reference, such as:

  • redis

  • curlimages/curl:7.87.0

  • mcr.microsoft.com/dotnet/runtime:7.0

If the artifact you want to analyze is an OCI directory, a tarball archive, a local file or directory, or if you want to control from where the image will be resolved, you must prefix the reference with one of the following:

  • image:// (default) use a local image, or fall back to a registry lookup

  • local:// use an image from the local image store (don't do a registry lookup)

  • registry:// use an image from a registry (don't use a local image)

  • oci-dir:// use an OCI layout directory

  • archive:// use a tarball archive, as created by docker save

  • fs:// use a local directory or file
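
As an added example (not from the original article or from Docker), the shell function below picks an explicit prefix for an artifact, so a CI job never depends on the default image:// behaviour of using a local image and falling back to a registry lookup. The name scout_ref, its mode argument, the rule that filesystem paths must start with /, ./ or ../, and the .tar extension check are assumptions of this example.

```shell
#!/bin/sh
# Added example: map an artifact to an explicit docker scout reference prefix.
# scout_ref and its MODE argument are hypothetical helper names.
#
# scout_ref ARTIFACT [MODE]
#   MODE applies to image names only: "registry" (default) or "local".
scout_ref() {
    artifact=$1
    mode=${2:-registry}
    case $artifact in
        '')
            echo "scout_ref: empty artifact" >&2; return 1 ;;
        *://*)
            # Already prefixed: accept only the prefixes listed above.
            case ${artifact%%://*} in
                image|local|registry|oci-dir|archive|fs)
                    printf '%s\n' "$artifact"; return 0 ;;
            esac
            echo "scout_ref: unsupported prefix: $artifact" >&2; return 1 ;;
        /*|./*|../*)
            # Explicit path (assumption of this example), so an image named
            # "redis" is never confused with a directory named ./redis.
            if [ -f "$artifact/oci-layout" ] && [ -f "$artifact/index.json" ]; then
                # An OCI image layout directory holds these two files.
                printf 'oci-dir://%s\n' "$artifact"
            elif [ -f "$artifact" ] && [ "${artifact%.tar}" != "$artifact" ]; then
                # Assumption: docker save output is stored with a .tar suffix.
                printf 'archive://%s\n' "$artifact"
            elif [ -e "$artifact" ]; then
                printf 'fs://%s\n' "$artifact"
            else
                echo "scout_ref: no such path: $artifact" >&2; return 1
            fi ;;
        *)
            # Image name: force where it is resolved from.
            case $mode in
                local|registry) printf '%s://%s\n' "$mode" "$artifact" ;;
                *) echo "scout_ref: unknown mode: $mode" >&2; return 1 ;;
            esac ;;
    esac
}

# Usage in a pipeline (needs docker scout, so it is not run here):
#   docker scout compare "$(scout_ref namespace/repo:latest local)" \
#       --to "$(scout_ref namespace/repo:latest registry)"
```
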

Examples:

To compare two container images named my-app:v1 and my-app:v2, you would use the following command:

$ docker scout compare my-app:v1 my-app:v2

This command will analyze both images and provide a comparison of their contents, including:

  • Differences in software vulnerabilities.

  • Variances in software dependencies.

  • Any other relevant security attributes or metadata.

Compare the most recently built image to the latest tag:

$ docker scout compare --to namespace/repo:latest

Compare local build to the same tag from the registry:

$ docker scout compare local://namespace/repo:latest --to registry://namespace/repo:latest

Generate a markdown output:

$ docker scout compare --format markdown --to namespace/repo:latest namespace/repo:v1.2.3-pre

Only compare maven packages and only display critical vulnerabilities for maven packages:

$ docker scout compare --only-package-type maven --only-severity critical --to namespace/repo:latest namespace/repo:v1.2.3-pre

Show all policy results for both images:

$ docker scout compare --to namespace/repo:latest namespace/repo:v1.2.3-pre

👉 docker scout config: The docker scout config command allows you to view or modify Docker Scout configuration settings. These settings can include various parameters related to Docker Scout's behavior and functionality.

docker scout config allows you to list, get and set Docker Scout configuration.

List existing configuration:

$ docker scout config
organization=my-org-namespace

Available configuration key:

  • organization: Namespace of the Docker organization to be used by default.

Print configuration value:

$ docker scout config organization
my-org-namespace

Set configuration value:

$ docker scout config organization my-org-namespace
 ✓ Successfully set organization to my-org-namespace