
Releases: docker/scout-action

v1.16.1

13 Dec 16:17
b23590d

What's Changed

  • Fix in-toto subject digest for the docker scout attestation add command by @cdupuis

v1.16.0

13 Dec 06:30
v1.16.0

What's Changed

  • Add secret scanning to sbom command by @cdupuis
  • Keep original pattern to find nested matches too by @cdupuis
  • Make licenses unique by @cdupuis
  • Print platform in markdown output by @cdupuis
  • Normalize licenses using spdx license list by @cdupuis
  • Updates to make spdx output spec compliant by @cdupuis
  • Check dir exists before creating temp file by @chrispatrick
  • Update Go, crypto module and alpine by @cdupuis
  • Add support for attestations for images from Tanzu Application Catalog by @cdupuis
  • Fix behaviour with multi images in attest cmd by @cdupuis

v1.15.1

10 Nov 18:13
6ac950e

What's Changed

New Contributors

v1.15.0

31 Oct 10:16
e1c0d58

Highlights

  • Add CycloneDX as output format for the sbom cmd
    - name: Docker Scout
      id: docker-scout-environment
      uses: docker/scout-action@v1
      with:
        command: sbom
        image: REF
        format: cyclonedx

Bug Fixes / Improvements

  • Improve reading and caching of attestations with containerd image store.

Contributors

@cdupuis @LaurentGoderre @eunomie @felipecruz91 @dvdksn

v1.14.0

24 Sep 09:38
cc6bf8d

Bug Fixes / Improvements

  • Fix filtering by package in cves command
  • Fix panic when analysing a file system input (with fs:// prefix)

Contributors

@jgdavey @cdupuis @LaurentGoderre @eunomie @felipecruz91

v1.13.0

05 Aug 21:40
e71a6e5

Highlights

  • Add --only-policy filter option to quickview, policy and compare commands.
  • Add --ignore-suppressed filter option to cves and quickview commands to filter out CVEs affected by Scout suppressions.

Bug Fixes / Improvements

  • Use conditional policy name in checks.
  • Enable detection of the Go main module via ldflags.

Contributors

@cdupuis @LaurentGoderre @chrispatrick @felipecruz91

v1.12.0

31 Jul 07:57
d4597e4

Highlights

  • Only display vulnerabilities from the base image:

    uses: docker/scout-action@v1
    with:
      command: cves
      image: [IMAGE]
      only-base: true
  • Account for VEX in quickview command.

    uses: docker/scout-action@v1
    with:
      command: quickview
      image: [IMAGE]
      only-vex-affected: true
      vex-location: ./path/to/my.vex.json
  • Account for VEX in cves command (GitHub Actions).

    uses: docker/scout-action@v1
    with:
      command: cves
      image: [IMAGE]
      only-vex-affected: true
      vex-location: ./path/to/my.vex.json

Bug Fixes / Improvements

  • Update github.com/docker/docker to v26.1.5+incompatible to fix CVE-2024-41110.
  • Update syft to 1.10.0.

Contributors

@cdupuis @LaurentGoderre @felipecruz91

v1.11.0

24 Jul 08:22
c854600

Highlights

  • Filter CVEs listed in the CISA Known Exploited Vulnerabilities catalog.
    uses: docker/scout-action@v1
    with:
      command: cves
      image: [IMAGE]
      only-cisa-kev: true

Bug Fixes / Improvements

  • Allow VEX matching when no subcomponents.
  • Fix panic when attaching an invalid VEX document.
  • Fix SPDX document root.
  • Fix base image detection when image uses SCRATCH as the base image.

Contributors

@cdupuis @LaurentGoderre @felipecruz91

v1.10.0

26 Jun 08:53
fc74943

Bug Fixes / Improvements

  • Fix parsing image references in SPDX statement for images with a digest
  • Support sbom:// prefix for image comparison (fixes #43)
    uses: docker/scout-action@v1
    with:
      command: compare
      image: sbom://image1.json
      to: sbom://image2.json

Contributors

@cdupuis @LaurentGoderre @mcapell @eunomie @chrispatrick @rnorton5432

v1.9.3

28 May 16:08
5dae9c7

Bug Fixes

  • Fix a panic while retrieving cached SBOM

Contributor

@cdupuis