Releases: docker/scout-cli

v1.16.1

13 Dec 17:57
634f6ad

What's Changed

  • Fix in-toto subject digest for the docker scout attestation add command by @cdupuis

v1.16.0

13 Dec 06:35
320f22e

What's Changed

  • Add secret scanning to sbom command by @cdupuis
  • Keep original pattern to find nested matches too by @cdupuis
  • Make licenses unique by @cdupuis
  • Print platform in markdown output by @cdupuis
  • Normalize licenses using spdx license list by @cdupuis
  • Updates to make spdx output spec compliant by @cdupuis
  • Check dir exists before creating temp file by @chrispatrick
  • Update Go, crypto module and alpine by @cdupuis
  • Add support for attestations for images from Tanzu Application Catalog by @cdupuis
  • Fix behaviour with multi images in attest cmd by @cdupuis

v1.15.1

10 Nov 18:09
a0662f0

What's Changed

New Contributors

v1.15.0

31 Oct 10:15
787576d

Highlights

  • Add CycloneDX as output format for the sbom cmd
    $ docker scout sbom --format cyclonedx REF

Bug Fixes / Improvements

  • Support enabling/disabling repositories that were enabled via docker scout push or docker scout watch.
  • Use high-to-low sort order for the cves summary (before/after screenshots omitted).
  • Improve messaging when analysing OCI directories without attestations. Only single-arch images and multi-arch images with attestations are supported; a multi-arch image without attestations is not supported.
  • Improve classifiers and sbom scanner:
    • Add classifier for liquibase lpm
    • Add support for buildkit extra sbom scanner args.
    • Add Rakudo Star/MoarVM binary classifier
    • Add binary classifiers for silverpeas utilities
  • Improve reading and caching of attestations with containerd image store.

Contributors

@cdupuis @LaurentGoderre @eunomie @felipecruz91 @dvdksn

v1.14.0

24 Sep 09:37
01e0b04

Highlights

Bug Fixes / Improvements

  • Fix listing CVEs for dangling images (i.e. local://sha256:...)
  • Fix panic when analysing a file system input, for instance with docker scout cves fs://.

Contributors

@jgdavey @cdupuis @LaurentGoderre @eunomie @felipecruz91

v1.13.0

05 Aug 21:40
8382a0b

Highlights

  • Add --only-policy filter option to quickview, policy and compare commands.
  • Add --ignore-suppressed filter option to cves and quickview commands to filter out CVEs affected by Scout suppressions.

Bug Fixes / Improvements

  • Use conditional policy name in checks.
  • Enable detection of the Go main module via ldflags.

Contributors

@cdupuis @LaurentGoderre @chrispatrick @felipecruz91

v1.12.0

31 Jul 07:56
a115e2e

Highlights

  • Only display vulnerabilities from the base image:

    $ docker scout cves --only-base IMAGE
  • Account for VEX in quickview command (CLI and GitHub Actions).

    $ docker scout quickview IMAGE --only-vex-affected --vex-location ./path/to/my.vex.json

    uses: docker/scout-action@v1
    with:
      command: quickview
      image: [IMAGE]
      only-vex-affected: true
      vex-location: ./path/to/my.vex.json
  • Account for VEX in cves command (GitHub Actions).

    uses: docker/scout-action@v1
    with:
      command: cves
      image: [IMAGE]
      only-vex-affected: true
      vex-location: ./path/to/my.vex.json

Bug Fixes / Improvements

  • Update github.com/docker/docker to v26.1.5+incompatible to fix CVE-2024-41110.
  • Update syft to 1.10.0.

Contributors

@cdupuis @LaurentGoderre @felipecruz91

v1.11.0

24 Jul 08:22
2be4dde

Highlights

  • Filter CVEs listed in the CISA Known Exploited Vulnerabilities catalog.

    $ docker scout cves [IMAGE] --only-cisa-kev
    
    ... (cropped output) ...
    ## Packages and Vulnerabilities
    
    0C     1H     0M     0L  io.netty/netty-codec-http2 4.1.97.Final
    pkg:maven/io.netty/netty-codec-http2@4.1.97.Final
    
    ✗ HIGH CVE-2023-44487  CISA KEV  [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities]
      https://scout.docker.com/v/CVE-2023-44487
      Affected range  : <4.1.100
      Fixed version   : 4.1.100.Final
      CVSS Score      : 7.5
      CVSS Vector     : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
    ... (cropped output) ...
  • Add --dry-run flag for the docker scout push command to process the image without pushing it.

  • Switch to Scout v2 manifest format (application/vnd.scout.manifest.v2+json) using base64-encoded objects.

  • Add new binary classifiers for spiped, swift, eclipse-mosquitto and znc.

Bug Fixes / Improvements

  • Allow VEX matching when no subcomponents.
  • Fix panic when attaching an invalid VEX document.
  • Fix SPDX document root.
  • Fix base image detection when image uses SCRATCH as the base image.

Contributors

@cdupuis @LaurentGoderre @felipecruz91

v1.10.0

26 Jun 08:50
2c263df

Bug Fixes / Improvements

  • Add new classifiers for irssi, Backdrop, CrateDB CLI (Crash), monica, Openliberty, dumb-init, friendica, redmine
  • Fix whitespace-only originator on package breaking buildkit exporters
  • Fix parsing image references in SPDX statement for images with a digest
  • Support sbom:// prefix for image comparison
    $ docker scout compare sbom://image1.json --to sbom://image2.json

Contributors

@cdupuis @LaurentGoderre @mcapell @eunomie @chrispatrick @rnorton5432

v1.9.3

28 May 16:08
1ad496b

Bug Fixes

  • Fix a panic while retrieving cached SBOM

Contributor

@cdupuis