diff --git a/docs/docker_scout.yaml b/docs/docker_scout.yaml
index 8dbe295..37b012f 100644
--- a/docs/docker_scout.yaml
+++ b/docs/docker_scout.yaml
@@ -20,6 +20,7 @@ cname:
- docker scout recommendations
- docker scout repo
- docker scout version
+ - docker scout vex
- docker scout watch
clink:
- docker_scout_attestation.yaml
@@ -37,6 +38,7 @@ clink:
- docker_scout_recommendations.yaml
- docker_scout_repo.yaml
- docker_scout_version.yaml
+ - docker_scout_vex.yaml
- docker_scout_watch.yaml
options:
- option: debug
diff --git a/docs/docker_scout_attestation.yaml b/docs/docker_scout_attestation.yaml
index cbe04ad..87f7211 100644
--- a/docs/docker_scout_attestation.yaml
+++ b/docs/docker_scout_attestation.yaml
@@ -1,13 +1,17 @@
command: docker scout attestation
aliases: docker scout attestation, docker scout attest
-short: Manage attestations on image indexes
-long: Manage attestations on image indexes
+short: Manage attestations on images
+long: Manage attestations on images
pname: docker scout
plink: docker_scout.yaml
cname:
- docker scout attestation add
+ - docker scout attestation get
+ - docker scout attestation list
clink:
- docker_scout_attestation_add.yaml
+ - docker_scout_attestation_get.yaml
+ - docker_scout_attestation_list.yaml
inherited_options:
- option: debug
value_type: bool
diff --git a/docs/docker_scout_attestation_get.yaml b/docs/docker_scout_attestation_get.yaml
new file mode 100644
index 0000000..94541b5
--- /dev/null
+++ b/docs/docker_scout_attestation_get.yaml
@@ -0,0 +1,123 @@
+command: docker scout attestation get
+aliases: docker scout attestation get, docker scout attest get
+short: Get attestation for image
+long: The docker scout attestation get command gets attestations for images.
+usage: docker scout attestation get OPTIONS IMAGE [DIGEST]
+pname: docker scout attestation
+plink: docker_scout_attestation.yaml
+options:
+ - option: key
+ value_type: string
+ default_value: https://registry.scout.docker.com/keyring/dhi/latest.pub
+ description: Signature key to use for verification
+ deprecated: false
+ hidden: false
+ experimental: false
+ experimentalcli: false
+ kubernetes: false
+ swarm: false
+ - option: org
+ value_type: string
+ description: Namespace of the Docker organization
+ deprecated: false
+ hidden: false
+ experimental: false
+ experimentalcli: false
+ kubernetes: false
+ swarm: false
+ - option: output
+ shorthand: o
+ value_type: string
+ description: Write the report to a file
+ deprecated: false
+ hidden: false
+ experimental: false
+ experimentalcli: false
+ kubernetes: false
+ swarm: false
+ - option: platform
+ value_type: string
+ description: Platform of image to analyze
+ deprecated: false
+ hidden: false
+ experimental: false
+ experimentalcli: false
+ kubernetes: false
+ swarm: false
+ - option: predicate
+ value_type: bool
+ default_value: "false"
+ description: Get in-toto predicate only dropping the subject
+ deprecated: false
+ hidden: false
+ experimental: false
+ experimentalcli: false
+ kubernetes: false
+ swarm: false
+ - option: predicate-type
+ value_type: string
+ description: Predicate-type for attestation
+ deprecated: false
+ hidden: false
+ experimental: false
+ experimentalcli: false
+ kubernetes: false
+ swarm: false
+ - option: ref
+ value_type: string
+ description: |-
+ Reference to use if the provided tarball contains multiple references.
+ Can only be used with archive
+ deprecated: false
+ hidden: false
+ experimental: false
+ experimentalcli: false
+ kubernetes: false
+ swarm: false
+ - option: skip-tlog
+ value_type: bool
+ default_value: "false"
+ description: Skip signature verification against public transaction log
+ deprecated: false
+ hidden: false
+ experimental: false
+ experimentalcli: false
+ kubernetes: false
+ swarm: false
+ - option: verify
+ value_type: bool
+ default_value: "false"
+ description: Verify the signature on the attestation
+ deprecated: false
+ hidden: false
+ experimental: false
+ experimentalcli: false
+ kubernetes: false
+ swarm: false
+inherited_options:
+ - option: debug
+ value_type: bool
+ default_value: "false"
+ description: Debug messages
+ deprecated: false
+ hidden: true
+ experimental: false
+ experimentalcli: false
+ kubernetes: false
+ swarm: false
+ - option: verbose-debug
+ value_type: bool
+ default_value: "false"
+ description: Verbose debug
+ deprecated: false
+ hidden: true
+ experimental: false
+ experimentalcli: false
+ kubernetes: false
+ swarm: false
+deprecated: false
+experimental: false
+experimentalcli: true
+kubernetes: false
+swarm: false
+
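Review bot: The `verify` option defaults to `"false"` while `key` ships with a default public-key URL, so a reader of this reference cannot tell that `docker scout attestation get` returns an attestation without any signature check unless `--verify` is passed; the option descriptions should state that relationship. Suggested wording: `Signature key to use for verification (only used with --verify)` for `key`, and `Skip signature verification against public transaction log (only meaningful with --verify)` for `skip-tlog` — presumably both are no-ops without `--verify`; confirm against the command implementation before committing the text. The same three options with the same descriptions are added in docs/docker_scout_vex_get.yaml in this commit, and the strings are also emitted into docs/scout_attestation_get.md, so the fix belongs in the generator's flag usage text rather than in these files.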
diff --git a/docs/docker_scout_attestation_list.yaml b/docs/docker_scout_attestation_list.yaml
new file mode 100644
index 0000000..429369d
--- /dev/null
+++ b/docs/docker_scout_attestation_list.yaml
@@ -0,0 +1,96 @@
+command: docker scout attestation list
+aliases: docker scout attestation list, docker scout attest list
+short: List attestations for image
+long: The docker scout attestation list command lists attestations for images.
+usage: docker scout attestation list OPTIONS IMAGE
+pname: docker scout attestation
+plink: docker_scout_attestation.yaml
+options:
+ - option: format
+ value_type: string
+ default_value: list
+ description: |-
+ Output format:
+ - list: list of attestations of the image
+ - json: json representation of the attestation list (default "json")
+ deprecated: false
+ hidden: false
+ experimental: false
+ experimentalcli: false
+ kubernetes: false
+ swarm: false
+ - option: org
+ value_type: string
+ description: Namespace of the Docker organization
+ deprecated: false
+ hidden: false
+ experimental: false
+ experimentalcli: false
+ kubernetes: false
+ swarm: false
+ - option: output
+ shorthand: o
+ value_type: string
+ description: Write the report to a file
+ deprecated: false
+ hidden: false
+ experimental: false
+ experimentalcli: false
+ kubernetes: false
+ swarm: false
+ - option: platform
+ value_type: string
+ description: Platform of image to analyze
+ deprecated: false
+ hidden: false
+ experimental: false
+ experimentalcli: false
+ kubernetes: false
+ swarm: false
+ - option: predicate-type
+ value_type: string
+ description: Predicate-type for attestations
+ deprecated: false
+ hidden: false
+ experimental: false
+ experimentalcli: false
+ kubernetes: false
+ swarm: false
+ - option: ref
+ value_type: string
+ description: |-
+ Reference to use if the provided tarball contains multiple references.
+ Can only be used with archive
+ deprecated: false
+ hidden: false
+ experimental: false
+ experimentalcli: false
+ kubernetes: false
+ swarm: false
+inherited_options:
+ - option: debug
+ value_type: bool
+ default_value: "false"
+ description: Debug messages
+ deprecated: false
+ hidden: true
+ experimental: false
+ experimentalcli: false
+ kubernetes: false
+ swarm: false
+ - option: verbose-debug
+ value_type: bool
+ default_value: "false"
+ description: Verbose debug
+ deprecated: false
+ hidden: true
+ experimental: false
+ experimentalcli: false
+ kubernetes: false
+ swarm: false
+deprecated: false
+experimental: false
+experimentalcli: true
+kubernetes: false
+swarm: false
+
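Review bot: The `format` option declares `default_value: list` but its description ends with `(default "json")`, so the reference contradicts itself and one of the two is wrong. If `list` is the real default, the last description line should read `- json: json representation of the attestation list` with the parenthetical dropped, or the first should read `- list: list of attestations of the image (default)`. The same text is emitted into docs/scout_attestation_list.md by this commit, so the flag usage string in the command source is the place to correct it.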
diff --git a/docs/docker_scout_compare.yaml b/docs/docker_scout_compare.yaml
index efd7ecd..dfcb4cc 100644
--- a/docs/docker_scout_compare.yaml
+++ b/docs/docker_scout_compare.yaml
@@ -95,6 +95,17 @@ options:
experimentalcli: false
kubernetes: false
swarm: false
+ - option: ignore-suppressed
+ value_type: bool
+ default_value: "false"
+ description: |
+ Filter CVEs found in Scout exceptions based on the specified exception scope
+ deprecated: false
+ hidden: false
+ experimental: false
+ experimentalcli: false
+ kubernetes: false
+ swarm: false
- option: ignore-unchanged
value_type: bool
default_value: "false"
@@ -177,6 +188,16 @@ options:
experimentalcli: false
kubernetes: false
swarm: false
+ - option: only-vex-affected
+ value_type: bool
+ default_value: "false"
+ description: Filter CVEs by VEX statements with status not affected
+ deprecated: false
+ hidden: false
+ experimental: false
+ experimentalcli: false
+ kubernetes: false
+ swarm: false
- option: org
value_type: string
description: Namespace of the Docker organization
@@ -264,6 +285,36 @@ options:
experimentalcli: false
kubernetes: false
swarm: false
+ - option: vex
+ value_type: bool
+ default_value: "false"
+ description: Apply VEX statements to filter CVEs
+ deprecated: true
+ hidden: true
+ experimental: false
+ experimentalcli: false
+ kubernetes: false
+ swarm: false
+ - option: vex-author
+ value_type: stringSlice
+ default_value: '[<.*@docker.com>]'
+ description: List of VEX statement authors to accept
+ deprecated: false
+ hidden: false
+ experimental: false
+ experimentalcli: false
+ kubernetes: false
+ swarm: false
+ - option: vex-location
+ value_type: stringSlice
+ default_value: '[]'
+ description: File location of directory or file containing VEX statements
+ deprecated: false
+ hidden: false
+ experimental: false
+ experimentalcli: false
+ kubernetes: false
+ swarm: false
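Review bot: `vex-author` now defaults to `'[<.*@docker.com>]'` rather than `'[]'`, which means VEX statements from any other author are ignored unless the user overrides the flag, yet the description `List of VEX statement authors to accept` says neither that entries are matched as patterns nor that the default restricts acceptance to Docker-authored statements. Suggested description: `List of VEX statement author patterns to accept (default accepts only Docker-authored statements)` — whether the value is a regular expression or a literal `Name <email>` match is not visible here, so confirm against the matcher. The same default change lands in docs/docker_scout_cves.yaml and docs/docker_scout_quickview.yaml in this commit and needs the same description. The deprecated, hidden `vex` bool in this hunk should also tell users what replaces it, e.g. `Apply VEX statements to filter CVEs (deprecated; use --vex-location and --vex-author)`, if that is the intended migration.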
inherited_options:
- option: debug
value_type: bool
diff --git a/docs/docker_scout_cves.yaml b/docs/docker_scout_cves.yaml
index eaef8f8..d7bd9bc 100644
--- a/docs/docker_scout_cves.yaml
+++ b/docs/docker_scout_cves.yaml
@@ -359,7 +359,7 @@ options:
swarm: false
- option: vex-author
value_type: stringSlice
- default_value: '[]'
+ default_value: '[<.*@docker.com>]'
description: List of VEX statement authors to accept
deprecated: false
hidden: false
diff --git a/docs/docker_scout_quickview.yaml b/docs/docker_scout_quickview.yaml
index 4810146..1ff9869 100644
--- a/docs/docker_scout_quickview.yaml
+++ b/docs/docker_scout_quickview.yaml
@@ -147,7 +147,7 @@ options:
swarm: false
- option: vex-author
value_type: stringSlice
- default_value: '[]'
+ default_value: '[<.*@docker.com>]'
description: List of VEX statement authors to accept
deprecated: false
hidden: false
diff --git a/docs/docker_scout_vex.yaml b/docs/docker_scout_vex.yaml
new file mode 100644
index 0000000..f6e9444
--- /dev/null
+++ b/docs/docker_scout_vex.yaml
@@ -0,0 +1,37 @@
+command: docker scout vex
+aliases: docker scout vex, docker scout vex
+short: Manage VEX attestations on images
+long: Manage VEX attestations on images
+pname: docker scout
+plink: docker_scout.yaml
+cname:
+ - docker scout vex get
+clink:
+ - docker_scout_vex_get.yaml
+inherited_options:
+ - option: debug
+ value_type: bool
+ default_value: "false"
+ description: Debug messages
+ deprecated: false
+ hidden: true
+ experimental: false
+ experimentalcli: false
+ kubernetes: false
+ swarm: false
+ - option: verbose-debug
+ value_type: bool
+ default_value: "false"
+ description: Verbose debug
+ deprecated: false
+ hidden: true
+ experimental: false
+ experimentalcli: false
+ kubernetes: false
+ swarm: false
+deprecated: false
+experimental: false
+experimentalcli: true
+kubernetes: false
+swarm: false
+
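Review bot: `aliases` lists the same name twice, `docker scout vex, docker scout vex`, which looks like the attestation pattern (`attestation, attest`) copied without a short alias actually being defined; either drop the duplicate (`aliases: docker scout vex`) or register the intended short alias on the command so the generator emits it. The child reference docs/docker_scout_vex_get.yaml added in this commit has no `aliases` key at all, so the two files are also inconsistent with the `attestation get` reference added alongside them.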
diff --git a/docs/docker_scout_vex_get.yaml b/docs/docker_scout_vex_get.yaml
new file mode 100644
index 0000000..0578806
--- /dev/null
+++ b/docs/docker_scout_vex_get.yaml
@@ -0,0 +1,103 @@
+command: docker scout vex get
+short: Get VEX attestation for image
+long: The docker scout vex get command gets a VEX attestation for images.
+usage: docker scout vex get OPTIONS IMAGE
+pname: docker scout vex
+plink: docker_scout_vex.yaml
+options:
+ - option: key
+ value_type: string
+ default_value: https://registry.scout.docker.com/keyring/dhi/latest.pub
+ description: Signature key to use for verification
+ deprecated: false
+ hidden: false
+ experimental: false
+ experimentalcli: false
+ kubernetes: false
+ swarm: false
+ - option: org
+ value_type: string
+ description: Namespace of the Docker organization
+ deprecated: false
+ hidden: false
+ experimental: false
+ experimentalcli: false
+ kubernetes: false
+ swarm: false
+ - option: output
+ shorthand: o
+ value_type: string
+ description: Write the report to a file
+ deprecated: false
+ hidden: false
+ experimental: false
+ experimentalcli: false
+ kubernetes: false
+ swarm: false
+ - option: platform
+ value_type: string
+ description: Platform of image to analyze
+ deprecated: false
+ hidden: false
+ experimental: false
+ experimentalcli: false
+ kubernetes: false
+ swarm: false
+ - option: ref
+ value_type: string
+ description: |-
+ Reference to use if the provided tarball contains multiple references.
+ Can only be used with archive
+ deprecated: false
+ hidden: false
+ experimental: false
+ experimentalcli: false
+ kubernetes: false
+ swarm: false
+ - option: skip-tlog
+ value_type: bool
+ default_value: "false"
+ description: Skip signature verification against public transaction log
+ deprecated: false
+ hidden: false
+ experimental: false
+ experimentalcli: false
+ kubernetes: false
+ swarm: false
+ - option: verify
+ value_type: bool
+ default_value: "false"
+ description: Verify the signature on the attestation
+ deprecated: false
+ hidden: false
+ experimental: false
+ experimentalcli: false
+ kubernetes: false
+ swarm: false
+inherited_options:
+ - option: debug
+ value_type: bool
+ default_value: "false"
+ description: Debug messages
+ deprecated: false
+ hidden: true
+ experimental: false
+ experimentalcli: false
+ kubernetes: false
+ swarm: false
+ - option: verbose-debug
+ value_type: bool
+ default_value: "false"
+ description: Verbose debug
+ deprecated: false
+ hidden: true
+ experimental: false
+ experimentalcli: false
+ kubernetes: false
+ swarm: false
+deprecated: false
+experimental: false
+experimentalcli: true
+kubernetes: false
+swarm: false
+
diff --git a/docs/docker_scout_watch.yaml b/docs/docker_scout_watch.yaml
index 30b6dbe..2d5368c 100644
--- a/docs/docker_scout_watch.yaml
+++ b/docs/docker_scout_watch.yaml
@@ -1,9 +1,8 @@
command: docker scout watch
short: |
Watch repositories in a registry and push images and indexes to Docker Scout (experimental)
-long: |-
- The `docker scout watch` command watches repositories in a registry
- and pushes images or analysis results to Docker Scout.
+long: |
+ The docker scout watch command watches repositories in a registry and pushes images or image indexes to Docker Scout.
usage: docker scout watch
pname: docker scout
plink: docker_scout.yaml
@@ -129,30 +128,7 @@ inherited_options:
experimentalcli: false
kubernetes: false
swarm: false
-examples: |-
- ### Watch for new images from two repositories and push them
-
- ```console
- $ docker scout watch --org my-org --repository registry-1.example.com/repo-1 --repository registry-2.example.com/repo-2
- ```
-
- ### Only push images with a specific tag
-
- ```console
- $ docker scout watch --org my-org --repository registry.example.com/my-service --tag latest
- ```
-
- ### Watch all repositories of a registry
-
- ```console
- $ docker scout watch --org my-org --registry registry.example.com
- ```
-
- ### Push all images and not just the new ones
-
- ```console
- $ docker scout watch--org my-org --repository registry.example.com/my-service --all-images
- ```
+examples: " Watch for new images from two repositories and push them\n $ docker scout watch --org my-org --repository registry-1.example.com/repo-1 --repository registry-2.example.com/repo-2\e[0m\n\n Only push images with a specific tag\n $ docker scout watch --org my-org --repository registry.example.com/my-service --tag latest\e[0m\n\n Watch all repositories of a registry\n $ docker scout watch --org my-org --registry registry.example.com\e[0m\n\n Push all images and not just the new ones\n $ docker scout watch --org my-org --repository registry.example.com/my-service --all-images\e[0m"
deprecated: false
experimental: false
experimentalcli: true
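Review bot: The `examples` block has been regenerated from a colourised terminal run: the `### ` headings and ```console fences are gone, and each command is followed by the ANSI reset sequence `\e[0m`, which the docs site will render literally. Regenerate with colour output disabled (non-TTY or the generator's no-colour setting) so that `examples: |-` keeps its block-scalar form with headings and fenced code; the only change this hunk should then carry is the fix of the old `docker scout watch--org` typo to `docker scout watch --org`. The `long` rewrite in the first hunk likewise drops the backticks around `docker scout watch` and joins the text into a single `|` line well over 120 columns; keeping `|-` and the original two-line wording avoids both the trailing newline and the overlong line.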
diff --git a/docs/scout.md b/docs/scout.md
index aeac72b..8b9b9e2 100644
--- a/docs/scout.md
+++ b/docs/scout.md
@@ -11,7 +11,7 @@ Command line tool for Docker Scout
| Name | Description |
|:--------------------------------------------------------------|:--------------------------------------------------------------------------------------------|
-| [`attestation`](scout_attestation.md) | Manage attestations on image indexes |
+| [`attestation`](scout_attestation.md) | Manage attestations on images |
| [`cache`](scout_cache.md) | Manage Docker Scout cache and temporary files |
| [`compare`](scout_compare.md) | Compare two images and display differences (experimental) |
| [`config`](scout_config.md) | Manage Docker Scout configuration |
@@ -29,6 +29,7 @@ Command line tool for Docker Scout
| [`sbom`](scout_sbom.md) | Generate or display SBOM of an image |
| [`stream`](scout_stream.md) | Manage streams (experimental) |
| [`version`](scout_version.md) | Show Docker Scout version information |
+| [`vex`](scout_vex.md) | Manage VEX attestations on images |
| [`watch`](scout_watch.md) | Watch repositories in a registry and push images and indexes to Docker Scout (experimental) |
diff --git a/docs/scout_attestation.md b/docs/scout_attestation.md
index d4f6bc5..dc32a6b 100644
--- a/docs/scout_attestation.md
+++ b/docs/scout_attestation.md
@@ -1,7 +1,7 @@
# docker scout attestation
-Manage attestations on image indexes
+Manage attestations on images
### Aliases
@@ -9,9 +9,11 @@ Manage attestations on image indexes
### Subcommands
-| Name | Description |
-|:----------------------------------|:-------------------------|
-| [`add`](scout_attestation_add.md) | Add attestation to image |
+| Name | Description |
+|:------------------------------------|:----------------------------|
+| [`add`](scout_attestation_add.md) | Add attestation to image |
+| [`get`](scout_attestation_get.md) | Get attestation for image |
+| [`list`](scout_attestation_list.md) | List attestations for image |
diff --git a/docs/scout_attestation_get.md b/docs/scout_attestation_get.md
new file mode 100644
index 0000000..0c98a6b
--- /dev/null
+++ b/docs/scout_attestation_get.md
@@ -0,0 +1,26 @@
+# docker scout attestation get
+
+
+Get attestation for image
+
+### Aliases
+
+`docker scout attestation get`, `docker scout attest get`
+
+### Options
+
+| Name | Type | Default | Description |
+|:-------------------|:---------|:-----------------------------------------------------------|:--------------------------------------------------------------------------------------------------------|
+| `--key` | `string` | `https://registry.scout.docker.com/keyring/dhi/latest.pub` | Signature key to use for verification |
+| `--org` | `string` | | Namespace of the Docker organization |
+| `-o`, `--output` | `string` | | Write the report to a file |
+| `--platform` | `string` | | Platform of image to analyze |
+| `--predicate` | | | Get in-toto predicate only dropping the subject |
+| `--predicate-type` | `string` | | Predicate-type for attestation |
+| `--ref` | `string` | | Reference to use if the provided tarball contains multiple references.
Can only be used with archive |
+| `--skip-tlog` | | | Skip signature verification against public transaction log |
+| `--verify` | | | Verify the signature on the attestation |
+
+
+
+
diff --git a/docs/scout_attestation_list.md b/docs/scout_attestation_list.md
new file mode 100644
index 0000000..06b33e1
--- /dev/null
+++ b/docs/scout_attestation_list.md
@@ -0,0 +1,23 @@
+# docker scout attestation list
+
+
+List attestations for image
+
+### Aliases
+
+`docker scout attestation list`, `docker scout attest list`
+
+### Options
+
+| Name | Type | Default | Description |
+|:-------------------|:---------|:--------|:------------------------------------------------------------------------------------------------------------------------------------|
+| `--format` | `string` | `list` | Output format:
- list: list of attestations of the image
- json: json representation of the attestation list (default "json") |
+| `--org` | `string` | | Namespace of the Docker organization |
+| `-o`, `--output` | `string` | | Write the report to a file |
+| `--platform` | `string` | | Platform of image to analyze |
+| `--predicate-type` | `string` | | Predicate-type for attestations |
+| `--ref` | `string` | | Reference to use if the provided tarball contains multiple references.
Can only be used with archive |
+
+
+
+
diff --git a/docs/scout_compare.md b/docs/scout_compare.md
index 569dab6..0461896 100644
--- a/docs/scout_compare.md
+++ b/docs/scout_compare.md
@@ -9,28 +9,32 @@ Compare two images and display differences (experimental)
### Options
-| Name | Type | Default | Description |
-|:----------------------|:--------------|:--------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `-x`, `--exit-on` | `stringSlice` | | Comma separated list of conditions to fail the action step if worse or changed, options are: vulnerability, policy, package |
-| `--format` | `string` | `text` | Output format of the generated vulnerability report:
- text: default output, plain text with or without colors depending on the terminal
- markdown: Markdown output
|
-| `--hide-policies` | | | Hide policy status from the output |
-| `--ignore-base` | | | Filter out CVEs introduced from base image |
-| `--ignore-unchanged` | | | Filter out unchanged packages |
-| `--multi-stage` | | | Show packages from multi-stage Docker builds |
-| `--only-fixed` | | | Filter to fixable CVEs |
-| `--only-package-type` | `stringSlice` | | Comma separated list of package types (like apk, deb, rpm, npm, pypi, golang, etc) |
-| `--only-policy` | `stringSlice` | | Comma separated list of policies to evaluate |
-| `--only-severity` | `stringSlice` | | Comma separated list of severities (critical, high, medium, low, unspecified) to filter CVEs by |
-| `--only-stage` | `stringSlice` | | Comma separated list of multi-stage Docker build stage names |
-| `--only-unfixed` | | | Filter to unfixed CVEs |
-| `--org` | `string` | | Namespace of the Docker organization |
-| `-o`, `--output` | `string` | | Write the report to a file |
-| `--platform` | `string` | | Platform of image to analyze |
-| `--ref` | `string` | | Reference to use if the provided tarball contains multiple references.
Can only be used with archive |
-| `--to` | `string` | | Image, directory, or archive to compare to |
-| `--to-env` | `string` | | Name of environment to compare to |
-| `--to-latest` | | | Latest image processed to compare to |
-| `--to-ref` | `string` | | Reference to use if the provided tarball contains multiple references.
Can only be used with archive. |
+| Name | Type | Default | Description |
+|:----------------------|:--------------|:--------------------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `-x`, `--exit-on` | `stringSlice` | | Comma separated list of conditions to fail the action step if worse or changed, options are: vulnerability, policy, package |
+| `--format` | `string` | `text` | Output format of the generated vulnerability report:
- text: default output, plain text with or without colors depending on the terminal
- markdown: Markdown output
|
+| `--hide-policies` | | | Hide policy status from the output |
+| `--ignore-base` | | | Filter out CVEs introduced from base image |
+| `--ignore-suppressed` | | | Filter CVEs found in Scout exceptions based on the specified exception scope |
+| `--ignore-unchanged` | | | Filter out unchanged packages |
+| `--multi-stage` | | | Show packages from multi-stage Docker builds |
+| `--only-fixed` | | | Filter to fixable CVEs |
+| `--only-package-type` | `stringSlice` | | Comma separated list of package types (like apk, deb, rpm, npm, pypi, golang, etc) |
+| `--only-policy` | `stringSlice` | | Comma separated list of policies to evaluate |
+| `--only-severity` | `stringSlice` | | Comma separated list of severities (critical, high, medium, low, unspecified) to filter CVEs by |
+| `--only-stage` | `stringSlice` | | Comma separated list of multi-stage Docker build stage names |
+| `--only-unfixed` | | | Filter to unfixed CVEs |
+| `--only-vex-affected` | | | Filter CVEs by VEX statements with status not affected |
+| `--org` | `string` | | Namespace of the Docker organization |
+| `-o`, `--output` | `string` | | Write the report to a file |
+| `--platform` | `string` | | Platform of image to analyze |
+| `--ref` | `string` | | Reference to use if the provided tarball contains multiple references.
Can only be used with archive |
+| `--to` | `string` | | Image, directory, or archive to compare to |
+| `--to-env` | `string` | | Name of environment to compare to |
+| `--to-latest` | | | Latest image processed to compare to |
+| `--to-ref` | `string` | | Reference to use if the provided tarball contains multiple references.
Can only be used with archive. |
+| `--vex-author` | `stringSlice` | `[<.*@docker.com>]` | List of VEX statement authors to accept |
+| `--vex-location` | `stringSlice` | | File location of directory or file containing VEX statements |
diff --git a/docs/scout_cves.md b/docs/scout_cves.md
index bdb7f82..e6fd689 100644
--- a/docs/scout_cves.md
+++ b/docs/scout_cves.md
@@ -9,37 +9,37 @@ Display CVEs identified in a software artifact
### Options
-| Name | Type | Default | Description |
-|:-----------------------|:--------------|:-----------|:------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `--details` | | | Print details on default text output |
-| `--env` | `string` | | Name of environment |
-| [`--epss`](#epss) | | | Display the EPSS scores and organize the package's CVEs according to their EPSS score |
-| `--epss-percentile` | `float32` | `0` | Exclude CVEs with EPSS scores less than the specified percentile (0 to 1) |
-| `--epss-score` | `float32` | `0` | Exclude CVEs with EPSS scores less than the specified value (0 to 1) |
-| `-e`, `--exit-code` | | | Return exit code '2' if vulnerabilities are detected |
-| `--format` | `string` | `packages` | Output format of the generated vulnerability report:
- packages: default output, plain text with vulnerabilities grouped by packages
- sarif: json Sarif output
- spdx: json SPDX output
- gitlab: json GitLab output
- markdown: markdown output (including some html tags like collapsible sections)
- sbom: json SBOM output
|
-| `--ignore-base` | | | Filter out CVEs introduced from base image |
-| `--ignore-suppressed` | | | Filter CVEs found in Scout exceptions based on the specified exception scope |
-| `--locations` | | | Print package locations including file paths and layer diff_id |
-| `--multi-stage` | | | Show packages from multi-stage Docker builds |
-| `--only-base` | | | Only show CVEs introduced by the base image |
-| `--only-cisa-kev` | | | Filter to CVEs listed in the CISA KEV catalog |
-| `--only-cve-id` | `stringSlice` | | Comma separated list of CVE ids (like CVE-2021-45105) to search for |
-| `--only-fixed` | | | Filter to fixable CVEs |
-| `--only-metric` | `stringSlice` | | Comma separated list of CVSS metrics (like AV:N or PR:L) to filter CVEs by |
-| `--only-package` | `stringSlice` | | Comma separated regular expressions to filter packages by |
-| `--only-package-type` | `stringSlice` | | Comma separated list of package types (like apk, deb, rpm, npm, pypi, golang, etc) |
-| `--only-severity` | `stringSlice` | | Comma separated list of severities (critical, high, medium, low, unspecified) to filter CVEs by |
-| `--only-stage` | `stringSlice` | | Comma separated list of multi-stage Docker build stage names |
-| `--only-unfixed` | | | Filter to unfixed CVEs |
-| `--only-vex-affected` | | | Filter CVEs by VEX statements with status not affected |
-| `--only-vuln-packages` | | | When used with --format=only-packages ignore packages with no vulnerabilities |
-| `--org` | `string` | | Namespace of the Docker organization |
-| `-o`, `--output` | `string` | | Write the report to a file |
-| `--platform` | `string` | | Platform of image to analyze |
-| `--ref` | `string` | | Reference to use if the provided tarball contains multiple references.
Can only be used with archive |
-| `--vex-author` | `stringSlice` | | List of VEX statement authors to accept |
-| `--vex-location` | `stringSlice` | | File location of directory or file containing VEX statements |
+| Name | Type | Default | Description |
+|:-----------------------|:--------------|:--------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `--details` | | | Print details on default text output |
+| `--env` | `string` | | Name of environment |
+| [`--epss`](#epss) | | | Display the EPSS scores and organize the package's CVEs according to their EPSS score |
+| `--epss-percentile` | `float32` | `0` | Exclude CVEs with EPSS scores less than the specified percentile (0 to 1) |
+| `--epss-score` | `float32` | `0` | Exclude CVEs with EPSS scores less than the specified value (0 to 1) |
+| `-e`, `--exit-code` | | | Return exit code '2' if vulnerabilities are detected |
+| `--format` | `string` | `packages` | Output format of the generated vulnerability report:
- packages: default output, plain text with vulnerabilities grouped by packages
- sarif: json Sarif output
- spdx: json SPDX output
- gitlab: json GitLab output
- markdown: markdown output (including some html tags like collapsible sections)
- sbom: json SBOM output
|
+| `--ignore-base` | | | Filter out CVEs introduced from base image |
+| `--ignore-suppressed` | | | Filter CVEs found in Scout exceptions based on the specified exception scope |
+| `--locations` | | | Print package locations including file paths and layer diff_id |
+| `--multi-stage` | | | Show packages from multi-stage Docker builds |
+| `--only-base` | | | Only show CVEs introduced by the base image |
+| `--only-cisa-kev` | | | Filter to CVEs listed in the CISA KEV catalog |
+| `--only-cve-id` | `stringSlice` | | Comma separated list of CVE ids (like CVE-2021-45105) to search for |
+| `--only-fixed` | | | Filter to fixable CVEs |
+| `--only-metric` | `stringSlice` | | Comma separated list of CVSS metrics (like AV:N or PR:L) to filter CVEs by |
+| `--only-package` | `stringSlice` | | Comma separated regular expressions to filter packages by |
+| `--only-package-type` | `stringSlice` | | Comma separated list of package types (like apk, deb, rpm, npm, pypi, golang, etc) |
+| `--only-severity` | `stringSlice` | | Comma separated list of severities (critical, high, medium, low, unspecified) to filter CVEs by |
+| `--only-stage` | `stringSlice` | | Comma separated list of multi-stage Docker build stage names |
+| `--only-unfixed` | | | Filter to unfixed CVEs |
+| `--only-vex-affected` | | | Filter CVEs by VEX statements with status not affected |
+| `--only-vuln-packages` | | | When used with --format=only-packages ignore packages with no vulnerabilities |
+| `--org` | `string` | | Namespace of the Docker organization |
+| `-o`, `--output` | `string` | | Write the report to a file |
+| `--platform` | `string` | | Platform of image to analyze |
+| `--ref` | `string` | | Reference to use if the provided tarball contains multiple references.
Can only be used with archive |
+| `--vex-author` | `stringSlice` | `[<.*@docker.com>]` | List of VEX statement authors to accept |
+| `--vex-location` | `stringSlice` | | File location of directory or file containing VEX statements |
diff --git a/docs/scout_quickview.md b/docs/scout_quickview.md
index 3bf752a..b7e139d 100644
--- a/docs/scout_quickview.md
+++ b/docs/scout_quickview.md
@@ -9,19 +9,19 @@ Quick overview of an image
### Options
-| Name | Type | Default | Description |
-|:----------------------|:--------------|:--------|:--------------------------------------------------------------------------------------------------------|
-| `--env` | `string` | | Name of the environment |
-| `--ignore-suppressed` | | | Filter CVEs found in Scout exceptions based on the specified exception scope |
-| `--latest` | | | Latest indexed image |
-| `--only-policy` | `stringSlice` | | Comma separated list of policies to evaluate |
-| `--only-vex-affected` | | | Filter CVEs by VEX statements with status not affected |
-| `--org` | `string` | | Namespace of the Docker organization |
-| `-o`, `--output` | `string` | | Write the report to a file |
-| `--platform` | `string` | | Platform of image to analyze |
-| `--ref` | `string` | | Reference to use if the provided tarball contains multiple references.
Can only be used with archive |
-| `--vex-author` | `stringSlice` | | List of VEX statement authors to accept |
-| `--vex-location` | `stringSlice` | | File location of directory or file containing VEX statements |
+| Name | Type | Default | Description |
+|:----------------------|:--------------|:--------------------|:--------------------------------------------------------------------------------------------------------|
+| `--env` | `string` | | Name of the environment |
+| `--ignore-suppressed` | | | Filter CVEs found in Scout exceptions based on the specified exception scope |
+| `--latest` | | | Latest indexed image |
+| `--only-policy` | `stringSlice` | | Comma separated list of policies to evaluate |
+| `--only-vex-affected` | | | Filter CVEs by VEX statements with status not affected |
+| `--org` | `string` | | Namespace of the Docker organization |
+| `-o`, `--output` | `string` | | Write the report to a file |
+| `--platform` | `string` | | Platform of image to analyze |
+| `--ref` | `string` | | Reference to use if the provided tarball contains multiple references.
Can only be used with archive |
+| `--vex-author` | `stringSlice` | `[<.*@docker.com>]` | List of VEX statement authors to accept |
+| `--vex-location` | `stringSlice` | | File location of directory or file containing VEX statements |
diff --git a/docs/scout_vex.md b/docs/scout_vex.md
new file mode 100644
index 0000000..4ac3db0
--- /dev/null
+++ b/docs/scout_vex.md
@@ -0,0 +1,19 @@
+# docker scout vex
+
+
+Manage VEX attestations on images
+
+### Aliases
+
+`docker scout vex`, `docker scout vex`
+
+### Subcommands
+
+| Name | Description |
+|:--------------------------|:------------------------------|
+| [`get`](scout_vex_get.md) | Get VEX attestation for image |
+
+
+
+
+
diff --git a/docs/scout_vex_get.md b/docs/scout_vex_get.md
new file mode 100644
index 0000000..b7c9623
--- /dev/null
+++ b/docs/scout_vex_get.md
@@ -0,0 +1,20 @@
+# docker scout vex get
+
+
+Get VEX attestation for image
+
+### Options
+
+| Name | Type | Default | Description |
+|:-----------------|:---------|:-----------------------------------------------------------|:--------------------------------------------------------------------------------------------------------|
+| `--key` | `string` | `https://registry.scout.docker.com/keyring/dhi/latest.pub` | Signature key to use for verification |
+| `--org` | `string` | | Namespace of the Docker organization |
+| `-o`, `--output` | `string` | | Write the report to a file |
+| `--platform` | `string` | | Platform of image to analyze |
+| `--ref` | `string` | | Reference to use if the provided tarball contains multiple references.
Can only be used with archive |
+| `--skip-tlog` | | | Skip signature verification against public transaction log |
+| `--verify` | | | Verify the signature on the attestation |
+
+
+
+
diff --git a/docs/scout_watch.md b/docs/scout_watch.md
index 2444ce3..6fb14a1 100644
--- a/docs/scout_watch.md
+++ b/docs/scout_watch.md
@@ -49,5 +49,74 @@ $ docker scout watch --org my-org --registry registry.example.com
### Push all images and not just the new ones
```console
-$ docker scout watch--org my-org --repository registry.example.com/my-service --all-images
+$ docker scout watch --org my-org --repository registry.example.com/my-service --all-images
```
+
+### Configure Artifactory integration
+
+The following example creates a web hook endpoint for Artifactory to push new
+image events into:
+
+```console
+$ export DOCKER_SCOUT_ARTIFACTORY_API_USER=user
+$ export DOCKER_SCOUT_ARTIFACTORY_API_PASSWORD=password
+$ export DOCKER_SCOUT_ARTIFACTORY_WEBHOOK_SECRET=foo
+
+$ docker scout watch --registry "type=artifactory,registry=example.jfrog.io,api=https://example.jfrog.io/artifactory,include=*/frontend*,exclude=*/dta/*,repository=docker-local,port=9000,subdomain-mode=true" --refresh-registry
+```
+
+This will launch an HTTP server on port `9000` that will receive all `component` web
+hook events, optionally validating the HMAC signature.
+
+### Configure Harbor integration
+
+The following example creates a web hook endpoint for Harbor to push new image
+events into:
+
+```console
+$ export DOCKER_SCOUT_HARBOR_API_USER=admin
+$ export DOCKER_SCOUT_HARBOR_API_PASSWORD=password
+$ export DOCKER_SCOUT_HARBOR_WEBHOOK_AUTH="token foo"
+
+$ docker scout watch --registry 'type=harbor,registry=demo.goharbor.io,api=https://demo.goharbor.io,include=*/foo/*,exclude=*/bar/*,port=9000' --refresh-registry
+```
+
+This will launch an HTTP server on port `9000` that will receive all `component` web
+hook events, optionally validating the HMAC signature.
+
+### Configure Nexus integration
+
+The following example shows how to configure Sonartype Nexus integration:
+
+```console
+$ export DOCKER_SCOUT_NEXUS_API_USER=admin
+$ export DOCKER_SCOUT_NEXUS_API_PASSWORD=admin124
+
+$ docker scout watch --registry 'type=nexus,registry=localhost:8082,api=http://localhost:8081,include=*/foo/*,exclude=*/bar/*,"repository=docker-test1,docker-test2"' --refresh-registry
+```
+
+This ingests all images and tags in Nexus repositories called `docker-test1`
+and `docker-test2` that match the `*/foo/*` include and `*/bar/*` exclude glob
+pattern.
+
+You can also create a web hook endpoint for Nexus to push new image events into:
+
+```console
+$ export DOCKER_SCOUT_NEXUS_API_USER=admin
+$ export DOCKER_SCOUT_NEXUS_API_PASSWORD=admin124
+$ export DOCKER_SCOUT_NEXUS_WEBHOOK_SECRET=mysecret
+
+$ docker scout watch --registry 'type=nexus,registry=localhost:8082,api=http://localhost:8081,include=*/foo/*,exclude=*/bar/*,"repository=docker-test1,docker-test2",port=9000' --refresh-registry
+```
+
+This will launch an HTTP server on port `9000` that will receive all `component` web
+hook events, optionally validating the HMAC signature.
+
+## Configure integration for other OCI registries
+
+The following example shows how to integrate an OCI registry that implements the
+`_catalog` endpoint:
+
+```console
+$ docker scout watch --registry 'type=oci,registry=registry.example.com,include=*/scout-artifact-registry/*'
+```
\ No newline at end of file