Docker Scout is a collection of software supply chain features that provide insights into the composition and security of container images. It analyzes image contents and generates a detailed report of packages and vulnerabilities it detects, providing suggestions for remediation.
How does it work?
Docker Scout is a feature of the Docker Desktop that provides detailed insights into the composition and security of container images. It uses SBOMs to cross-reference with streaming CVE data to surface vulnerabilities (and potential remediation) as soon as possible. An SBOM, or software bill of materials, is a nested inventory, a list of ingredients that make up software components.
Can I run Docker Scout as CLI?
Yes, Docker scout CLI plugin is available by default on Docker Desktop starting with version 4.17.
Docker Scout is available through multiple interfaces, including the Docker Desktop and Docker Hub user interfaces, as well as a web-based user interface and a command-line interface (CLI) plugin. Users can view and interact with Docker Scout through these interfaces to gain a deeper understanding of the composition and security of their container images.
Is it possible to run Docker Scout on my Linux system?
To install, run the following command in your terminal:
curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s --
Manual Installation
Download the docker-scout binary corresponding to your platform from the latest or other releases. Uncompress it & Copy it in your local CLI plugin directory. Finally, you need to make it executable on Linux and macOS
chmod +x $HOME/.docker/cli-plugins/docker-scout
Don’t forget to authorize the binary to be executable on macOS
xattr -d com.apple.quarantine $HOME/.docker/cli-plugins/docker-scout
Integrating Docker Scout with GitHub Actions
GitHub Actions is a powerful CI/CD (Continuous Integration/Continuous Deployment) platform provided by GitHub. It allows developers to automate their workflows, build and test their code, and deploy applications seamlessly. By integrating Docker Scout with GitHub Actions, developers can enhance the security and quality of their containerized applications. In this article, we will explore how to integrate Docker Scout with GitHub Actions step-by-step.
Step 1: Set up a GitHub repository
To get started, create a new GitHub repository or navigate to an existing one where you want to integrate Docker Scout. Make sure you have the necessary permissions to modify the repository’s settings and workflows.
Step 2: Create a GitHub Actions workflow
Inside your repository, navigate to the “.github/workflows” directory (create it if it doesn’t exist). Create a new YAML file, e.g., “docker-scout.yml,” and open it for editing. This file will define your GitHub Actions workflow.
Step 3: Define the workflow trigger
Add the following code to the beginning of your YAML file to define the trigger for the workflow:
name: Docker Scout Integration
on:
push:
branches:
- main
pull_request:
branches:
- '*'
This configuration triggers the workflow on every push to the ‘main’ branch and for any pull request.
Step 4: Set up the workflow environment
Next, you need to define the environment variables required for the workflow. Add the following code to your YAML file:
env:
REGISTRY: docker.io
IMAGE_NAME: ${{ github.repository }}
SHA: ${{ github.event.pull_request.head.sha || github.event.after }}
These environment variables specify the Docker registry, the image name (derived from the repository), and the commit SHA for the pull request or push event.
Step 5: Define the workflow jobs
Inside the YAML file, you can define one or more jobs that will be executed as part of the workflow. For Docker Scout integration, we’ll focus on the ‘build’ job.
jobs:
build:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v3
with:
ref: ${{ env.SHA }}
- name: Setup Docker buildx
uses: docker/setup-buildx-action@v2.5.0
with:
driver-opts: |
image=moby/buildkit:v0.10.6
- name: Log into registry ${{ env.REGISTRY }}
uses: docker/login-action@v2.1.0
with:
registry: ${{ env.REGISTRY }}
username: ${{ secrets.DOCKER_USER }}
password: ${{ secrets.DOCKER_PAT }}
- name: Extract Docker metadata
id: meta
uses: docker/metadata-action@v4.4.0
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
labels: |
org.opencontainers.image.revision=${{ env.SHA }}
tags: |
type=edge,branch=$repo.default_branch
type=semver,pattern=v{{version}}
type=sha,prefix=,suffix=,format=short
- name: Build and push Docker image
id: build-and-push
uses: docker/build-push-action@v4.0.0
with:
context: .
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
- name: Docker Scout
id: docker-scout
if: ${{ github.event_name == 'pull_request' }}
uses: docker/scout-action@dd36f5b0295baffa006aa6623371f226cc03e506
with:
command: cves
image: ${{ steps.meta.outputs.tags }}
only-severities: critical,high
exit-code: true
In this job, the following steps are performed:
- Checking out the repository code.
- Setting up Docker buildx for building multi-arch images.
- Logging into the Docker registry.
- Extracting Docker metadata using the docker/metadata-action.
- Building and pushing the Docker image using the docker/build-push-action.
- Running Docker Scout using the docker/scout-action to scan for CVEs (Common Vulnerabilities and Exposures) in the image.
Note that the Docker Scout step is conditionally executed only for pull requests to avoid unnecessary scans for push events.
Step 6: Save and commit the workflow file
Save the YAML file and commit it to the repository. GitHub Actions will automatically pick up the file and start executing the workflow whenever the defined triggers are met.
Step 7: Configure secrets
To securely authenticate with Docker registries, you need to configure secrets in your GitHub repository. Secrets are encrypted environment variables that can be used in workflows. In this case, you’ll need to set up the following secrets:
DOCKER_USER: The username for the Docker registry.
DOCKER_PAT: The personal access token (PAT) or password for the Docker registry.
To set up the secrets, go to your repository’s settings, navigate to the “Secrets” tab, and add the secrets with their respective values.
Use this workflow file and try it out.
Conclusion
Integrating Docker Scout with GitHub Actions brings enhanced security and software supply chain insights to your CI/CD pipelines. By following the steps outlined in this article, you can seamlessly integrate Docker Scout into your GitHub repository’s workflows. This integration enables the automated scanning of container images for vulnerabilities, ensuring that your applications are built on secure foundations. Embracing this integration can significantly improve the quality and security of your Docker-based projects, providing peace of mind to both developers and end-users.
