If you missed our webinar “Docker Scout: Live Demo, Insights, and Q&A” — or if you want to watch it again — it’s available on-demand. The audience had more questions than we had time to answer, so we’ve included additional Q&A below.
Many developers — and their employers — are concerned with securing their software supply chain. But what does that mean? Senior Developer Relations Manager Michael Irwin uses a coffee analogy (even though he doesn’t drink coffee himself!). To brew the best cup of coffee, you need many things: clean water, high-quality beans, and good equipment. For the beans and the water, you want assurances that they meet your standards. You might look for beans that have independent certification of their provenance and processing to make sure they are produced sustainably and ethically, for example.
The same concepts apply to producing software. You want to start with trusted content. Using images from Docker Official Images, Docker Verified Publishers, and Docker-Sponsored Open Source lets you know you’re building on a reliable, up-to-date foundation. From those images and your layered software libraries, Docker can build a software bill of materials (SBOM) that you can present to your customers to show exactly what went into making your application. And with Docker Scout, you can automatically check for known vulnerabilities, which helps you find and fix security issues before they reach your customers.
During the webinar, Senior Principal Software Engineer Christian Dupuis demonstrated using Docker Scout. He highlighted how Docker Scout utilizes SBOM and provenance attestation produced by BuildKit. He also showed Docker Scout indicating vulnerabilities by severity. Docker Scout doesn’t stop at showing vulnerabilities, it lets you know where the vulnerability is added to the image and provides suggestions for remediation.
The audience asked great questions during the live Q&A. Since we weren’t able to answer them all during the webinar, we want to take a moment to address them now.
What source does Docker Scout use to determine the CVEs?
Docker Scout gets vulnerability data from approximately 20 advisory sources. This includes Linux distributions and code repository platforms like Debian, Ubuntu, GitHub, GitLab, and other trustworthy providers of advisory metadata.
We constantly cross-reference the SBOM information stored in the Docker Scout system-of-record with advisory data. New vulnerability information is immediately reflected on Docker Desktop, in the Docker Scout CLI, and on scout.docker.com.
How much does Docker Scout cost?
Docker Scout has several different price tiers. You can start for free with up to 3 image repositories; if you need more, we also offer paid plans. The Docker Scout product page has a full comparison to help you pick the right option.
How do I add Docker Scout to my CI pipeline?
The documentation on Docker Scout has a dedicated section on CI integrations.
How can I contribute?
There are several ways you can engage with the product team behind Docker Scout and influence the roadmap:
- For feedback and issues about Docker Scout in the CLI, CI, Docker Desktop or scout.docker.com, open issues at https://github.com/docker/scout-cli.
- Learn more about the Docker Scout Design Partner Program.
What platforms are supported?
Docker Scout works on all supported operating systems. You can use Docker Scout in Docker Desktop version 4.17 or later or log in to scout.docker.com to see information across all of your Docker Hub images. Make sure you keep your Docker Desktop version up to date — we’re adding new features and capabilities in every release.
We also provide a Docker Scout CLI plugin. You can find instructions in the scout-cli GitHub repository.
How do I export a list of vulnerabilities?
You can use the Docker Scout CLI to export vulnerabilities into a SARIF file for further processing or export. You can read more about this in the Docker Engine documentation.
How does Docker Scout help if I’m already using scanning tools?
Docker Scout builds upon a system of record for the entire software development life cycle, so you can integrate it with other tools you use in your software delivery process. Talk to us to learn more.
Get started with Docker Scout
Developers want speed, security, and choice. Docker Scout helps improve developer efficiency and software security by detecting known vulnerabilities early. While it offers remediation suggestions, developers still have the choice in determining the best approach to addressing vulnerabilities. Get started today to see how Docker Scout helps you secure your software supply chain.