scout-cli/docs/docker_scout_cves.yaml at ae39d729ca0dd2681f790dfc0ff3a0433a1b51e7 · docker/scout-cli · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
command: docker scout cves
short: Display CVEs identified in a software artifact
long: |-
    The docker scout cves command analyzes a software artifact for vulnerabilities.

    If no image is specified, the most recently built image is used.

    The following artifact types are supported:

    - Images
    - OCI layout directories
    - Tarball archives, as created by docker save
    - Local directory or file
    - SPDX file or in-toto attestation file with SPDX predicate

    The tool analyzes the provided software artifact, and generates a vulnerability report.

    By default, the tool expects an image reference, such as:

    - redis
    - curlimages/curl:7.87.0
    - mcr.microsoft.com/dotnet/runtime:7.0

    If the artifact you want to analyze is an OCI directory, a tarball archive, a local file or directory,
    or if you want to control from where the image will be resolved, you must prefix the reference with one of the following:

    - image:// (default) use a local image, or fall back to a registry lookup
    - local:// use an image from the local image store (don't do a registry lookup)
    - registry:// use an image from a registry (don't use a local image)
    - oci-dir:// use an OCI layout directory
    - archive:// use a tarball archive, as created by docker save
    - fs:// use a local directory or file
    - sbom:// use an SBOM as SPDX file or in-toto attestation file with SPDX predicate or syft json SBOM file
usage: docker scout cves [OPTIONS] [IMAGE|DIRECTORY|ARCHIVE]
pname: docker scout
plink: docker_scout.yaml
options:
    - option: details
      value_type: bool
      default_value: "false"
      description: Print details on default text output
      deprecated: false
      hidden: false
      experimental: false
      experimentalcli: false
      kubernetes: false
      swarm: false
    - option: env
      value_type: string
      description: Name of environment
      deprecated: false
      hidden: false
      experimental: false
      experimentalcli: false
      kubernetes: false
      swarm: false
    - option: epss
      value_type: bool
      default_value: "false"
      description: |
        Display the EPSS scores and organize the package's CVEs according to their EPSS score
      deprecated: false
      hidden: false
      experimental: false
      experimentalcli: false
      kubernetes: false
      swarm: false
    - option: epss-percentile
      value_type: float32
      default_value: "0"
      description: |
        Exclude CVEs with EPSS scores less than the specified percentile (0 to 1)
      deprecated: false
      hidden: false
      experimental: false
      experimentalcli: false
      kubernetes: false
      swarm: false
    - option: epss-score
      value_type: float32
      default_value: "0"
      description: |
        Exclude CVEs with EPSS scores less than the specified value (0 to 1)
      deprecated: false
      hidden: false
      experimental: false
      experimentalcli: false
      kubernetes: false
      swarm: false
    - option: exit-code
      shorthand: e
      value_type: bool
      default_value: "false"
      description: Return exit code '2' if vulnerabilities are detected
      deprecated: false
      hidden: false
      experimental: false
      experimentalcli: false
      kubernetes: false
      swarm: false
    - option: format
      value_type: string
      default_value: packages
      description: |-
        Output format of the generated vulnerability report:
        - packages: default output, plain text with vulnerabilities grouped by packages
        - sarif: json Sarif output
        - spdx: json SPDX output
        - gitlab: json GitLab output
        - markdown: markdown output (including some html tags like collapsible sections)
        - sbom: json SBOM output
      deprecated: false
      hidden: false
      experimental: false
      experimentalcli: false
      kubernetes: false
      swarm: false
    - option: ignore-base
      value_type: bool
      default_value: "false"
      description: Filter out CVEs introduced from base image
      deprecated: false
      hidden: false
      experimental: false
      experimentalcli: false
      kubernetes: false
      swarm: false
    - option: ignore-suppressed
      value_type: bool
      default_value: "false"
      description: |
        Filter CVEs found in Scout exceptions based on the specified exception scope
      deprecated: false
      hidden: false
      experimental: false
      experimentalcli: false
      kubernetes: false
      swarm: false
    - option: local
      value_type: bool
      default_value: "false"
      description: Local mode
      deprecated: false
      hidden: true
      experimental: false
      experimentalcli: false
      kubernetes: false
      swarm: false
    - option: local-vulndb
      value_type: string
      description: Local vulnerability database
      deprecated: false
      hidden: true
      experimental: false
      experimentalcli: false
      kubernetes: false
      swarm: false
    - option: locations
      value_type: bool
      default_value: "false"
      description: Print package locations including file paths and layer diff_id
      deprecated: false
      hidden: false
      experimental: false
      experimentalcli: false
      kubernetes: false
      swarm: false
    - option: multi-stage
      value_type: bool
      default_value: "false"
      description: Show packages from multi-stage Docker builds
      deprecated: false
      hidden: false
      experimental: false
      experimentalcli: false
      kubernetes: false
      swarm: false
    - option: only-base
      value_type: bool
      default_value: "false"
      description: Only show CVEs introduced by the base image
      deprecated: false
      hidden: false
      experimental: false
      experimentalcli: false
      kubernetes: false
      swarm: false
    - option: only-cisa-kev
      value_type: bool
      default_value: "false"
      description: Filter to CVEs listed in the CISA KEV catalog
      deprecated: false
      hidden: false
      experimental: false
      experimentalcli: false
      kubernetes: false
      swarm: false
    - option: only-cve-id
      value_type: stringSlice
      default_value: '[]'
      description: |
        Comma separated list of CVE ids (like CVE-2021-45105) to search for
      deprecated: false
      hidden: false
      experimental: false
      experimentalcli: false
      kubernetes: false
      swarm: false
    - option: only-fixed
      value_type: bool
      default_value: "false"
      description: Filter to fixable CVEs
      deprecated: false
      hidden: false
      experimental: false
      experimentalcli: false
      kubernetes: false
      swarm: false
    - option: only-metric
      value_type: stringSlice
      default_value: '[]'
      description: |
        Comma separated list of CVSS metrics (like AV:N or PR:L) to filter CVEs by
      deprecated: false
      hidden: false
      experimental: false
      experimentalcli: false
      kubernetes: false
      swarm: false
    - option: only-package
      value_type: stringSlice
      default_value: '[]'
      description: Comma separated regular expressions to filter packages by
      deprecated: false
      hidden: false
      experimental: false
      experimentalcli: false
      kubernetes: false
      swarm: false
    - option: only-package-type
      value_type: stringSlice
      default_value: '[]'
      description: |
        Comma separated list of package types (like apk, deb, rpm, npm, pypi, golang, etc)
      deprecated: false
      hidden: false
      experimental: false
      experimentalcli: false
      kubernetes: false
      swarm: false
    - option: only-severity
      value_type: stringSlice
      default_value: '[]'
      description: |
        Comma separated list of severities (critical, high, medium, low, unspecified) to filter CVEs by
      deprecated: false
      hidden: false
      experimental: false
      experimentalcli: false
      kubernetes: false
      swarm: false
    - option: only-stage
      value_type: stringSlice
      default_value: '[]'
      description: Comma separated list of multi-stage Docker build stage names
      deprecated: false
      hidden: false
      experimental: false
      experimentalcli: false
      kubernetes: false
      swarm: false
    - option: only-unfixed
      value_type: bool
      default_value: "false"
      description: Filter to unfixed CVEs
      deprecated: false
      hidden: false
      experimental: false
      experimentalcli: false
      kubernetes: false
      swarm: false
    - option: only-vex-affected
      value_type: bool
      default_value: "false"
      description: Filter CVEs by VEX statements with status not affected
      deprecated: false
      hidden: false
      experimental: false
      experimentalcli: false
      kubernetes: false
      swarm: false
    - option: only-vuln-packages
      value_type: bool
      default_value: "false"
      description: |
        When used with --format=only-packages ignore packages with no vulnerabilities
      deprecated: false
      hidden: false
      experimental: false
      experimentalcli: false
      kubernetes: false
      swarm: false
    - option: org
      value_type: string
      description: Namespace of the Docker organization
      deprecated: false
      hidden: false
      experimental: false
      experimentalcli: false
      kubernetes: false
      swarm: false
    - option: output
      shorthand: o
      value_type: string
      description: Write the report to a file
      deprecated: false
      hidden: false
      experimental: false
      experimentalcli: false
      kubernetes: false
      swarm: false
    - option: platform
      value_type: string
      description: Platform of image to analyze
      deprecated: false
      hidden: false
      experimental: false
      experimentalcli: false
      kubernetes: false
      swarm: false
    - option: ref
      value_type: string
      description: |-
        Reference to use if the provided tarball contains multiple references.
        Can only be used with archive
      deprecated: false
      hidden: false
      experimental: false
      experimentalcli: false
      kubernetes: false
      swarm: false
    - option: stream
      value_type: string
      description: Name of stream
      deprecated: true
      hidden: true
      experimental: false
      experimentalcli: false
      kubernetes: false
      swarm: false
    - option: vex
      value_type: bool
      default_value: "false"
      description: Apply VEX statements to filter CVEs
      deprecated: true
      hidden: true
      experimental: false
      experimentalcli: false
      kubernetes: false
      swarm: false
    - option: vex-author
      value_type: stringSlice
      default_value: '[<.*@docker.com>]'
      description: List of VEX statement authors to accept
      deprecated: false
      hidden: false
      experimental: false
      experimentalcli: false
      kubernetes: false
      swarm: false
    - option: vex-location
      value_type: stringSlice
      default_value: '[]'
      description: File location of directory or file containing VEX statements
      deprecated: false
      hidden: false
      experimental: false
      experimentalcli: false
      kubernetes: false
      swarm: false
inherited_options:
    - option: debug
      value_type: bool
      default_value: "false"
      description: Debug messages
      deprecated: false
      hidden: true
      experimental: false
      experimentalcli: false
      kubernetes: false
      swarm: false
    - option: verbose-debug
      value_type: bool
      default_value: "false"
      description: Verbose debug
      deprecated: false
      hidden: true
      experimental: false
      experimentalcli: false
      kubernetes: false
      swarm: false
examples: "  Display vulnerabilities for the most recently built image\n  $ docker scout cves\e[0m\n\n  Display vulnerabilities grouped by package\n  $ docker scout cves alpine\e[0m\n\n  Display vulnerabilities from a docker save tarball\n  $ docker save alpine > alpine.tar\e[0m\n  $ docker scout cves archive://alpine.tar\e[0m\n\n  Display vulnerabilities from an OCI directory\n  $ skopeo copy --override-os linux docker://alpine oci:alpine\e[0m\n  $ docker scout cves oci-dir://alpine\e[0m\n\n  Display vulnerabilities from the current directory\n  $ docker scout cves fs://.\e[0m\n\n  Export vulnerabilities to a SARIF JSON file\n  $ docker scout cves --format sarif --output alpine.sarif.json alpine\e[0m\n\n  Markdown output, including HTML tags. To be used in Pull Request comments for instance.\n  $ docker scout cves --format markdown alpine\e[0m\n\n  List all Go packages of the image that are vulnerable\n  $ docker scout cves --format only-packages --only-package-type golang --only-vuln-packages golang:1.18.0\e[0m\n\n  List vulnerabilities from an SPDX file\n  $ syft -o spdx-json alpine | docker scout cves sbom://\e[0m"
deprecated: false
experimental: false
experimentalcli: false
kubernetes: false
swarm: false