Merge pull request #20229 from dvdksn/scout-overview-pages
scout overview pages
Showing 25 changed files with 218 additions and 81 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,61 @@ | ||
--- | ||
title: Software supply chain security | ||
description: Learn about software supply chain security (S3C), what it means, and why it is important. | ||
keywords: docker scout, secure, software, supply, chain, security, sssc, sscs, s3c | ||
--- | ||
|
||
The term "software supply chain" refers to the end-to-end process of developing | ||
and delivering software, from the development to deployment and maintenance. | ||
Software supply chain security, or "S3C" for short, is the practice for | ||
protecting the components and processes of the supply chain. | ||
|
||
S3C is a fundamental change in how organizations approach software security. | ||
Traditionally in the software industry, security and compliance has been mostly | ||
an afterthought, left to the software delivery or release phase. With S3C, | ||
security is integrated into the entire software development lifecycle, from the | ||
inner loop of development and testing, to the outer loop of shipping and | ||
monitoring. | ||
|
||
Following industry best practices for software supply chain conduct is | ||
important because it helps organizations protect their software from security | ||
threats, compliance risks, and other vulnerabilities. Implementing a software | ||
supply chain security framework improves visibility, collaboration, and | ||
traceability of a project across stakeholders. This helps organizations detect, | ||
respond to, and remediate threats more effectively. | ||
|
||
## Securing the software supply chain | ||
|
||
Building a secure software supply chain involves several key steps, such as: | ||
|
||
- Identify the software components and dependencies you use to build and run | ||
your applications. | ||
- Automate security testing throughout the software development lifecycle. | ||
- Monitor your software supply chain for security threats. | ||
- Implement security policies that govern how software is built, and the | ||
components it contains. | ||
|
||
Managing the software supply chain is a complex task, especially in the modern | ||
day where software is built using multiple components from different sources. | ||
Organizations need to have a clear understanding of the software components | ||
they use, and the security risks associated with them. | ||
|
||
## Docker Scout | ||
|
||
Docker Scout is a platform designed to help organizations secure their software | ||
supply chain. It provides tools and services for identifying and managing | ||
software assets and policies, and automated remediation of security threats. | ||
|
||
Unlike traditional security tools that focus on scheduled, point-in-time scans | ||
at specific stages in the software development lifecycle, Docker Scout uses a | ||
modern event-driven model that spans the entire software supply chain. This | ||
means that when a new vulnerability affecting your images is disclosed, your | ||
updated risk assessment is available within seconds, and earlier in the | ||
development process. | ||
|
||
Docker Scout works by analyzing the composition of your images to create a | ||
[Software Bill of Materials (SBOM)](/scout/concepts/sbom.md). The SBOM is | ||
cross-referenced against the security advisories to identify CVEs that affect | ||
your images. Docker Scout integrates with [over 20 different security | ||
advisories](/scout/deep-dive/advisory-db-sources.md), and updates its | ||
vulnerability database in real-time. This ensures that your security posture is | ||
represented using the latest available information. |
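Review bot: several sentences in this hunk need grammar fixes before merge. "from the development to deployment and maintenance" (line 35) should read "from development to deployment and maintenance"; "the practice for protecting" (lines 36-37) should be "the practice of protecting"; and "security and compliance has been mostly an afterthought" (lines 41-42) takes a plural verb, "have been". On line 48, "industry best practices for software supply chain conduct" is vague; since the paragraph is about protecting the chain, "software supply chain security" matches the rest of the page. Separately, "updates its vulnerability database in real-time" (lines 96-97) should be "in real time" when used adverbially, and the claim that "your updated risk assessment is available within seconds" (line 88) is a strong guarantee for an overview page; consider softening to "shortly after disclosure" unless the product documentation elsewhere commits to that latency.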
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,50 @@ | ||
--- | ||
title: Software Bill of Materials | ||
description: Learn about Software Bill of Materials (SBOM) and how Docker Scout uses it. | ||
keywords: scout, sbom, software bill of materials, analysis, composition | ||
--- | ||
|
||
A Bill of Materials (BOM) is a list of materials, parts, and the quantities of | ||
each needed to manufacture a product. For example, a BOM for a computer might | ||
list the motherboard, CPU, RAM, power supply, storage devices, case, and other | ||
components, along with the quantities of each that are needed to build the | ||
computer. | ||
|
||
A Software Bill of Materials (SBOM) is a list of all the components that make | ||
up a piece of software. This includes open source and third-party components, | ||
as well as any custom code that has been written for the software. An SBOM is | ||
similar to a BOM for a physical product, but for software. | ||
|
||
In the context of software supply chain security, SBOMs can help with | ||
identifying and mitigating security and compliance risks in software. By | ||
knowing exactly what components are used in a piece of software, you can | ||
quickly identify and patch vulnerabilities in your components, or determine if | ||
a component is licensed in a way that is incompatible with your project. | ||
|
||
## Contents of an SBOM | ||
|
||
An SBOM typically includes the following information: | ||
|
||
- The name of the software, such as the name of a library or framework, that | ||
the SBOM describes. | ||
- The version of the software. | ||
- The license under which the software is distributed. | ||
- A list of other components that the software depends on. | ||
|
||
## How Docker Scout uses SBOMs | ||
|
||
Docker Scout uses SBOMs to determine the components that are used in a Docker | ||
image. When you analyze an image, Docker Scout will either use the SBOM that is | ||
attached to the image (using [attestations](/build/attestations/_index.md)), or | ||
it will generate an SBOM on the fly by analyzing the contents of the image. | ||
|
||
The SBOM is cross-referenced with the [advisory database](/scout/deep-dive/advisory-db-sources.md) | ||
to determine if any of the components in the image have known vulnerabilities. | ||
|
||
## Additional resources | ||
|
||
To learn more about generating SBOMs and how SBOMs are used in Docker Scout, | ||
see: | ||
|
||
- [Image analysis in Docker Scout](/scout/explore/analysis.md) | ||
- [View and create SBOMs](/scout/how-tos/view-create-sboms.md) |
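Review bot: the behaviour described on lines 148-150 deserves one more sentence, because it is the security-relevant detail of this page: when an SBOM attestation is attached to the image, Scout uses it instead of inspecting the image contents, so the accuracy of the vulnerability results depends on that attestation being complete and matching what was actually built. A short note on when readers should prefer build-time attestations (with a link to the existing attestations page already referenced on line 149) versus on-the-fly generation would make this concrete. Minor style points: "SBOMs can help with identifying and mitigating" (lines 124-125) reads better as "SBOMs help identify and mitigate"; "Docker Scout will either use ... or it will generate" (lines 148-150) can drop the future tense, "Docker Scout either uses ... or generates"; and the closing sentence of the second paragraph (lines 120-121, "An SBOM is similar to a BOM for a physical product, but for software") repeats the opening paragraph's analogy and can be removed.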