Merge pull request #20229 from dvdksn/scout-overview-pages
scout overview pages
dvdksn authored Jun 24, 2024
2 parents 5871e24 + 64b844c commit ea34ef6
Showing 25 changed files with 218 additions and 81 deletions.
2 changes: 1 addition & 1 deletion content/build/attestations/sbom.md
Original file line number Diff line number Diff line change
Expand Up @@ -226,7 +226,7 @@ $ docker buildx build --attest type=sbom,generator=<image> .
> **Tip**
>
> The Docker Scout SBOM generator is available. See
> [Docker Scout SBOMs](../../scout/sbom.md#attest).
> [Docker Scout SBOMs](/scout/how-tos/view-create-sboms.md).
{ .tip }

## SBOM attestation example
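Review bot: the replacement link in the Tip drops the `#attest` fragment that the old `../../scout/sbom.md#attest` target carried, so readers now land at the top of the how-to page instead of at the attestation section; if `/scout/how-tos/view-create-sboms.md` has an equivalent heading, keep an anchor to it, otherwise the plain page link is fine.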
6 changes: 3 additions & 3 deletions content/desktop/use-desktop/images.md
Expand Up @@ -52,8 +52,8 @@ To inspect an image, select the image row. Inspecting an image displays detailed
- Vulnerabilities found
- Packages inside the image

[Docker Scout](../../scout/index.md) powers this vulnerability information.
For more information about this view, see [Image details view](../../scout/image-details-view.md)
[Docker Scout](/scout/_index.md) powers this vulnerability information.
For more information about this view, see [Image details view](/scout/explore/image-details-view.md)

## Pull the latest image from Docker Hub

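Review bot: the changed line `For more information about this view, see [Image details view](/scout/explore/image-details-view.md)` still ends without a period, as the old line did; since it is being touched, terminate the sentence.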
Expand Down Expand Up @@ -102,4 +102,4 @@ Hovering over an image tag reveals two options:

## Additional resources

- [What is an image?](../../guides/docker-concepts/the-basics/what-is-an-image.md)
- [What is an image?](../../guides/docker-concepts/the-basics/what-is-an-image.md)
2 changes: 1 addition & 1 deletion content/docker-hub/vulnerability-scanning.md
Expand Up @@ -123,7 +123,7 @@ To view the vulnerability report:
![Vulnerability scan details](images/vuln-scan-details.png)

For more information on this view, see
[Image details view](../scout/image-details-view.md).
[Image details view](/scout/explore/image-details-view.md).

### Inspect vulnerabilities

61 changes: 61 additions & 0 deletions content/scout/concepts/s3c.md
@@ -0,0 +1,61 @@
---
title: Software supply chain security
description: Learn about software supply chain security (S3C), what it means, and why it is important.
keywords: docker scout, secure, software, supply, chain, security, sssc, sscs, s3c
---

The term "software supply chain" refers to the end-to-end process of developing
and delivering software, from the development to deployment and maintenance.
Software supply chain security, or "S3C" for short, is the practice for
protecting the components and processes of the supply chain.

S3C is a fundamental change in how organizations approach software security.
Traditionally in the software industry, security and compliance has been mostly
an afterthought, left to the software delivery or release phase. With S3C,
security is integrated into the entire software development lifecycle, from the
inner loop of development and testing, to the outer loop of shipping and
monitoring.

Following industry best practices for software supply chain conduct is
important because it helps organizations protect their software from security
threats, compliance risks, and other vulnerabilities. Implementing a software
supply chain security framework improves visibility, collaboration, and
traceability of a project across stakeholders. This helps organizations detect,
respond to, and remediate threats more effectively.

## Securing the software supply chain

Building a secure software supply chain involves several key steps, such as:

- Identify the software components and dependencies you use to build and run
your applications.
- Automate security testing throughout the software development lifecycle.
- Monitor your software supply chain for security threats.
- Implement security policies that govern how software is built, and the
components it contains.

Managing the software supply chain is a complex task, especially in the modern
day where software is built using multiple components from different sources.
Organizations need to have a clear understanding of the software components
they use, and the security risks associated with them.

## Docker Scout

Docker Scout is a platform designed to help organizations secure their software
supply chain. It provides tools and services for identifying and managing
software assets and policies, and automated remediation of security threats.

Unlike traditional security tools that focus on scheduled, point-in-time scans
at specific stages in the software development lifecycle, Docker Scout uses a
modern event-driven model that spans the entire software supply chain. This
means that when a new vulnerability affecting your images is disclosed, your
updated risk assessment is available within seconds, and earlier in the
development process.

Docker Scout works by analyzing the composition of your images to create a
[Software Bill of Materials (SBOM)](/scout/concepts/sbom.md). The SBOM is
cross-referenced against the security advisories to identify CVEs that affect
your images. Docker Scout integrates with [over 20 different security
advisories](/scout/deep-dive/advisory-db-sources.md), and updates its
vulnerability database in real-time. This ensures that your security posture is
represented using the latest available information.
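Review bot: a few wording issues in the new page: "the practice for protecting" should be "the practice of protecting"; "security and compliance has been mostly an afterthought" needs "have been"; "from the development to deployment" reads better as "from development to deployment"; "in real-time" should be "in real time"; and "best practices for software supply chain conduct" is odd, suggest "best practices for software supply chain security". In the last paragraph, "over 20 different security advisories" should be "advisory sources", which is what the linked `/scout/deep-dive/advisory-db-sources.md` page describes.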
50 changes: 50 additions & 0 deletions content/scout/concepts/sbom.md
@@ -0,0 +1,50 @@
---
title: Software Bill of Materials
description: Learn about Software Bill of Materials (SBOM) and how Docker Scout uses it.
keywords: scout, sbom, software bill of materials, analysis, composition
---

A Bill of Materials (BOM) is a list of materials, parts, and the quantities of
each needed to manufacture a product. For example, a BOM for a computer might
list the motherboard, CPU, RAM, power supply, storage devices, case, and other
components, along with the quantities of each that are needed to build the
computer.

A Software Bill of Materials (SBOM) is a list of all the components that make
up a piece of software. This includes open source and third-party components,
as well as any custom code that has been written for the software. An SBOM is
similar to a BOM for a physical product, but for software.

In the context of software supply chain security, SBOMs can help with
identifying and mitigating security and compliance risks in software. By
knowing exactly what components are used in a piece of software, you can
quickly identify and patch vulnerabilities in your components, or determine if
a component is licensed in a way that is incompatible with your project.

## Contents of an SBOM

An SBOM typically includes the following information:

- The name of the software, such as the name of a library or framework, that
the SBOM describes.
- The version of the software.
- The license under which the software is distributed.
- A list of other components that the software depends on.

## How Docker Scout uses SBOMs

Docker Scout uses SBOMs to determine the components that are used in a Docker
image. When you analyze an image, Docker Scout will either use the SBOM that is
attached to the image (using [attestations](/build/attestations/_index.md)), or
it will generate an SBOM on the fly by analyzing the contents of the image.

The SBOM is cross-referenced with the [advisory database](/scout/deep-dive/advisory-db-sources.md)
to determine if any of the components in the image have known vulnerabilities.

## Additional resources

To learn more about generating SBOMs and how SBOMs are used in Docker Scout,
see:

- [Image analysis in Docker Scout](/scout/explore/analysis.md)
- [View and create SBOMs](/scout/how-tos/view-create-sboms.md)
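Review bot: "An SBOM is similar to a BOM for a physical product, but for software." restates the two sentences before it and can be dropped. In "How Docker Scout uses SBOMs", `Docker Scout will either use the SBOM that is ... or it will generate an SBOM on the fly` should be present tense ("either uses ... or generates") to match the rest of the page.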
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,8 @@ description: More details on the advisory database and CVE-to-package matching s
behind Docker Scout analysis.
keywords: scout, scanning, analysis, vulnerabilities, Hub, supply chain, security, packages, repositories, ecosystem
title: Advisory database sources and matching service
aliases:
/scout/advisory-db-sources/
---

Reliable information sources are key for Docker Scout's ability to
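Review bot: the new `aliases:` entry is written as a bare indented scalar (`/scout/advisory-db-sources/`) rather than a list item, unlike the `- /scout/image-analysis/` and `- /scout/dashboard/` aliases added elsewhere in this PR; write it as `- /scout/advisory-db-sources/` so the front matter is consistently a list.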
Expand Down Expand Up @@ -53,7 +55,7 @@ The database stores the Software Bill of Materials (SBOM) and other metadata abo
When a security advisory has new information about a vulnerability,
your SBOM is cross-referenced with the CVE information to detect how it affects you.

For more details on how image analysis works, see the [image analysis page](./image-analysis.md).
For more details on how image analysis works, see the [image analysis page](/scout/explore/analysis.md).

## Vulnerability matching

Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,8 @@ keywords: |
materials, config, ports, labels, os, registry, timestamp, digest, layers,
architecture, license, dependencies, base image
title: Data collection and storage in Docker Scout
aliases:
/scout/data-handling/
---

Docker Scout's image analysis works by collecting metadata from the container
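Review bot: same front-matter issue as in advisory-db-sources.md: the `aliases:` value `/scout/data-handling/` is a bare scalar, not a list item; write it as `- /scout/data-handling/` to match the other alias entries in this PR.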
Expand Down Expand Up @@ -68,7 +70,7 @@ and packages, and application-level packages such as maven, npm, and so on.
### Environment metadata

If you integrate Docker Scout with your runtime environment via the
[Sysdig integration](./integrations/environment/sysdig.md),
[Sysdig integration](/scout/integrations/environment/sysdig.md),
Docker Scout collects the following data points about your deployments:

- Kubernetes namespace
Expand All @@ -83,7 +85,7 @@ Docker Scout platform; it's only used to run the analysis.

### Provenance

For images with [provenance attestations](../build/attestations/slsa-provenance.md),
For images with [provenance attestations](/build/attestations/slsa-provenance.md),
Docker Scout stores the following data in addition to the SBOM:

- Materials
Original file line number Diff line number Diff line change
Expand Up @@ -6,14 +6,15 @@ description:
keywords: scout, scanning, vulnerabilities, supply chain, security, analysis
aliases:
- /scout/advanced-image-analysis/
- /scout/image-analysis/
---

When you activate image analysis for a repository,
Docker Scout automatically analyzes new images that you push to that repository.

Image analysis extracts the Software Bill of Material (SBOM)
and other image metadata,and evaluates it against vulnerability data from
[security advisories](./advisory-db-sources.md).
[security advisories](/scout/deep-dive/advisory-db-sources.md).

If you run image analysis as a one-off task using the CLI or Docker Desktop,
Docker Scout won't store any data about your image.
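Review bot: the unchanged context just above the changed link reads `and other image metadata,and evaluates it against vulnerability data from` (missing space after the comma) and `Software Bill of Material (SBOM)` (should be "Materials", as the new sbom.md page titles it); since this paragraph is being touched, fix both.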
Expand All @@ -25,19 +26,19 @@ This dynamic evaluation means there's no need to re-analyze images when new CVE

Docker Scout image analysis is available by default for Docker Hub repositories.
You can also integrate third-party registries and other services. To learn more,
see [Integrating Docker Scout with other systems](./integrations/_index.md).
see [Integrating Docker Scout with other systems](/scout/integrations/_index.md).

## Activate Docker Scout on a repository

The free tier of Docker Scout lets you use Docker Scout for up to 3
repositories per Docker organization. You can update your Docker Scout plan if
you need additional repositories, see [Docker Scout
billing](../billing/scout-billing.md).
billing](/billing/scout-billing.md).

Before you can activate image analysis on a repository in a third-party registry,
the registry must be integrated with Docker Scout for your Docker organization.
Docker Hub is integrated by default. For more information, see
See [Container registry integrations](./integrations/_index.md#container-registries)
See [Container registry integrations](/scout/integrations/_index.md#container-registries)

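Review bot: the changed line leaves `Docker Hub is integrated by default. For more information, see` followed by `See [Container registry integrations](/scout/integrations/_index.md#container-registries)`, a doubled "see" with no terminating period; drop the leading "See" on the changed line and end the sentence with a full stop.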
> **Note**
>
Expand Down Expand Up @@ -74,13 +75,13 @@ analysis is activated.
```

Building with the `--provenance=true` and `--sbom=true` flags attaches
[build attestations](../build/attestations/_index.md) to the image. Docker
[build attestations](/build/attestations/_index.md) to the image. Docker
Scout uses attestations to provide more fine-grained analysis results.

> **Note**
>
> The default `docker` driver only supports build attestations if you use the
> [containerd image store](../desktop/containerd.md).
> [containerd image store](/desktop/containerd.md).
3. Go to the [Images page](https://scout.docker.com/reports/images) in the Docker Scout Dashboard.

Expand Down Expand Up @@ -182,13 +183,13 @@ $ docker scout cves --format only-packages --only-vuln-packages \
For more information about these commands and how to use them, refer to the CLI
reference documentation:

- [`docker scout quickview`](../reference/cli/docker/scout/quickview.md)
- [`docker scout cves`](../reference/cli/docker/scout/cves.md)
- [`docker scout quickview`](/reference/cli/docker/scout/quickview.md)
- [`docker scout cves`](/reference/cli/docker/scout/cves.md)

## Vulnerability severity assessment

Docker Scout assigns a severity rating to vulnerabilities based on
vulnerability data from [advisory sources](./advisory-db-sources.md).
vulnerability data from [advisory sources](/scout/deep-dive/advisory-db-sources.md).
Advisories are ranked and prioritized depending on the type of package that's
affected by a vulnerability. For example, if a vulnerability affects an OS
package, the severity level assigned by the distribution maintainer is
Expand Down Expand Up @@ -230,7 +231,7 @@ Image analysis on the Docker Scout platform, and analysis triggered by backgroun
indexing in Docker Desktop, has an image file size limit of 10 GB (uncompressed).
To analyze images larger than that, you can either:

- Attach [SBOM attestations](../build/attestations/sbom.md) at build-time
- Attach [SBOM attestations](/build/attestations/sbom.md) at build-time
- Use the [CLI](#cli) to analyze the image locally

Images analyzed locally with the CLI and images with SBOM attestations
23 changes: 12 additions & 11 deletions content/scout/dashboard.md → content/scout/explore/dashboard.md
Expand Up @@ -6,6 +6,7 @@ title: Dashboard
aliases:
- /scout/reports/
- /scout/web-app/
- /scout/dashboard/
---

The [Docker Scout Dashboard](https://scout.docker.com/) helps you share the
Expand All @@ -17,19 +18,19 @@ vulnerabilities and issues they need to focus on.

## Overview

![A screenshot of the Docker Scout Dashboard overview](./images/dashboard-overview.webp?border=true)
![A screenshot of the Docker Scout Dashboard overview](../images/dashboard-overview.webp?border=true)

The **Overview** tab provides a summary for the repositories in the selected
organization.

At the top of this page, you can select which **Environment** to view.
By default, the most recently pushed images are shown. To learn more about
environments, see [Environment monitoring](./integrations/environment/_index.md).
environments, see [Environment monitoring](/scout/integrations/environment/_index.md).

The **Policy** boxes show your current compliance rating for each policy, and a
trend indication for the selected environment. The trend describes the policy
delta for the most recent images compared to the previous version.
For more information about policies, see [Policy Evaluation](./policy/_index.md).
For more information about policies, see [Policy Evaluation](/scout/policy/_index.md).

The vulnerability chart shows the total number of vulnerabilities for images in
the selected environment over time. You can configure the timescale for the
Expand All @@ -52,14 +53,14 @@ The **Policies** view shows a breakdown of policy compliance for all of the
images in the selected organization and environment. You can use the **Image**
drop-down menu to view a policy breakdown for a specific environment.

For more information about policies, see [Policy Evaluation](./policy/_index.md).
For more information about policies, see [Policy Evaluation](/scout/policy/_index.md).

## Images

The **Images** view shows all images in Scout-enabled repositories for the selected environment.
You can filter the list by selecting a different environment, or by repository name using the text filter.

![Screenshot of the images view](./images/dashboard-images.webp)
![Screenshot of the images view](../images/dashboard-images.webp)

For each repository, the list displays the following details:

Expand All @@ -79,7 +80,7 @@ This view contains two tabs that detail the composition and policy compliance fo
- **Policy status** shows the policy evaluation results for the selected image.
Here you also have links for details about the policy violations.

For more information about policy, see [Policy Evaluation](./policy/_index.md).
For more information about policy, see [Policy Evaluation](/scout/policy/_index.md).

- **Image layers** shows a breakdown of the image analysis results.
You can get a complete view of the vulnerabilities your image contains
Expand All @@ -90,7 +91,7 @@ This view contains two tabs that detail the composition and policy compliance fo
The **Vulnerabilities** view shows a list of all vulnerabilities for images in the organization.
This list includes details about CVE such as the severity and Common Vulnerability Scoring System (CVSS) score,
as well as whether there's a fix version available.
The CVSS score displayed here is the highest score out of all available [sources](./advisory-db-sources.md).
The CVSS score displayed here is the highest score out of all available [sources](/scout/deep-dive/advisory-db-sources.md).

Selecting the links on this page opens the vulnerability details page,
This page is a publicly visible page, and shows detailed information about a CVE.
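Review bot: the unchanged context `Selecting the links on this page opens the vulnerability details page,` followed by `This page is a publicly visible page, ...` is a comma splice; end the first sentence with a period while this section is being edited.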
Expand All @@ -105,7 +106,7 @@ affected by the CVE.
The **Integrations** page lets you create and manage your Docker Scout
integrations, such as environment integrations and registry integrations. For
more information on how to get started with integrations, see
[Integrating Docker Scout with other systems](./integrations/_index.md).
[Integrating Docker Scout with other systems](/scout/integrations/_index.md).

## Settings

Expand All @@ -123,15 +124,15 @@ included in your plan, compare it with other available plans, and change the
plan if you're an organization owner.

For more information about subscription plans, see
[Docker Scout subscriptions and features](../subscription/scout-details.md)
[Docker Scout subscriptions and features](/subscription/scout-details.md)

### Repository settings

When you enable Docker Scout for a repository,
Docker Scout analyzes new tags automatically when you push to that repository.
To enable repositories in Amazon ECR, Azure ACR, or other third-party registries,
you first need to integrate them.
See [Container registry integrations](./integrations/_index.md#container-registries)
See [Container registry integrations](/scout/integrations/_index.md#container-registries)

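Review bot: both changed lines in this hunk end a sentence without a period (`[Docker Scout subscriptions and features](/subscription/scout-details.md)` and `See [Container registry integrations](/scout/integrations/_index.md#container-registries)`); add full stops while touching them.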
### Notification settings

Expand Down Expand Up @@ -184,7 +185,7 @@ The available notification settings are:
notifications using the browser API.

From this page, you can also go to the settings for Team collaboration
integrations, such as the [Slack](./integrations/team-collaboration/slack.md)
integrations, such as the [Slack](/scout/integrations/team-collaboration/slack.md)
integration.

You can also configure your notification settings in Docker Desktop by going