Skip to content

docker scout #199

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 29 commits into
base: main
Choose a base branch
from
Open

docker scout #199

wants to merge 29 commits into from

Conversation

@mathieu-benoit
Copy link
Owner

@mathieu-benoit mathieu-benoit commented Nov 21, 2025
edited
Loading

  • Pre-install docker scout in DevContainer
  • Use docker scout quickview|compare in PR
  • Add --sbom=true --provenance=true in docker build

Before:

docker scout quickview test:local
    ✓ Image stored for indexing
    ✓ Indexed 11 packages
    ✓ Provenance obtained from attestation

    i Base image was auto-detected. To get more accurate results, build images with max-mode provenance attestations.
      Review docs.docker.com ↗ for more information.

  Target   │  test:local    │    0C     0H     0M     1L
    digest │  60c7bf78b862  │

After, with --sbom=true --provenance=true:

docker scout quickview test:local
    ✓ Image stored for indexing
    ✓ SBOM obtained from attestation, 9 packages found
    ✓ Provenance obtained from attestation
    ✓ Pulled

  Target   │  test:local    │    0C     0H     0M     1L
    digest │  96d9021af8df  │

@mathieu-benoit
docker scout
b6b4bcf
@mathieu-benoit
manual installation of docker scout
7839ab8
@mathieu-benoit
docker login in CI
33b50b2
@mathieu-benoit
quickview
3884658
@mathieu-benoit
fix image name
20f5e9c
@mathieu-benoit
manual docker scout command
1371ae0
@mathieu-benoit
Add Docker extensions in DevContainer
0de3d9c
@mathieu-benoit
--sbom=true --provenance=true
3eff192
@mathieu-benoit
Fix make build-container
03668f2
@mathieu-benoit
setup-buildx-action before build
e567199
@mathieu-benoit
test
df24a4e
@mathieu-benoit
make buildx-container
f030187
@mathieu-benoit
docker scout version
cdfed7b
@mathieu-benoit
Fix image name
b91ed17
@mathieu-benoit
buildx --attest type=provenance,mode=max
5469ae7
@mathieu-benoit
local://
b3fb7e5
@mathieu-benoit
local://
7a61524
@mathieu-benoit
--load
88a59cb
@mathieu-benoit
cleanup
9012f65
@mathieu-benoit
Fix docker build
dca5902
@mathieu-benoit
docker images
c6bb604
@mathieu-benoit
load: true
f896de1
@mathieu-benoit
docker/setup-qemu-action
46b31e0
@mathieu-benoit
outputs: type=cacheonly
ab1a14e
@mathieu-benoit
cache-from |to
d7ef335
@mathieu-benoit
load: true
edac8b5
@mathieu-benoit
no multi-arch
7798e63
@mathieu-benoit
"containerd-snapshotter": true
832f810
@mathieu-benoit
Merge branch 'main' into scan-and-compare
32322a9
@mathieu-benoit
Copy link
Owner Author

mathieu-benoit commented Nov 22, 2025

As per https://docs.docker.com/build/ci/github-actions/attestations/#sbom:

Note that adding attestations to an image means you must push the image to a registry directly, as opposed to loading the image to the local image store of the runner. This is because the local image store doesn't support loading images with attestations.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@mathieu-benoit