Docker scout is misreading base image version number #84
Comments
Thanks for the feedback, we probably need to make it more clear what's happening here and would welcome feedback about how to clarify this further. If you don't build your image with full provenance attestations, Docker Scout cannot know for certain which base image tag you used, and instead makes a best guess on your base image based on the digest, which might be wrong. There are 2 ways around this:
@aelgasser @mikeparker Docker Scout's recommendation might be based on several factors, such as popularity, stability, or fewer detected vulnerabilities in the recommended base image. However, this might not always align with the need to stay on the latest version for features or security patches.
Let me know if the above helps.
I just started looking into docker scout and ran it over one of my Golang based images and found an issue that could be blocking if run in a CI/CD pipeline.
It can be reproduced with this Dockerfile:
As of today (2024-01-09) 1.21-alpine is the latest tag, this is important.
Then use the following command to build an image:
docker build --pull --force-rm -t test_scout:latest .
And finally run docker scout to check for any vulnerability with its various options:
First, out of precaution, clear docker scout's cache with
docker scout cache prune --sboms
Then
docker scout quickview test_scout:latest
gives:

And

docker scout recommendations test_scout:latest

gives:

From what I read here (or maybe I am misinterpreting the result), docker scout seems to suggest I should 'change' my base image to 1.20-alpine, which is older than the 1.21-alpine I use. To me this could create false positives in CI/CD contexts and exceptions to document when we are dealing with customers requesting image audits.
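The maintainer's explanation is that without provenance attestations Scout can only guess the base tag from the digest. The following script is an added example, not code from the issue or from Docker Scout: it rebuilds with full provenance and an SBOM so Scout reads the base image from the attestation, and it adds a small CI gate that refuses a recommended tag whose version is lower than the one in the Dockerfile. It assumes `docker buildx` with the `--provenance` and `--sbom` flags, a Dockerfile whose final `FROM` is `golang:1.21-alpine`, and GNU `sort -V`; the tag Scout recommends is passed in by hand, since its output format is not shown here.

```bash
#!/usr/bin/env bash
# Added example (not from the issue). Helpers are pure text processing and run offline;
# the docker steps only run when RUN_BUILD=1 is set.
set -euo pipefail

# Print the image reference of the last FROM line (the final stage's base in a multi-stage build).
base_ref_from_dockerfile() {
  awk 'toupper($1) == "FROM" { ref = $2 } END { print ref }' "$1"
}

# Numeric version part of a tagged reference: golang:1.21-alpine -> 1.21 (tagged refs assumed).
tag_version() {
  local tag="${1##*:}"        # drop the repository
  printf '%s\n' "${tag%%-*}"  # drop the variant suffix (-alpine, -bookworm, ...)
}

# Exit 0 when the recommended tag is a downgrade of the current one, exit 1 otherwise.
# Uses GNU sort -V for version ordering (1.20 < 1.21 < 1.22).
recommendation_is_downgrade() {
  local cur rec lowest
  cur=$(tag_version "$1")
  rec=$(tag_version "$2")
  [ "$cur" != "$rec" ] || return 1
  lowest=$(printf '%s\n%s\n' "$cur" "$rec" | sort -V | head -n 1)
  [ "$lowest" = "$rec" ]
}

# Build with full provenance and an SBOM so Scout reads the base image from the attestation.
# Attestations survive a local --load only with the containerd image store; otherwise push
# to a registry instead of loading (assumption based on buildx behaviour, not from the issue).
build_with_provenance() {
  docker buildx build --pull --provenance=mode=max --sbom=true --load -t "$1" "$2"
}

main() {
  local image="${IMAGE:-test_scout:latest}" ctx="${CONTEXT:-.}"
  echo "Dockerfile base: $(base_ref_from_dockerfile "$ctx/Dockerfile")"
  build_with_provenance "$image" "$ctx"
  docker scout cache prune --sboms   # same precaution as in the report
  docker scout quickview "$image"
  docker scout recommendations "$image"
}

if [ "${RUN_BUILD:-0}" = "1" ]; then main; fi
```

To gate a pipeline on a recommendation, call `recommendation_is_downgrade golang:1.21-alpine <recommended-tag>` and treat exit 0 as "do not apply this recommendation".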