4th chunk of `content/manuals/scout/policy/remediation.md`
  recommendations estimate your base using information from image analysis
  results. The base image version is unknown, but you can manually select the
  version you use in the remediation side panel. This lets Docker Scout evaluate
  whether the base image detected in the image analysis is up-to-date with the
  version you selected.

  https://github.com/docker/docs/pull/18961#discussion_r1447186845
-->

### Provenance attestations available

With provenance attestations added, Docker Scout can correctly detect the base
image version that you're using. The version found in the attestations is
cross-referenced against the current version of the corresponding tag to
determine if it's up-to-date.

If there's a policy violation, the recommended actions show how to update your
base image to the current version of the tag, while also pinning the base image
to a specific digest. For more information, see [Pin base image
versions](/manuals/build/building/best-practices.md#pin-base-image-versions).
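The edit that this recommendation asks for can be checked and reproduced locally before you accept it. The following shell script is an added example, not code from Docker Scout or from these docs: `check_pinned` flags `FROM` lines that reference an image by tag alone (skipping `scratch` and earlier build stages), and `pin_from` appends a digest to a given image reference while keeping the tag readable. The Dockerfile and the digest in the demo are constructed placeholders; a real digest comes from `docker buildx imagetools inspect <image>`.

```shell
#!/bin/sh
# Added example, not Docker's own code: a lint-and-rewrite helper for the
# "pin base image to a digest" recommendation. The Dockerfile and the digest
# used in the demo are constructed placeholders, not real images or digests.

# check_pinned DOCKERFILE
# Prints every FROM line whose image is referenced without @sha256:<digest>
# and returns 1 if any was found. "FROM scratch" and references to an earlier
# build stage (FROM <stage-name>) are not registry images and are skipped.
check_pinned() {
  awk '
    /^[ \t]*[Ff][Rr][Oo][Mm][ \t]/ {
      n = split($0, f, /[ \t]+/)
      img = ""
      for (i = 1; i <= n; i++) {
        # skip the FROM keyword and flags such as --platform=linux/amd64
        if (f[i] == "" || toupper(f[i]) == "FROM" || f[i] ~ /^--/) continue
        img = f[i]
        break
      }
      # remember "AS <name>" so a later "FROM <name>" is not flagged
      for (i = 1; i < n; i++)
        if (toupper(f[i]) == "AS") stages[f[i + 1]] = 1
      if (img == "scratch" || (img in stages)) next
      # pinned means the reference ends in @sha256:<64 hex chars>
      d = index(img, "@sha256:")
      hex = (d == 0) ? "" : substr(img, d + 8)
      if (length(hex) != 64 || hex !~ /^[0-9a-f]+$/) {
        print "unpinned: " $0
        bad = 1
      }
    }
    END { exit bad }
  ' "$1"
}

# pin_from DOCKERFILE IMAGE DIGEST
# Rewrites "FROM [--flags] IMAGE ..." to "FROM [--flags] IMAGE@DIGEST ...",
# keeping the tag for readability. Lines that already carry a digest are
# left untouched. A real DIGEST comes from, for example:
#   docker buildx imagetools inspect IMAGE
pin_from() {
  file="$1"; image="$2"; digest="$3"
  printf '%s\n' "$digest" | grep -Eq '^sha256:[0-9a-f]{64}$' || {
    echo "pin_from: DIGEST must look like sha256:<64 hex chars>" >&2
    return 2
  }
  # escape regex metacharacters in the image reference before using it in sed
  esc=$(printf '%s' "$image" | sed 's/[][\.*^$]/\\&/g')
  sed -E "s#^([[:space:]]*[Ff][Rr][Oo][Mm][[:space:]]+(--[^[:space:]]+[[:space:]]+)*)${esc}([[:space:]]|\$)#\1${image}@${digest}\3#" \
    "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# --- demo on a constructed Dockerfile ---------------------------------------
# Placeholder with the right shape only; not the digest of any real image.
DEMO_DIGEST="sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"

# Multi-stage file mixing flags, a stage reference, scratch and two real bases.
write_sample_dockerfile() {
  cat > "$1" <<'EOF'
FROM --platform=linux/amd64 golang:1.22 AS builder
WORKDIR /src
RUN go build -o /app ./...
FROM scratch AS empty
FROM builder
FROM alpine:3.19
COPY --from=builder /app /app
EOF
}

demo() {
  f="${TMPDIR:-/tmp}/pin-demo.$$"
  write_sample_dockerfile "$f"
  check_pinned "$f" || echo "lint: base images need pinning"
  pin_from "$f" golang:1.22 "$DEMO_DIGEST"
  pin_from "$f" alpine:3.19 "$DEMO_DIGEST"
  check_pinned "$f" && echo "lint: all base images pinned"
  cat "$f"
  rm -f "$f"
}
demo
```

Run `check_pinned Dockerfile` in CI to fail a build that reintroduces a tag-only base image; the `pin_from` rewrite is the same shape of change the Scout pull request makes, so the two do not fight each other.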

### GitHub integration enabled

If you're hosting the source code for your image on GitHub, you can enable the
[GitHub integration](../integrations/source-code-management/github.md). This
integration enables Docker Scout to provide even more useful remediation
advice, and lets you initiate remediation for violations directly from the
Docker Scout Dashboard.

With the GitHub integration enabled, you can use the remediation side panel to
raise a pull request on the GitHub repository of the image. The pull request
automatically updates the base image version in your Dockerfile to the
up-to-date version.

This automated remediation pins your base image to a specific digest, while
helping you stay up-to-date as new versions become available. Pinning the base
image to a digest is important for reproducibility, and helps avoid unwanted
changes from making their way into your supply chain.

For more information about base image pinning, see [Pin base image
versions](/manuals/build/building/best-practices.md#pin-base-image-versions).

<!--
  TODO(dvdksn): no support for the following, yet

  Enabling the GitHub integration also allows Docker Scout to visualize the
  remediation workflow in the Docker Scout Dashboard. Each step, from the pull
  request being raised to the image being deployed to an environment, is
  displayed in the remediation sidebar when inspecting the image.

  https://github.com/docker/docs/pull/18961#discussion_r1447189475
-->

## Supply Chain Attestations remediation

The default **Supply Chain Attestations** policy requires full provenance and
SBOM attestations on images. If your image is missing an attestation, or if an
attestation doesn't contain enough information, the policy is violated.

The recommendations in the remediation side panel guide you to the action you
need to take to address the issue. For example, if your image has a provenance
attestation but the attestation doesn't contain enough information, the
recommendation is to rebuild your image with
[`mode=max`](/manuals/build/metadata/attestations/slsa-provenance.md#max) provenance.
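To catch a missing or thin attestation before the image reaches the policy evaluation, the following shell script is an added example (not Docker's own code): it builds with both attestations, reads them back with `docker buildx imagetools inspect`, and classifies the provenance as none, min or max. The JSON in the demo is constructed. The test for mode=max keys on a `buildConfig` member in the SLSA predicate, which is an assumption about BuildKit's output and not something this page states.

```shell
#!/bin/sh
# Added example, not Docker's own code: build an image with full provenance
# and an SBOM, then classify what `docker buildx imagetools inspect` reports
# so a CI job can fail before Docker Scout does. The JSON in the demo is
# constructed. Assumption (about BuildKit's output, not stated on this page):
# the SLSA predicate carries a "buildConfig" member only when provenance was
# generated with mode=max, so its absence is treated as mode=min.

# build_attested IMAGE
# Builds and pushes IMAGE with a mode=max provenance attestation and an SPDX
# SBOM. Assumes a docker-container builder and push access to the registry;
# both attestations are stored next to the image in the registry.
build_attested() {
  docker buildx build \
    --provenance=mode=max \
    --sbom=true \
    --push -t "$1" .
}

# fetch_attestations IMAGE DIR
# Saves the provenance and SBOM views that buildx can read back from a registry.
fetch_attestations() {
  docker buildx imagetools inspect "$1" --format '{{json .Provenance}}' > "$2/provenance.json"
  docker buildx imagetools inspect "$1" --format '{{json .SBOM}}' > "$2/sbom.json"
}

# provenance_mode PROVENANCE_JSON
# Prints none, min or max and returns 0 only for max, which is what the
# default Supply Chain Attestations policy expects.
provenance_mode() {
  if ! grep -q '"SLSA"' "$1"; then
    echo none; return 1
  fi
  if grep -q '"buildConfig"' "$1"; then   # assumption: emitted only with mode=max
    echo max; return 0
  fi
  echo min; return 1
}

# sbom_present SBOM_JSON -> 0 if an SPDX document came back
sbom_present() {
  grep -q '"SPDX"' "$1"
}

# check_attestations DIR -> 0 only if both requirements are met; otherwise
# prints the rebuild flag that fixes each finding.
check_attestations() {
  ok=0
  mode=$(provenance_mode "$1/provenance.json") || {
    echo "provenance: $mode (rebuild with --provenance=mode=max)"; ok=1; }
  sbom_present "$1/sbom.json" || {
    echo "sbom: missing (rebuild with --sbom=true)"; ok=1; }
  return $ok
}

# --- demo on constructed inspect output -------------------------------------
# write_sample_attestations DIR none|min|max
# Writes constructed stand-ins for the two inspect outputs; only the members
# the checks look at are present.
write_sample_attestations() {
  case "$2" in
    none) printf 'null\n' > "$1/provenance.json"
          printf 'null\n' > "$1/sbom.json" ;;
    min)  printf '{"SLSA":{"buildType":"https://mobyproject.org/buildkit@v1"}}\n' > "$1/provenance.json"
          printf '{"SPDX":{"spdxVersion":"SPDX-2.3","name":"sbom"}}\n' > "$1/sbom.json" ;;
    max)  printf '{"SLSA":{"buildType":"https://mobyproject.org/buildkit@v1","buildConfig":{"llbDefinition":[]}}}\n' > "$1/provenance.json"
          printf '{"SPDX":{"spdxVersion":"SPDX-2.3","name":"sbom"}}\n' > "$1/sbom.json" ;;
  esac
}

demo() {
  d="${TMPDIR:-/tmp}/attest-demo.$$"
  mkdir -p "$d"
  for kind in none min max; do
    write_sample_attestations "$d" "$kind"
    if check_attestations "$d"; then echo "$kind: policy satisfied"; else echo "$kind: policy violated"; fi
  done
  rm -rf "$d"
}
demo
```

For a real image, replace the demo with `fetch_attestations "$IMAGE" "$dir"` followed by `check_attestations "$dir"`; a `min` result means the image was built with the default provenance setting and needs the `mode=max` rebuild the side panel recommends.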
