- [Supply Chain Attestations](#supply-chain-attestations)
- [Default Non-Root User](#default-non-root-user)
- [Approved Base Images](#approved-base-images)
- [SonarQube Quality Gates](#sonarqube-quality-gates)
Docker Scout automatically provides default policies for repositories where it
is enabled, except for the SonarQube Quality Gates policy, which requires
[integration with SonarQube](/manuals/scout/integrations/code-quality/sonarqube.md)
before use.
You can create custom policies from any of the supported policy types, or
delete a default policy if it isn't applicable to your project. For more
information, refer to [Configure policies](./configure.md).
<!-- vale Docker.HeadingSentenceCase = NO -->
### Severity-Based Vulnerability
The **Severity-Based Vulnerability** policy type checks whether your
artifacts are exposed to known vulnerabilities.
By default, this policy only flags critical and high severity vulnerabilities
where there's a fix version available. Essentially, this means that there's an
easy fix that you can deploy for images that fail this policy: upgrade the
vulnerable package to a version containing a fix for the vulnerability.
Images are deemed non-compliant with this policy if they contain one or more
vulnerabilities that match the policy criteria (by default: critical or high
severity, with a fix version available).
You can change the criteria by creating a custom version of the policy. The
following policy parameters are configurable in a custom version:
- **Age**: The minimum number of days since the vulnerability was first
published. Vulnerabilities younger than this are ignored, so that a newly
disclosed vulnerability doesn't cause your evaluations to fail before you've
had a chance to address it.
<!-- vale Vale.Spelling = NO -->
- **Severities**: Severity levels to consider (default: `Critical, High`)
<!-- vale Vale.Spelling = YES -->
- **Fixable vulnerabilities only**: Whether or not to only report
vulnerabilities with a fix version available (enabled by default).
- **Package types**: List of package types to consider.
This option lets you specify the package types, as [PURL package type definitions](https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst),
that you want to include in the policy evaluation. By default, the policy
considers all package types.
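To make the interaction of these four parameters concrete, here is an added example (written for this page, not Docker Scout's own evaluation code) that applies them to a constructed list of findings. The `Finding` and `PolicyParams` shapes, the sample `CVE-EXAMPLE-*` identifiers and the dates are all assumptions; the filtering order mirrors the parameter descriptions above:

```python
"""Evaluate a severity-based vulnerability policy over an image's findings.

Example code for illustration only; it is not Docker Scout's implementation.
Field names, the sample findings and the CVE-EXAMPLE-* identifiers are
constructed for this example.
"""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Finding:
    cve: str                       # constructed identifier, not a real CVE
    severity: str                  # CRITICAL, HIGH, MEDIUM, LOW
    published: date                # first publication date of the advisory
    purl: str                      # package URL of the affected package
    fix_version: Optional[str]     # None when no fixed version exists


@dataclass(frozen=True)
class PolicyParams:
    """The configurable parameters of the policy, with the documented defaults."""
    severities: FrozenSet[str] = frozenset({"CRITICAL", "HIGH"})
    fixable_only: bool = True
    min_age_days: int = 0          # 0 = flag vulnerabilities regardless of age
    package_types: Optional[FrozenSet[str]] = None   # None = all PURL types


def purl_type(purl: str) -> str:
    """Return the PURL type: 'deb' for 'pkg:deb/debian/openssl@3.0.11-1'."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a package URL: {purl}")
    return purl[len("pkg:"):].split("/", 1)[0]


def violates(finding: Finding, params: PolicyParams, today: date) -> bool:
    """True if this finding counts against the policy under these parameters."""
    if finding.severity.upper() not in params.severities:
        return False
    if params.fixable_only and finding.fix_version is None:
        return False
    # Age gate: too-recent disclosures are ignored until min_age_days has passed.
    if (today - finding.published).days < params.min_age_days:
        return False
    if params.package_types is not None and purl_type(finding.purl) not in params.package_types:
        return False
    return True


def evaluate(findings: List[Finding], params: PolicyParams, today: date) -> List[str]:
    """Return the identifiers of the findings that make the image non-compliant."""
    return [f.cve for f in findings if violates(f, params, today)]


# Constructed sample data: evaluation date and four findings of mixed shape.
TODAY = date(2024, 3, 1)
SAMPLE_FINDINGS = [
    Finding("CVE-EXAMPLE-0001", "CRITICAL", date(2024, 1, 10),
            "pkg:deb/debian/openssl@3.0.11-1", "3.0.13-1"),       # old, fixable
    Finding("CVE-EXAMPLE-0002", "HIGH", date(2024, 2, 28),
            "pkg:npm/lodash@4.17.20", None),                     # no fix yet
    Finding("CVE-EXAMPLE-0003", "MEDIUM", date(2023, 12, 1),
            "pkg:golang/golang.org/x/net@0.10.0", "0.17.0"),      # below severity
    Finding("CVE-EXAMPLE-0004", "HIGH", date(2024, 2, 20),
            "pkg:npm/express@4.18.1", "4.19.2"),                  # 10 days old
]

if __name__ == "__main__":
    print("default policy:  ", evaluate(SAMPLE_FINDINGS, PolicyParams(), TODAY))
    print("age >= 14 days:  ", evaluate(SAMPLE_FINDINGS, PolicyParams(min_age_days=14), TODAY))
    print("include unfixed: ", evaluate(SAMPLE_FINDINGS, PolicyParams(fixable_only=False), TODAY))
    print("npm only:        ", evaluate(SAMPLE_FINDINGS, PolicyParams(package_types=frozenset({"npm"})), TODAY))
```

With the defaults only the two fixable critical/high findings are reported; raising the age threshold to 14 days drops the ten-day-old one, disabling `fixable_only` adds the finding with no fix, and restricting package types to `npm` keeps only the npm finding.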
For more information about configuring policies, see [Configure policies](./configure.md).
### Compliant Licenses
The **Compliant Licenses** policy type checks whether your images contain
packages distributed under an inappropriate license. Images are considered
non-compliant if they contain one or more packages with such a license.
You can configure the list of licenses that this policy should look out for,
and add exceptions by specifying an allow-list (in the form of PURLs).
See [Configure policies](./configure.md).
### Up-to-Date Base Images
The **Up-to-Date Base Images** policy type checks whether the base images you
use are up-to-date.
Images are considered non-compliant with this policy if the base image tag you
built from now resolves to a different digest than the one recorded for your
image. A digest mismatch means a newer image has been pushed to that tag, so
the base image you're using is out of date.
Your images need provenance attestations for this policy to successfully
evaluate. For more information, see [No base image data](#no-base-image-data).
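As an added illustration of the check this policy performs (example code written for this page, not Docker Scout's implementation), the following reads the base image that a provenance attestation records and compares its pinned digest with what the same tag resolves to now. The provenance document is constructed and modelled on the SLSA v0.2 predicate that BuildKit emits; the assumption that the `docker/dockerfile` frontend material should be excluded, and the dictionary standing in for a registry lookup, are both assumptions:

```python
"""Check whether the base image recorded in a provenance attestation is still current.

Example code for illustration only; not Docker Scout's implementation. The
provenance document and the digests are constructed, and resolve_tag() is a
stand-in for a real registry query (for instance
`docker buildx imagetools inspect <tag>`).
"""
import json
from typing import Callable, Dict, List
from urllib.parse import unquote

# Constructed in-toto statement with a SLSA v0.2 predicate. BuildKit lists the
# Dockerfile frontend and every base image as "materials"; the digest of each
# material is what the build actually consumed.
SAMPLE_PROVENANCE = json.dumps({
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "predicate": {
        "materials": [
            {"uri": "pkg:docker/docker/dockerfile@1?platform=linux%2Famd64",
             "digest": {"sha256": "1" * 64}},
            {"uri": "pkg:docker/alpine@3.19?platform=linux%2Famd64",
             "digest": {"sha256": "a" * 64}},
        ]
    },
})

# Constructed stand-in for what a registry returns for the tag today.
CURRENT_TAG_DIGESTS = {"alpine:3.19": "b" * 64}


def parse_docker_purl(uri: str) -> Dict[str, str]:
    """Split 'pkg:docker/<name>@<tag>?platform=...' into its parts."""
    prefix = "pkg:docker/"
    if not uri.startswith(prefix):
        raise ValueError(f"not a docker PURL: {uri}")
    body, _, query = uri[len(prefix):].partition("?")
    name, _, tag = body.partition("@")
    platform = ""
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key == "platform":
            platform = unquote(value)
    return {"name": name, "tag": tag, "platform": platform}


def base_images(statement: str, frontend_name: str = "docker/dockerfile") -> List[Dict[str, str]]:
    """Return every base image material, excluding the Dockerfile frontend (assumed)."""
    materials = json.loads(statement)["predicate"]["materials"]
    result = []
    for material in materials:
        if not material["uri"].startswith("pkg:docker/"):
            continue
        info = parse_docker_purl(material["uri"])
        if info["name"] == frontend_name:
            continue
        info["digest"] = material["digest"]["sha256"]
        result.append(info)
    return result


def check_base_images(statement: str, resolve_tag: Callable[[str], str]) -> List[Dict[str, object]]:
    """Compare each recorded base image digest with the tag's current digest."""
    report = []
    for base in base_images(statement):
        ref = f"{base['name']}:{base['tag']}"
        current = resolve_tag(ref)
        report.append({
            "ref": ref,
            "platform": base["platform"],
            "built_from": base["digest"],
            "current": current,
            "up_to_date": current == base["digest"],
        })
    return report


def resolve_from_table(ref: str) -> str:
    """Stand-in resolver using the constructed table above."""
    return CURRENT_TAG_DIGESTS[ref]


if __name__ == "__main__":
    for entry in check_base_images(SAMPLE_PROVENANCE, resolve_from_table):
        state = "up to date" if entry["up_to_date"] else "OUT OF DATE"
        print(f"{entry['ref']} ({entry['platform']}): {state}")
```

In this constructed case `alpine:3.19` now resolves to a different digest than the build consumed, so the image fails the policy; rebuilding against the tag would pull the newer base and make it compliant again.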
### High-Profile Vulnerabilities
The **High-Profile Vulnerabilities** policy type checks whether your images
contain vulnerabilities from Docker Scout’s curated list. This list is kept
up-to-date with newly disclosed vulnerabilities that are widely recognized to
be risky.
The list includes the following vulnerabilities:
- [CVE-2014-0160 (OpenSSL Heartbleed)](https://scout.docker.com/v/CVE-2014-0160)
- [CVE-2021-44228 (Log4Shell)](https://scout.docker.com/v/CVE-2021-44228)
- [CVE-2023-38545 (cURL SOCKS5 heap buffer overflow)](https://scout.docker.com/v/CVE-2023-38545)
- [CVE-2023-44487 (HTTP/2 Rapid Reset)](https://scout.docker.com/v/CVE-2023-44487)