2nd chunk of `content/manuals/scout/policy/_index.md`
- [Supply Chain Attestations](#supply-chain-attestations)
- [Default Non-Root User](#default-non-root-user)
- [Approved Base Images](#approved-base-images)
- [SonarQube Quality Gates](#sonarqube-quality-gates)

Docker Scout automatically provides default policies for repositories where it
is enabled, except for the SonarQube Quality Gates policy, which requires
[integration with SonarQube](/manuals/scout/integrations/code-quality/sonarqube.md)
before use.

You can create custom policies from any of the supported policy types, or
delete a default policy if it isn't applicable to your project. For more
information, refer to [Configure policies](./configure.md).

<!-- vale Docker.HeadingSentenceCase = NO -->

### Severity-Based Vulnerability

The **Severity-Based Vulnerability** policy type checks whether your
artifacts are exposed to known vulnerabilities.

By default, this policy only flags critical and high severity vulnerabilities
where there's a fix version available. Essentially, this means that there's an
easy fix that you can deploy for images that fail this policy: upgrade the
vulnerable package to a version containing a fix for the vulnerability.

Images are deemed non-compliant with this policy if they contain one or more
vulnerabilities that fall outside the specified policy criteria.

You can configure the parameters of this policy by creating a custom version of the policy.
The following policy parameters are configurable in a custom version:

- **Age**: The minimum number of days since the vulnerability was first published

  The rationale for only flagging vulnerabilities of a certain minimum age is
  that newly discovered vulnerabilities shouldn't cause your evaluations to
  fail until you've had a chance to address them.

<!-- vale Vale.Spelling = NO -->
- **Severities**: Severity levels to consider (default: `Critical, High`)
<!-- vale Vale.Spelling = YES -->

- **Fixable vulnerabilities only**: Whether or not to only report
  vulnerabilities with a fix version available (enabled by default).

- **Package types**: List of package types to consider.

  This option lets you specify the package types, as [PURL package type definitions](https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst),
  that you want to include in the policy evaluation. By default, the policy
  considers all package types.
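To make the four parameters concrete, here is an added example (not Docker Scout's own code) that evaluates a constructed list of findings against the policy semantics described above: only the configured severities count, optionally only findings with a fix version, only findings at least a minimum number of days old, and only packages whose PURL type is in the configured list (an empty list means all types). The CVE identifiers, package URLs and dates are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, List, Optional

# Constructed sample data, not Docker Scout output. The policy semantics follow
# the page; the class and function names are this example's own.

@dataclass(frozen=True)
class Vulnerability:
    cve_id: str                 # constructed placeholder id
    severity: str               # "Critical", "High", "Medium" or "Low"
    published: date             # first publication date
    purl: str                   # package URL of the affected package
    fix_version: Optional[str]  # None when no fixed version exists

@dataclass(frozen=True)
class SeverityPolicy:
    severities: FrozenSet[str] = frozenset({"Critical", "High"})  # page default
    fixable_only: bool = True                                      # page default
    min_age_days: int = 0                                          # "Age" parameter
    package_types: FrozenSet[str] = frozenset()                    # empty = all PURL types

def purl_type(purl: str) -> str:
    """Return the PURL type, e.g. 'deb' for pkg:deb/debian/openssl@3.0.9."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a package URL: {purl}")
    return purl[len("pkg:"):].split("/", 1)[0]

def violations(vulns: List[Vulnerability], policy: SeverityPolicy, today: date) -> List[str]:
    """Return the ids of findings that fall inside the policy criteria."""
    flagged = []
    for v in vulns:
        if v.severity not in policy.severities:
            continue                      # severity not in scope
        if policy.fixable_only and v.fix_version is None:
            continue                      # no fix available, not reported by default
        if (today - v.published).days < policy.min_age_days:
            continue                      # too new: grace period not yet elapsed
        if policy.package_types and purl_type(v.purl) not in policy.package_types:
            continue                      # package type excluded from evaluation
        flagged.append(v.cve_id)
    return flagged

def is_compliant(vulns: List[Vulnerability], policy: SeverityPolicy, today: date) -> bool:
    return not violations(vulns, policy, today)

# Constructed findings for one image; evaluation date is fixed so results are stable.
TODAY = date(2024, 6, 1)
SAMPLE = [
    Vulnerability("CVE-0000-0001", "Critical", TODAY - timedelta(days=30),
                  "pkg:deb/debian/openssl@3.0.9", "3.0.11"),
    Vulnerability("CVE-0000-0002", "High", TODAY - timedelta(days=2),
                  "pkg:npm/lodash@4.17.20", "4.17.21"),
    Vulnerability("CVE-0000-0003", "Critical", TODAY - timedelta(days=100),
                  "pkg:golang/example.com/lib@v1.2.0", None),
    Vulnerability("CVE-0000-0004", "Medium", TODAY - timedelta(days=400),
                  "pkg:deb/debian/zlib@1.2.13", "1.2.14"),
]

if __name__ == "__main__":
    print("default:", violations(SAMPLE, SeverityPolicy(), TODAY))
    print("age>=7d:", violations(SAMPLE, SeverityPolicy(min_age_days=7), TODAY))
    print("include unfixable:", violations(SAMPLE, SeverityPolicy(fixable_only=False), TODAY))
    print("deb only:", violations(SAMPLE, SeverityPolicy(package_types=frozenset({"deb"})), TODAY))
```

Running it shows how each parameter narrows or widens the result set: the default policy reports the two fixable Critical/High findings, an age of 7 days drops the two-day-old one, disabling the fixable-only filter adds the unfixed Critical finding, and restricting package types to `deb` leaves only the Debian package.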

For more information about configuring policies, see [Configure policies](./configure.md).

### Compliant Licenses

The **Compliant Licenses** policy type checks whether your images contain
packages distributed under an inappropriate license. Images are considered
non-compliant if they contain one or more packages with such a license.

You can configure the list of licenses that this policy should look out for,
and add exceptions by specifying an allow-list (in the form of PURLs).
See [Configure policies](./configure.md).
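As an added illustration of the license policy (example code, not Docker Scout's implementation), the following evaluates constructed package data against a list of flagged licenses and a PURL allow-list. It assumes one detail the page does not state: an allow-list entry without a version component matches every version of that package, while an entry with a version matches only that version. Package names, versions and licenses are constructed.

```python
from typing import Dict, List, Optional, Tuple

# Constructed example; the allow-list version-matching rule is an assumption.

def split_purl(purl: str) -> Tuple[str, Optional[str]]:
    """Split a PURL into (base, version), dropping qualifiers and subpath.

    pkg:deb/debian/readline@8.2?arch=amd64 -> ("pkg:deb/debian/readline", "8.2")
    pkg:pypi/some-tool                     -> ("pkg:pypi/some-tool", None)
    """
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a package URL: {purl}")
    core = purl.split("?", 1)[0].split("#", 1)[0]
    if "@" in core:
        base, version = core.rsplit("@", 1)
        return base, version
    return core, None

def is_allow_listed(purl: str, allow_list: List[str]) -> bool:
    base, version = split_purl(purl)
    for entry in allow_list:
        a_base, a_version = split_purl(entry)
        if a_base != base:
            continue
        # Assumption: an entry without a version covers every version.
        if a_version is None or a_version == version:
            return True
    return False

def license_violations(packages: Dict[str, List[str]],
                       flagged_licenses: List[str],
                       allow_list: List[str]) -> List[str]:
    """Return PURLs of packages carrying a flagged license and not excepted."""
    flagged = set(flagged_licenses)
    out = []
    for purl, licenses in packages.items():
        if not flagged.intersection(licenses):
            continue                     # no license of concern
        if is_allow_listed(purl, allow_list):
            continue                     # explicit exception
        out.append(purl)
    return sorted(out)

# Constructed package inventory: PURL -> SPDX license identifiers found
PACKAGES = {
    "pkg:npm/left-pad@1.3.0": ["MIT"],
    "pkg:deb/debian/readline@8.2?arch=amd64": ["GPL-3.0-only"],
    "pkg:pypi/some-tool@2.0": ["AGPL-3.0-only"],
    "pkg:golang/example.com/lib@v1.0.0": ["GPL-3.0-only", "MIT"],
}
FLAGGED = ["GPL-3.0-only", "AGPL-3.0-only"]
ALLOW_LIST = [
    "pkg:pypi/some-tool",                 # every version excepted
    "pkg:golang/example.com/lib@v0.9.0",  # only this version excepted
]

if __name__ == "__main__":
    for purl in license_violations(PACKAGES, FLAGGED, ALLOW_LIST):
        print("non-compliant:", purl)
```

With this input the Debian readline package and the Go library are reported: readline has no exception, and the Go library's exception names a different version. The Python tool is excepted for all versions, and the MIT-only package is never considered.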

### Up-to-Date Base Images

The **Up-to-Date Base Images** policy type checks whether the base images you
use are up-to-date.

Images are considered non-compliant with this policy if the base image tag you
built from now resolves to a different digest than the one recorded in your
image. A digest mismatch means the base image you're using is out of date.

Your images need provenance attestations for this policy to successfully
evaluate. For more information, see [No base image data](#no-base-image-data).

### High-Profile Vulnerabilities

The **High-Profile Vulnerabilities** policy type checks whether your images
contain vulnerabilities from Docker Scout’s curated list. This list is kept
up-to-date with newly disclosed vulnerabilities that are widely recognized to
be risky.

The list includes the following vulnerabilities:

- [CVE-2014-0160 (OpenSSL Heartbleed)](https://scout.docker.com/v/CVE-2014-0160)
- [CVE-2021-44228 (Log4Shell)](https://scout.docker.com/v/CVE-2021-44228)
- [CVE-2023-38545 (cURL SOCKS5 heap buffer overflow)](https://scout.docker.com/v/CVE-2023-38545)
- [CVE-2023-44487 (HTTP/2 Rapid Reset)](https://scout.docker.com/v/CVE-2023-44487)

Title: Docker Scout Policy Types: Vulnerabilities, Licenses, and More
Summary
Docker Scout offers several policy types to enhance supply chain security. The Severity-Based Vulnerability policy flags images with critical or high severity vulnerabilities that have available fixes, configurable by age, severities, fixable status, and package types. The Compliant Licenses policy checks for inappropriate licenses, allowing users to configure a list of prohibited licenses and exceptions via an allow-list. The Up-to-Date Base Images policy verifies base image freshness by comparing the image tag digest, requiring provenance attestations. Lastly, the High-Profile Vulnerabilities policy identifies images containing vulnerabilities from Docker Scout's curated list, like Heartbleed and Log4Shell.