3rd chunk of `content/manuals/scout/policy/remediation.md`
are listed as **Quick fixes**. Quick fixes are usually actions that provide a
temporary solution.

The side panel may also contain one or more help sections related to the
available recommendations.

## Up-to-Date Base Images remediation

The **Up-to-Date Base Images** policy checks whether the base image you use is
up-to-date. The recommended actions displayed in the remediation side panel
depend on how much information Docker Scout has about your image. The more
information that's available, the better the recommendations.

The following scenarios outline the different recommendations depending on the
information available about the image.

### No provenance attestations

For Docker Scout to be able to evaluate this policy, you must add [provenance
attestations](/manuals/build/metadata/attestations/slsa-provenance.md) to your image. If
your image doesn't have provenance attestations, compliance is undeterminable.

<!--
  TODO(dvdksn): no support for the following, yet

  When provenance attestations are unavailable, Docker Scout provides generic,
  best-effort recommendations in the remediation side panel. These
  recommendations estimate your base using information from image analysis
  results. The base image version is unknown, but you can manually select the
  version you use in the remediation side panel. This lets Docker Scout evaluate
  whether the base image detected in the image analysis is up-to-date with the
  version you selected.

  https://github.com/docker/docs/pull/18961#discussion_r1447186845
-->

### Provenance attestations available

With provenance attestations added, Docker Scout can correctly detect the base
image version that you're using. The version found in the attestations is
cross-referenced against the current version of the corresponding tag to
determine if it's up-to-date.

If there's a policy violation, the recommended actions show how to update your
base image version to the latest version, while also pinning the base image
version to a specific digest. For more information, see [Pin base image
versions](/manuals/build/building/best-practices.md#pin-base-image-versions).
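A CI-side check for the digest pinning that the remediation recommends, as an added example rather than code from Docker's documentation or Docker Scout: it lists the `FROM` lines in a Dockerfile whose base image isn't pinned to a digest. The function name, the sample Dockerfile and the all-zero digest are constructed for illustration, and the check assumes each `FROM` instruction fits on one line.

```python
import re

# A digest suffix: "@sha256:" followed by 64 lowercase hex characters.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

def unpinned_base_images(dockerfile_text):
    """Return (line_no, image, reason) for each FROM not pinned to a digest."""
    stages = set()      # names declared by earlier "FROM ... AS <name>" lines
    findings = []
    for line_no, raw in enumerate(dockerfile_text.splitlines(), start=1):
        tokens = raw.split()
        if not tokens or tokens[0].upper() != "FROM":
            continue
        # Drop flags such as --platform=...; what remains is "<image> [AS <name>]".
        args = [t for t in tokens[1:] if not t.startswith("--")]
        if not args:
            continue
        image = args[0]
        if image.lower() == "scratch" or image.lower() in stages:
            pass        # empty base or an earlier build stage: nothing to pin
        elif "$" in image:
            findings.append((line_no, image, "build argument, resolve before checking"))
        elif not DIGEST_RE.search(image):
            findings.append((line_no, image, "not pinned to a digest"))
        if len(args) >= 3 and args[1].upper() == "AS":
            stages.add(args[2].lower())
    return findings

# Constructed sample; the all-zero digest is a placeholder, not a real image digest.
PLACEHOLDER_DIGEST = "sha256:" + "0" * 64
SAMPLE = "\n".join([
    "# syntax=docker/dockerfile:1",
    "ARG RUNTIME=alpine:3.19",
    "FROM --platform=$BUILDPLATFORM golang:1.22 AS build",
    f"FROM alpine:3.19@{PLACEHOLDER_DIGEST} AS certs",
    "FROM build AS test",
    "FROM ${RUNTIME}",
    "FROM scratch",
])

if __name__ == "__main__":
    for line_no, image, reason in unpinned_base_images(SAMPLE):
        print(f"line {line_no}: {image}: {reason}")
```

A `FROM` line that takes its image from a build argument is reported separately because the pin can only be judged once the argument's value is known.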

Title: Recommendations for Up-to-Date Base Images Policy
Summary
The Up-to-Date Base Images policy relies on information Docker Scout has about an image to provide recommendations. If there are provenance attestations, Docker Scout can detect the base image version, cross-referencing it against the current version. If a violation occurs, recommendations show how to update the base image to the latest version and pin it to a specific digest. However, if there are no provenance attestations, compliance is undeterminable and users are asked to add them.