Docker Scout Demo and Q&A
December 8, 2025 · 606 words · 3 min
If you missed our webinar “ ” — or if you want to watch it again — it’s available on-demand. The audience had more questions than we had time to answer, so we’ve included additional Q&A below.

Many developers — and their employers — are concerned with securing their software supply chain. But what does that mean? Senior Developer Relations Manager Michael Irwin uses a coffee analogy (even though he doesn’t drink coffee himself!). To brew the best cup of coffee, you need many things: clean water, high-quality beans, and good equipment. For the beans and the water, you want assurances that they meet your standards. You might look for beans that have independent certification of their provenance and processing to make sure they are produced sustainably and ethically, for example.

The same concepts apply to producing software. You want to start with . Using images from , , and lets you know you’re building on a reliable, up-to-date foundation. From those images and your layered software libraries, Docker can build a that you can present to your customers to show exactly what went into making your application. And with , you can automatically check for known vulnerabilities, which helps you find and fix security issues before they reach your customers.

During the webinar, Senior Principal Software Engineer Christian Dupuis demonstrated using Docker Scout. He highlighted how Docker Scout uses the SBOM and provenance attestations produced by BuildKit. He also showed Docker Scout listing vulnerabilities by severity. Docker Scout doesn’t stop at showing vulnerabilities; it shows where in the image each vulnerability was introduced and provides remediation suggestions.

The audience asked great questions during the live Q&A. Since we weren’t able to answer them all during the webinar, we want to take a moment to address them now.

Docker Scout gets vulnerability data from approximately 20 advisory sources. This includes Linux distributions and code repository platforms like Debian, Ubuntu, GitHub, GitLab, and other trustworthy providers of advisory metadata. We constantly cross-reference the SBOM information stored in the Docker Scout system-of-record with advisory data. New vulnerability information is immediately reflected on , in the Docker Scout CLI, and on .

Refer to the Docker pricing page to learn about what’s included in .

The documentation on Docker Scout has a dedicated section on .

There are several ways you can engage with the product team behind Docker Scout and influence the roadmap:

Docker Scout works on all supported operating systems. You can use Docker Scout in Docker Desktop version 4.17 or later or log in to to see information across all of your Docker Hub images. Make sure you keep your Docker Desktop version up to date — we’re adding new features and capabilities in every release. We also provide a Docker Scout CLI plugin. You can find instructions in the .

You can use the Docker Scout CLI to export vulnerabilities into a SARIF file for further processing or export. You can read more about this in the .

Docker Scout builds upon a system of record for the entire software development life cycle, so you can integrate it with other tools you use in your software delivery process. to learn more.

Developers want speed, security, and choice. Docker Scout helps improve developer efficiency and software security by detecting known vulnerabilities early. While it offers remediation suggestions, developers still choose the approach that best addresses each vulnerability. to see how Docker Scout helps you secure your software supply chain.
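One kind of "further processing" of the exported SARIF file is a CI gate that counts findings by severity and fails the job above a threshold. The following is an added example, not Docker's code: the SARIF document is constructed, and the rule property name `security-severity` is an assumption based on the general SARIF/GitHub convention, not a statement of Docker Scout's exact output schema.

```python
"""Summarise a SARIF report (as exported by a scanner CLI) and apply a gate.

Added example, not Docker's own code. SAMPLE_SARIF is constructed; the
`security-severity` rule property is assumed, not confirmed for Docker Scout.
"""
import json
from collections import Counter

# Constructed sample in SARIF 2.1.0 shape: each result references a rule by ruleId.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "scanner", "rules": [
            {"id": "CVE-EXAMPLE-0001", "properties": {"security-severity": "9.8"}},
            {"id": "CVE-EXAMPLE-0002", "properties": {"security-severity": "7.5"}},
            {"id": "CVE-EXAMPLE-0003", "properties": {"security-severity": "5.3"}},
            {"id": "CVE-EXAMPLE-0004", "properties": {}},  # no score published
        ]}},
        "results": [
            {"ruleId": "CVE-EXAMPLE-0001", "level": "error", "message": {"text": "pkg:deb/debian/openssl@1.1.1"}},
            {"ruleId": "CVE-EXAMPLE-0002", "level": "error", "message": {"text": "pkg:deb/debian/curl@7.88"}},
            {"ruleId": "CVE-EXAMPLE-0003", "level": "warning", "message": {"text": "pkg:deb/debian/zlib@1.2"}},
            {"ruleId": "CVE-EXAMPLE-0004", "level": "note", "message": {"text": "pkg:deb/debian/foo@1"}},
        ],
    }],
})


def bucket(score):
    """Map a CVSS-style score (or None) to a severity bucket."""
    if score is None:
        return "unknown"
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def summarize(sarif_text):
    """Count findings per severity bucket, joining each result to its rule's score."""
    counts = Counter()
    for run in json.loads(sarif_text).get("runs", []):
        rules = {r["id"]: r for r in run["tool"]["driver"].get("rules", [])}
        for res in run.get("results", []):
            raw = rules.get(res["ruleId"], {}).get("properties", {}).get("security-severity")
            counts[bucket(float(raw) if raw is not None else None)] += 1
    return dict(counts)


def gate_passes(counts, max_critical=0, max_high=0):
    """Policy a CI job can apply: fail when critical/high counts exceed the limits."""
    return counts.get("critical", 0) <= max_critical and counts.get("high", 0) <= max_high
```

Unknown-severity findings are counted separately rather than silently dropped, so a rule without a published score still shows up in the summary.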