Part 6 CI: Installing docker scout
If you have been using Docker scan to check for CVEs, note that docker scan has been discontinued and replaced by Docker Scout. I am using it on my GitLab runner Ubuntu server, since most of my build images are temporarily stored there.
To install Docker Scout on Ubuntu, first create the Docker CLI plugins directory, then run the installer:
mkdir -p ~/.docker/cli-plugins
curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s --
After that you can use it. To start using Docker Scout you first need to log in with docker login:
docker login
docker scout cve <image-name>
Running docker scout cve <image-name> returns the CVEs found in the image. This covers both the base image and the application layers.
If you would like to ignore the base image, use this:
docker scout cve <image-name> --ignore-base
This brings me back to the question: my project has a MEDIUM vulnerability, so how do I check which dependency brings it in? I am using Node, so I can check with
npm list -a
Unfortunately, nodemon at the time of writing is still on the same version as listed, so for now I am not able to update it.
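Reading npm list -a by eye gets tedious on a large tree, so here is an added example (my own script, not part of Docker Scout or npm) that walks the JSON form of the same listing and reports, for each installed version of a flagged package, which direct dependency pulls it in. The package name transitive-lib and the whole tree below are constructed sample data; load_live_tree() shows how to get the real tree from your project.

```python
import json
import subprocess
from typing import Dict, Iterator, List

# Constructed sample in the shape `npm ls --all --json` prints (not a real
# project): nodemon drags in an older transitive-lib, directly and via chokidar.
SAMPLE_NPM_TREE = json.loads("""
{
  "name": "example-app",
  "dependencies": {
    "express": {"version": "4.18.2",
                "dependencies": {"transitive-lib": {"version": "2.0.0"}}},
    "nodemon": {"version": "2.0.22",
                "dependencies": {
                  "transitive-lib": {"version": "1.2.3"},
                  "chokidar": {"version": "3.5.3",
                               "dependencies": {"transitive-lib": {"version": "1.2.3"}}}}}
  }
}
""")


def find_dependency_paths(tree: Dict, package: str) -> Iterator[List[str]]:
    """Yield every path (top-level -> ... -> package@version) through the
    nested `dependencies` maps that ends at the named package."""
    def walk(node: Dict, path: List[str]) -> Iterator[List[str]]:
        for name, child in (node.get("dependencies") or {}).items():
            here = path + [f"{name}@{child.get('version', '?')}"]
            if name == package:
                yield here
            yield from walk(child, here)
    yield from walk(tree, [])


def versions_in_use(tree: Dict, package: str) -> Dict[str, List[str]]:
    """Map each installed version of `package` to the direct dependencies that
    pull it in, so you know which top-level package needs a bump (or a wait)."""
    result: Dict[str, List[str]] = {}
    for path in find_dependency_paths(tree, package):
        version = path[-1].rsplit("@", 1)[1]       # rsplit keeps @scope/name intact
        top_level = path[0].rsplit("@", 1)[0]
        owners = result.setdefault(version, [])
        if top_level not in owners:
            owners.append(top_level)
    return result


def load_live_tree() -> Dict:
    """Run the real listing (--all is the long form of -a used above). npm may
    exit non-zero on problems but still prints the JSON, so do not use check=True."""
    out = subprocess.run(["npm", "ls", "--all", "--json"], capture_output=True, text=True)
    return json.loads(out.stdout)


if __name__ == "__main__":
    for version, owners in versions_in_use(SAMPLE_NPM_TREE, "transitive-lib").items():
        print(f"transitive-lib@{version} <- {', '.join(owners)}")
```

Swap SAMPLE_NPM_TREE for load_live_tree() and the package name for the one Docker Scout flagged to see which of your direct dependencies is holding the vulnerable version.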
So there you have it: how to use Docker Scout. You can integrate it into your CI pipeline before testers receive the image, or developers can run it right after docker build on a test machine.