Search the Community

As we announced at DockerCon, we’re now providing a free Docker Scout Team subscription to all Docker-Sponsored Open Source (DSOS) program participants. If your open source project participates in the DSOS program, you can start using Docker Scout today. If your open source project is not in the Docker-Sponsored Open Source program, you can check the requirements and apply. For other customers, Docker Scout is already generally available. Refer to the Docker Scout product page to learn more. Why use Docker Scout? Docker Scout is a software supply chain solution designed to make it easier for developers to identify and fix supply chain issues before they hit production. To do this, Docker Scout: Gives developers a centralized view of the tools they already use to see all the critical information they need across the software supply chain Makes clear recommendations on how to address those issues, including for security issues and opportunities to improve reliability efforts Provides automation that highlights new defects, failures, or issues Docker Scout allows you to prevent and address flaws where they start. By identifying issues earlier in the software development lifecycle and displaying information in Docker Desktop and the command line, Docker Scout reduces interruptions and rework. Supply chain security is a big focus in software development, with attention from enterprises and governments. Software is complex, and when security, reliability, and stability issues arise, they’re often the result of an upstream library. So developers don’t just need to address issues in the software they write but also in the software their software uses. These concerns apply just as much to open source projects as proprietary software. But the focus on improving the software supply chain results in an unfunded mandate for open source developers. A research study by the Linux Foundation found that almost 25% of respondents said the cost of security gaps was “high” or “very high.” Most open source projects don’t have the budget to address these gaps. With Docker Scout, we can reduce the burden on open source projects. Conclusion At Docker, we understand the importance of helping open source communities improve their software supply chain. We see this as a mutually beneficial relationship with the open source community. A well-managed supply chain doesn’t just help the projects that produce open source software; it helps downstream consumers through to the end user. For more information, refer to the Docker Scout documentation. Learn more Join our “Improving Software Supply Chain Security for Open Source Projects” webinar on Wednesday, February 7, 2024 at 1 PM Eastern (1700 UTC). Watch on LinkedIn or on the Riverside streaming platform. Try Docker Scout. Looking to get up and running? Use our Quickstart guide. Vote on what’s next! Check out the Docker Scout public roadmap. Have questions? The Docker community is here to help. Not a part of DSOS? Apply now. View the full article

With the proliferation of open source components, integrity and reliability within the software supply chain are paramount. This article explores how Docker Scout policies serve as a catalyst, fostering collaboration between development and security teams to define and achieve an ideal application security posture for organizations. Let’s dive into the capabilities that make Docker Scout an indispensable asset in the pursuit of improved security. Step 1: Use Docker Scout policies for SecOps efficiency Docker Scout dashboards become a security team’s trusted companion, providing a seamless and intuitive interface to utilize out-of-the-box policies. These policies offer a rapid comparison between the ideal and current states of application security, effectively highlighting areas requiring attention. To give security teams a head start, these out-of-the-box policies come with default configurations that can be updated to reflect internal requirements and standards. Step 2: Gauge the impact of security policies Docker Scout dashboards are more than visual aids; they are powerful tools for understanding an organization’s current application security posture. Offering an overall summary and compliance status checks against defined standards enables security teams to gauge the impact of security policies. For example, the critical CVE policy showcases the percentage of images with no critical CVEs (Figure 1). Figure 1: Docker Scout policies showing conformance percentages. Step 3: Drill down for actionable insights Docker Scout dashboards offer an intuitive approach to analyzing information and gaining deeper insights. For example, selecting View details on any of the policies provides comprehensive information about nonconforming images. Moreover, it precisely indicates the location of vulnerabilities within an image. This user-friendly feature ensures that teams can identify problematic images with just a few clicks and understand the right next steps to initiate effective remediation (Figure 2). Figure 2: Detailed view provides the non-conformant images and associated vulnerabilities. Step 4: Use Docker Scout CLI at the point of development for quick feedback Docker Scout becomes an integral part of developers’ workflows, allowing them to work seamlessly with their preferred tools, such as the CLI. For example, developers can run a simple docker scout policy command in the CLI to receive instant feedback on image compliance with company policies. This integration significantly reduces feedback loops, saving valuable time and boosting developer productivity (Figure 3). Figure 3: Output of scout policy command showing conformance status at the developer workstation. Step 5: Get recommendations for seamless issue resolution Docker Scout goes beyond merely identifying issues; it provides actionable recommendations for developers. For example, running the docker scout recommendations command offers easy-to-understand next steps (Figure 4). Developers can now swiftly address issues, such as updating a base image, without needing to scour the web for solutions. Docker Scout simplifies the process, allowing developers to jump into their preferred workflows with confidence. Figure 4: Output of Docker Scout recommendations command showing the next best action for the developer to remediate the issues. Conclusion Docker Scout is more than a security product — it’s a business enabler. Docker Scout’s integrated solutions enhance developer productivity and empower cross-functional teams to confidently deliver secure applications to production faster. By seamlessly bringing together the development and security teams, Docker Scout policies become a driving force in achieving a secure and streamlined software development lifecycle. Elevate your security efforts with Docker Scout policies and unlock collaborative efficiency. Get started with Docker Scout Get started with Docker Scout policies at scout.docker.com. Read Achieve Security and Compliance Goals with Policy Guardrails in Docker Scout. Visit the Docker Scout product page. Have questions? The Docker community is here to help. New to Docker? Get started. View the full article

At DockerCon 2023, we announced the General Availability (GA) of Docker Scout. We built Docker Scout for modern application teams, to help developers navigate the complexities and challenges of the software supply chain through actionable insights. The Scout GA release introduced several new capabilities, including a policy-driven evaluation mechanism, aka guardrails, that helps developers prioritize their insights to better align their work with organizational standards and industry best practices. In this article, we will walk through how Docker Scout policies enable teams to identify, prioritize, and fix their software quality issues at the point of creation — the developer inner loop (i.e., local development, building, and testing) — so that they can meet their organization’s security and reliability standards without compromising their speed of execution and innovation. Prioritizing problems When implementing software supply chain tools and processes, organizations often encounter a daunting wall of issues in their software. The sheer volume of these issues (ranging from vulnerabilities in code to malicious third-party dependencies, compromised build systems, and more) makes it difficult for development teams to balance shipping new features and improving their product. In such situations, policies play a crucial role in helping developers prioritize which problems to fix first by providing clear guidelines and criteria for resolution. Docker Scout’s out-of-the-box policies align with software supply chain best practices to maintain up-to-date base images, remove high-risk vulnerabilities, check for undesirable licenses, and look for other issues to help organizations maintain the quality of the artifacts they’re building or consuming (Figure 1). Figure 1: A summary of available policies in Docker Scout. These policies bring developers critical insights about their container images and enable them to focus on prioritizing new issues as they come in and to identify which pre-existing issues require their attention. In fact, developers can get these insights right from their local machine, where it is much faster and less expensive to iterate than later in the supply chain, such as in CI, or even later in production (Figure 2). Figure 2: Policy evaluation results in CLI. Make things better Docker Scout also adopts a more pragmatic and flexible approach when it comes to policy. Traditional policy solutions typically follow a binary pass/fail evaluation model that imposes rigid, one-size-fits-all targets, like mandating “fewer than 50 vulnerabilities” where failure is absolute. Such an approach overlooks nuanced situations or intermediate states, which can cause friction with developer workflows and become a main impediment to successful adoption of policies. In contrast, Docker Scout’s philosophy revolves around a simple premise: “Make things better.” This premise means the first step in every release is not to get developers to zero issues but to prevent regression. Our approach acknowledges that although projects with complex, extensive codebases have existing quality gaps, it is counterproductive to place undue pressure on developers to fix everything, everywhere, all at once. By using Docker Scout, developers can easily track what has worsened in their latest builds (from the website, the CLI and CI pipelines) and only improve the issues relevant to their policies (Figures 3 and 4). Figure 3: Outcomes driven by Docker Scout Policy. Figure 4: Pull Request diff from the Scout GitHub Action. But, finding and prioritizing the right problems is only half of the effort. For devs to truly “make things better,” the second step they must take is toward fixing these issues. According to a recent survey of 500 developers conducted by GitHub, the primary areas where development teams spend most of their time include writing code (32%) and identifying and addressing security vulnerabilities (31%). This is far from ideal, as it means that developers are spending less time driving innovation and user value. With Docker Scout, we aim to address this challenge head-on by providing developers access to automated, in-context remediation guidance (Figure 5). By actively suggesting upgrade and remediation paths, Docker Scout helps to bring teams’ container images back in line with policies, reducing their mean time to repair (MTTR) and freeing up more of their time to create value. Figure 5: Example scenario for the ‘Base images not up to date’ policy. While Docker Scout initially helps teams prioritize the direction of improvement, once all the existing critical software issues have been effectively addressed, developers can transition to employing the policies to achieve full compliance. This process ensures that going forward, all container images are void of the specific issues deemed vital to their organization’s code quality, compliance, and security goals. The Docker Scout team is excited to help our customers build software that meets the highest standards of safety, efficiency, and quality in a rapidly evolving ecosystem within the software supply chain. To get started with Docker Scout, visit our product page today. Learn more VIsit the Docker Scout product page. Looking to get up and running? Use our Quickstart guide. Vote on what’s next! Check out the Docker Scout public roadmap. Have questions? The Docker community is here to help. New to Docker? Get started. View the full article

We are excited to announce that Docker Scout General Availability (GA) now allows developers to continuously evaluate container images against a set of out-of-the-box policies, aligned with software supply chain best practices. These new capabilities also include a full suite of integrations enabling you to attain visibility from development into production. These updates strengthen Docker Scout’s position as integral to the software supply chain... View the full article