
Docker Scout Unveils Advanced Features to Bolster Software Supply Chain Integrity

Docker adds its own twist to software supply chain security. 

In a significant move to enhance the software supply chain, Docker has released Docker Scout. Scout is a unified container security solution designed to help developers quickly identify and fix vulnerabilities across all their repositories. It does this by scanning all your locally stored images, and it also provides up-to-date vulnerability information as you build your images. In addition, it analyzes image contents and generates a detailed report of the packages and vulnerabilities it detects.

After that, Scout will provide you with suggestions on how to address the vulnerabilities it detects. Not all vulnerabilities are equally bad. There's a big difference between a security hole with a Common Vulnerability Scoring System (CVSS) score of 1.8 (low) and one scoring 9.8 (critical), red lights blazing.

Docker Scout is integrated throughout Docker user interfaces and the CLI. You can leverage it via Docker Hub, Docker Desktop, and Docker DevSecOps GitHub integration.

Essentially, Docker Scout is a tool that makes it easy for developers to view vulnerabilities found in Docker images. This will help ensure you don't deploy a container based on an image with known vulnerabilities. With new security problems popping up seemingly every time you blink, this is a valuable trait.

Docker Scout's primary aim is to simplify the software supply chain management for developers crafting modern cloud-native applications. It offers real-time actionable insights, starting from the initial base image pulled to the git commit, CI pipeline, and the final deployment of workloads in production. Docker Scout capitalizes on its vast open ecosystem and the container runtime to provide developers with actionable insights.

The platform acts as the definitive record for the software supply chain. By integrating seamlessly with the rest of the Docker programmer family, it gives you a holistic view of your applications. This includes real-time insights, anomaly detection, and automated recommendations to enhance application integrity.

In addition, after talking to its customers, Docker has identified a growing trend: Developers are becoming more discerning about the content they use. Addressing this, Docker offers Docker Official Images, a handpicked set of repositories on Docker Hub. Docker plans to introduce more software supply chain metadata for these images in the upcoming months.

Docker Scout also emphasizes the importance of overseeing the entire software supply chain, rather than just focusing on policies for currently running container images. Docker Scout introduces a series of actionable insights and recommended workflows. It's integrated with Sysdig, JFrog Artifactory, Amazon Elastic Container Registry (ECR), BastionZero, GitHub, GitLab, CircleCI, and Jenkins. You can also use Snyk scans via a Docker Extension.

Addressing the limitations of current policy solutions, Docker Scout delves deeper into policy evaluation. It identifies subtle policy deviations and suggests remediation strategies, reducing Mean Time To Recovery (MTTR).

Docker Scout's vision is to empower developers to tailor policies to their specific needs. The platform now offers built-in policies to keep base images updated, monitor vulnerabilities, and oversee relevant licenses. Users can view aggregated policy results, enabling them to prioritize and delve deeper into specific policy changes.
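The two ideas above, that findings are ranked by CVSS severity rather than treated alike, and that a policy decides which findings block a build and which ones just get reported with a remediation hint, are easy to see in a small gate. The following is an added example, not Docker's or Scout's code: it evaluates a constructed vulnerability report against a simple policy. The report fields, the `Finding` and `Policy` types, the `evaluate` function and the sample CVE identifiers are all assumptions made for illustration and do not reflect Scout's actual output schema or policy language.

```python
"""Added example (not Docker Scout's code): a minimal policy gate over a
constructed vulnerability report.  The record shape, field names and the
CVE-0000-* identifiers below are constructed for illustration only."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


def cvss_severity(score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative band (FIRST spec):
    0.0 none, 0.1-3.9 low, 4.0-6.9 medium, 7.0-8.9 high, 9.0-10.0 critical."""
    if score == 0.0:
        return "none"
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    if score < 9.0:
        return "high"
    return "critical"


SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Finding:
    """One vulnerability reported against a package in an image (assumed shape)."""
    vuln_id: str
    package: str
    cvss: float
    fixed_version: Optional[str]  # None when the upstream has no fix yet


@dataclass
class Policy:
    """Assumed policy: block at or above a severity band, and allow only listed licenses."""
    block_at: str = "high"
    allowed_licenses: Set[str] = field(
        default_factory=lambda: {"MIT", "Apache-2.0", "BSD-3-Clause"}
    )


def evaluate(findings: List[Finding], licenses: Dict[str, str],
             policy: Policy) -> Tuple[bool, List[str]]:
    """Return (passed, reasons).  Findings at or above policy.block_at fail
    the gate and are listed most severe first; each reason carries the
    upgrade target when one exists so the output is actionable, not just
    a count.  Packages under a license outside the allowlist also fail."""
    reasons: List[str] = []
    threshold = SEVERITY_RANK[policy.block_at]
    for f in sorted(findings, key=lambda x: x.cvss, reverse=True):
        sev = cvss_severity(f.cvss)
        if SEVERITY_RANK[sev] >= threshold:
            fix = f"upgrade to {f.fixed_version}" if f.fixed_version else "no fix available"
            reasons.append(f"{f.vuln_id} ({sev}, {f.cvss}) in {f.package}: {fix}")
    for pkg, lic in sorted(licenses.items()):
        if lic not in policy.allowed_licenses:
            reasons.append(f"{pkg}: license {lic} not in allowlist")
    return (not reasons, reasons)


# Constructed sample report: identifiers and versions are placeholders.
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", "libexample", 9.8, "1.2.4"),  # critical, fix exists
    Finding("CVE-0000-0002", "libother", 1.8, None),       # low, below threshold
    Finding("CVE-0000-0003", "libthird", 7.5, None),       # high, no fix yet
]
SAMPLE_LICENSES = {"libexample": "MIT", "libfourth": "GPL-3.0-only"}

if __name__ == "__main__":
    passed, reasons = evaluate(SAMPLE_FINDINGS, SAMPLE_LICENSES, Policy())
    print("gate:", "PASS" if passed else "FAIL")
    for line in reasons:
        print(" -", line)
```

Run as a script, the gate fails on the constructed sample: the critical finding comes first with its upgrade target, the high finding is flagged as having no fix (the case where the decision is whether to accept the risk or swap the package), the low-severity one is not listed at all, and the GPL package is reported separately as a license deviation. Raising `block_at` to `"critical"` would let the 7.5 finding through, which is the kind of per-team tailoring the paragraph above describes.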

So far, it's looking pretty good. As Dan Lorenc, CEO and co-founder of top software supply chain security vendor Chainguard, creator of the open-source SigStore project, and someone who knows his way around software development and security, tweeted, "really impressed with the results of @Docker scout for CVE scanning. I've been monitoring the results against @AquaTrivy and @GrypeProject for a while now, and Scout is getting really good at removing false positives. It also catches @golang stdlib CVEs now, too!"

Lorenc added, "We constantly monitor the results of snyk, trivy, and grype today across all of our images and a big set of dockerhub ones. I've been spot-checking Scout since it came out, and the results are getting better and better quickly."

Once Docker Scout is integrated into the Docker-Sponsored Open Source (DSOS) program by the end of the year, members will be able to activate it on up to 100 repositories within their DSOS-approved namespace.

It's early days, but Scout is already looking like a tool you'll want in your software development toolkit. And, if you're already a Docker user, it's a no-brainer. You'll want to start using Scout today.

Pricing for Scout is $9 per image repository per month for 4+ repos, or $0 per repo up to 3 repos. You can be on Docker Personal (the free plan) and purchase Scout at any level, but you don't need Docker Desktop to use the product. You can install its CLI from GitHub or just use it on Docker Hub.
