This PR contains the following update: docker/scout-action `v1.0.9` -> `v1.4.1`
#### Release Notes
docker/scout-action (docker/scout-action)
### [`v1.4.1`](https://togithub.com/docker/scout-action/releases/tag/v1.4.1)
[Compare Source](https://togithub.com/docker/scout-action/compare/v1.4.0...v1.4.1)
*These notes also include the changes that were part of `v1.4.0`*
#### Highlights
- Update dependencies to address Leaky Vessels series of CVEs (CVE-2024-21626, CVE-2024-24557)
- Add initial VEX document to document false positive CVE-2020-8911 and CVE-2020-8912
- Support cosign SBOM attestations
- Support for VEX in-toto attestations
#### Bug fixes / Improvements
- Fix platform detection when an image index contains `linux/arm64/v8` but the local platform is reported only as `linux/arm64`
- Fix display of the base image when the base image is not indexed by *docker scout* but is defined in the *provenance attestation* (for private or non Docker Trusted Content base images).
  Affects the `quickview` and `recommendations` commands
- Fix panic when an SBOM contains no packages, notably when using `docker scout` to analyse a local file system, for instance with `docker scout cves fs://.`
- Bump Syft to 102 to fix Go PURLs with a subpath
- Add support for subpaths in PURLs.
  For instance, for an image containing both `github.com/gofiber/template` and `github.com/gofiber/template/django/v3`, the two packages were previously shown under the same `github.com/gofiber/template` name. Now both are correctly identified
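The platform-detection fix above comes down to how an image index entry is compared with the local platform. The following is an added example written for this page (not docker scout's or containerd's code) showing why a raw string comparison of `linux/arm64/v8` against `linux/arm64` fails and how normalising the variant first fixes it; the alias folding and the arm64-implies-v8 / arm-implies-v7 defaults follow the usual OCI convention, and the `ConstructedIndex` entries are a made-up image index, not a real image.

```go
package main

import (
	"fmt"
	"strings"
)

// Platform is an OCI platform triple as written in an image index
// ("os/arch" or "os/arch/variant"). Example code for this page, not
// docker scout's own implementation.
type Platform struct {
	OS, Arch, Variant string
}

// ParsePlatform splits "linux/arm64/v8" into its parts; a missing
// variant is left empty rather than guessed here.
func ParsePlatform(s string) Platform {
	parts := strings.SplitN(s, "/", 3)
	p := Platform{OS: parts[0]}
	if len(parts) > 1 {
		p.Arch = parts[1]
	}
	if len(parts) > 2 {
		p.Variant = parts[2]
	}
	return p
}

// Normalize applies the usual OCI conventions before comparing: names are
// lower-cased, common aliases are folded, arm64 without an explicit
// variant is treated as v8 and 32-bit arm without one as v7. Comparing
// the raw strings instead is exactly what makes "linux/arm64/v8" fail to
// match a local "linux/arm64".
func Normalize(p Platform) Platform {
	p.OS = strings.ToLower(p.OS)
	p.Arch = strings.ToLower(p.Arch)
	p.Variant = strings.ToLower(p.Variant)
	switch p.Arch {
	case "aarch64":
		p.Arch = "arm64"
	case "x86_64", "x86-64":
		p.Arch = "amd64"
	}
	switch p.Arch {
	case "arm64":
		if p.Variant == "" || p.Variant == "8" {
			p.Variant = "v8"
		}
	case "arm":
		if p.Variant == "" {
			p.Variant = "v7"
		}
	}
	return p
}

// Matches reports whether two platform strings denote the same platform
// once normalised.
func Matches(a, b string) bool {
	return Normalize(ParsePlatform(a)) == Normalize(ParsePlatform(b))
}

// SelectManifest picks the index entry to analyse for the local platform.
// It returns the entry exactly as written in the index so the caller can
// still look up the corresponding manifest digest by that key.
func SelectManifest(index []string, local string) (string, bool) {
	for _, entry := range index {
		if Matches(entry, local) {
			return entry, true
		}
	}
	return "", false
}

// ConstructedIndex stands in for the platforms listed in an image index
// (constructed sample for this example, not a real image).
var ConstructedIndex = []string{"linux/amd64", "linux/arm64/v8", "linux/arm/v7"}

func main() {
	for _, local := range []string{"linux/arm64", "linux/arm/v7", "linux/riscv64"} {
		entry, ok := SelectManifest(ConstructedIndex, local)
		fmt.Printf("local %-14s -> %q (found=%v)\n", local, entry, ok)
	}
}
```

Note that the non-match case is kept explicit: a platform absent from the index (here `linux/riscv64`) must return not-found rather than silently falling back to the first entry, otherwise the scanner would report CVEs for an image the host would never run.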
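To see why the PURL subpath matters for the gofiber case above, here is an added example (written for this page, not syft's or docker scout's parser) that splits a package URL into `type/namespace/name@version?qualifiers#subpath` and counts distinct packages with and without the subpath. The two sample purls in `ConstructedSBOMPurls` are constructed for the example and the `@v1.8.2` version is made up; with the subpath dropped both collapse to one identity, which is the pre-fix behaviour the release note describes.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// PURL is a parsed package URL: pkg:type/namespace/name@version?qualifiers#subpath.
// Minimal parser written for this example; not docker scout's or syft's code.
type PURL struct {
	Type, Namespace, Name, Version, Subpath string
	Qualifiers                              map[string]string
}

// ParsePURL splits a purl string following the package-url spec, keeping
// the '#subpath' fragment. Dropping that fragment is what made two
// distinct Go packages display under one name.
func ParsePURL(s string) (PURL, error) {
	var p PURL
	if !strings.HasPrefix(s, "pkg:") {
		return p, fmt.Errorf("not a purl: %q", s)
	}
	unescape := func(v string) string {
		if u, err := url.PathUnescape(v); err == nil {
			return u
		}
		return v
	}
	rest := strings.TrimPrefix(s, "pkg:")
	// Subpath is everything after the first '#'.
	if i := strings.IndexByte(rest, '#'); i >= 0 {
		p.Subpath = unescape(strings.Trim(rest[i+1:], "/"))
		rest = rest[:i]
	}
	// Qualifiers are key=value pairs after '?', keys case-insensitive.
	if i := strings.IndexByte(rest, '?'); i >= 0 {
		p.Qualifiers = map[string]string{}
		for _, kv := range strings.Split(rest[i+1:], "&") {
			k, v, _ := strings.Cut(kv, "=")
			if k != "" {
				p.Qualifiers[strings.ToLower(k)] = unescape(v)
			}
		}
		rest = rest[:i]
	}
	// Version follows the last '@' ('@' inside names must be percent-encoded).
	if i := strings.LastIndexByte(rest, '@'); i >= 0 {
		p.Version = unescape(rest[i+1:])
		rest = rest[:i]
	}
	parts := strings.Split(strings.Trim(rest, "/"), "/")
	if len(parts) < 2 || parts[0] == "" || parts[len(parts)-1] == "" {
		return p, fmt.Errorf("purl needs at least a type and a name: %q", s)
	}
	p.Type = strings.ToLower(parts[0])
	p.Name = unescape(parts[len(parts)-1])
	if len(parts) > 2 {
		p.Namespace = unescape(strings.Join(parts[1:len(parts)-1], "/"))
	}
	return p, nil
}

// Key is the identity used to de-duplicate packages. withSubpath=false
// reproduces the old behaviour where the subpath was discarded.
func (p PURL) Key(withSubpath bool) string {
	k := "pkg:" + p.Type + "/"
	if p.Namespace != "" {
		k += p.Namespace + "/"
	}
	k += p.Name
	if p.Version != "" {
		k += "@" + p.Version
	}
	if withSubpath && p.Subpath != "" {
		k += "#" + p.Subpath
	}
	return k
}

// DistinctPackages counts how many separate packages a list of purls
// represents under the chosen identity; unparsable entries are skipped.
func DistinctPackages(purls []string, withSubpath bool) int {
	seen := map[string]bool{}
	for _, s := range purls {
		p, err := ParsePURL(s)
		if err != nil {
			continue
		}
		seen[p.Key(withSubpath)] = true
	}
	return len(seen)
}

// ConstructedSBOMPurls are sample purls as an SBOM might list the two
// gofiber packages from the release note (constructed; version is made up).
var ConstructedSBOMPurls = []string{
	"pkg:golang/github.com/gofiber/template@v1.8.2",
	"pkg:golang/github.com/gofiber/template@v1.8.2#django/v3",
}

func main() {
	fmt.Println("without subpath:", DistinctPackages(ConstructedSBOMPurls, false))
	fmt.Println("with subpath:   ", DistinctPackages(ConstructedSBOMPurls, true))
}
```

The practical consequence for vulnerability matching: a CVE that applies only to the `django/v3` sub-package would, with the subpath discarded, be reported against (or missed for) the whole `github.com/gofiber/template` module, so SBOM consumers should check that their tooling preserves the fragment end to end.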
### [`v1.4.0`](https://togithub.com/docker/scout-action/compare/v1.3.0...v1.4.0)
[Compare Source](https://togithub.com/docker/scout-action/compare/v1.3.0...v1.4.0)
### [`v1.3.0`](https://togithub.com/docker/scout-action/releases/tag/v1.3.0)
[Compare Source](https://togithub.com/docker/scout-action/compare/v1.2.2...v1.3.0)
- Update [`syft`](https://togithub.com/anchore/syft) to `v0.100.0`
- Support [`in-toto` envelope](https://togithub.com/in-toto/attestation/blob/main/spec/v1/envelope.md) layer in attestations
- Improve display of policy results in case of a boolean policy
### [`v1.2.2`](https://togithub.com/docker/scout-action/releases/tag/v1.2.2)
[Compare Source](https://togithub.com/docker/scout-action/compare/v1.2.0...v1.2.2)
#### What's Changed
- Fix link rendering growing the column by [@cdupuis](https://togithub.com/cdupuis)
- No cache and docs by [@cdupuis](https://togithub.com/cdupuis)
- Add correlation headers by [@cdupuis](https://togithub.com/cdupuis)
- Allow to pass in additional SBOM catalogers by [@cdupuis](https://togithub.com/cdupuis)
- Add No Data link for SonarQube policy by [@felipecruz91](https://togithub.com/felipecruz91)
- Policy fixes by [@cdupuis](https://togithub.com/cdupuis)
### [`v1.2.0`](https://togithub.com/docker/scout-action/releases/tag/v1.2.0)
[Compare Source](https://togithub.com/docker/scout-action/compare/v1.1.0...v1.2.0)
#### What's Changed
- Display configurable policy names by [@felipecruz91](https://togithub.com/felipecruz91)
- Add support for writing SPDX and CycloneDX to file by [@cdupuis](https://togithub.com/cdupuis)
- Support ACR in docker scout repo commands by [@velll](https://togithub.com/velll)
- Docs cli reference refresh by [@dvdksn](https://togithub.com/dvdksn)
### [`v1.1.0`](https://togithub.com/docker/scout-action/compare/v1.0.9...v1.1.0)
[Compare Source](https://togithub.com/docker/scout-action/compare/v1.0.9...v1.1.0)
Configuration
- Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
- Automerge: Disabled by config. Please merge this manually once you are satisfied.
- Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
- Ignore: Close this PR and you won't be reminded about this update again.
- [ ] If you want to rebase/retry this PR, check this box
This PR has been generated by Mend Renovate. View repository job log here.