docker / scout-cli

Docker Scout CLI
https://docker.com/products/docker-scout

add Chainguard secdb to docker scout advisory feed #10

Closed amdawson closed 1 year ago

amdawson commented 1 year ago

Description

Scout already supports the open source Wolfi security feed. But Chainguard also has a second feed for commercial packages. Please consider adding this feed to the Scout advisory feed:

https://packages.cgr.dev/chainguard/security.json

amdawson commented 1 year ago

Here are the docs that show Wolfi support https://docs.docker.com/scout/advisory-db-sources/

thaJeztah commented 1 year ago

Not sure what the best location is for feature requests for scout, but let me move this to the https://github.com/docker/scout-cli/issues issue tracker (as scout is not maintained in this repository)

thaJeztah commented 1 year ago

Arf.. don't have access permissions to do that. @cdupuis is it possible to give me access?

cdupuis commented 1 year ago

@thaJeztah done. Feel free to move this issue.

@amdawson, we already support the Chainguard commercial stream. Are you seeing any issues with our support? Could you perhaps share a test image to verify some of the reports?

amdawson commented 1 year ago

That's great, thank you. Maybe update docs to reflect? I didn't see issues, just saw the docs.

cdupuis commented 1 year ago

> That's great, thank you. Maybe update docs to reflect? I didn't see issues, just saw the docs

That's a good point re docs. Thanks.

Just out of curiosity, do you happen to have access/can share a test image with some known CVEs in it we could use to test our support against?

thaJeztah commented 1 year ago

Thanks! Moved the ticket 👍

amdawson commented 1 year ago

> > That's great, thank you. Maybe update docs to reflect? I didn't see issues, just saw the docs
>
> That's a good point re docs. Thanks.
>
> Just out of curiosity, do you happen to have access/can share a test image with some known CVEs in it we could use to test our support against?

Well, we try to keep them at 0, but sometimes some sneak in. Try cgr.dev/chainguard/vault or cgr.dev/chainguard/maven

cdupuis commented 1 year ago

@ChrisChinchilla could you add the Chainguard feed to the docs, please?

ChrisChinchilla commented 1 year ago

@cdupuis https://github.com/docker/docs/pull/17617

cdupuis commented 1 year ago

Thanks. Closing this here.