Merge pull request #19606 from dvdksn/scout-remove-novulns-policy

scout: remove "All critical vulnerabilities" policy
docker · Mar 14, 2024 · 92041c2 · 92041c2
2 parents da43b4a + f69bd6c
commit 92041c2
Show file tree

Hide file tree

Showing 4 changed files with 44 additions and 41 deletions.
diff --git a/content/scout/policy/_index.md b/content/scout/policy/_index.md
@@ -31,11 +31,11 @@ what vulnerabilities they're exposed to. Policy Evaluation builds on top of the
 image analysis feature, interpreting the analysis results against the rules
 defined by policies.
 
-A policy defines one or more criteria that your artifacts should fulfill. For
-example, one of the default policies in Docker Scout is the **Critical
-vulnerabilities** policy, which requires that your artifacts must not contain
-any critical vulnerabilities. If an artifact contains one or more
-vulnerabilities with a critical severity, that artifact fails the evaluation.
+A policy defines image quality criteria that your artifacts should fulfill.
+For example, the **Copyleft licenses** policy flags packages distributed under a copyleft license.
+If an image contains a copyleft-licensed package, that image is non-compliant with this policy.
+Some policies, such as the **Copyleft licenses** policy, are configurable.
+Configurable policies let you adjust the criteria to better match your organization's needs.
 
 In Docker Scout, policies are designed to help you ratchet forward your
 security and supply chain stature. Where other tools focus on providing a pass
@@ -55,7 +55,6 @@ image up-to-dateness.
 Docker Scout ships the following out-of-the-box policies:
 
 - [Fixable critical and high vulnerabilities](#fixable-critical-and-high-vulnerabilities)
-- [Critical vulnerabilities](#critical-vulnerabilities)
 - [Copyleft licenses](#copyleft-licenses)
 - [Outdated base images](#outdated-base-images)
 - [High-profile vulnerabilities](#high-profile-vulnerabilities)
@@ -90,19 +89,6 @@ or high-severity vulnerability, where a fix version is available.
 You can configure the severity level and age thresholds by creating a custom
 policy. For more information, see [Configure policies](./configure.md).
 
-### Critical vulnerabilities
-
-The **Critical vulnerabilities** policy requires that your artifacts contain no
-known critical vulnerabilities. The policy is unfulfilled if your artifact
-contains one or more critical vulnerabilities.
-
-This policy flags all critical vulnerabilities, whether or not there's a fix
-version available, and regardless of how long it's been since the vulnerability
-was first disclosed.
-
-You can configure the severity level by creating a custom policy, see
-[Configure policies](./configure.md).
-
 ### Copyleft licenses
 
 The **Copyleft licenses** policy requires that your artifacts don't contain

diff --git a/content/scout/policy/view.md b/content/scout/policy/view.md
@@ -83,26 +83,37 @@ $ docker scout policy \
   --platform linux/amd64 \
   dockerscoutpolicy/email-api-service:0.0.2
 
-Image reference: dockerscoutpolicy/email-api-service:0.0.2
-Digest: sha256:17b1fde0329c71af302b6391fc73a08f56cb8c33e7eea7a33b61a24cedbf2b69
-Platform: linux/amd64
-
-## Overview
-
-Policy status:  FAILED  (1/3 policies violated)
-
-                      Policy                     │      Results       
-─────────────────────────────────────────────────┼────────────────────
-  ✓ Critical and high vulnerabilities with fixes │ 0 vulnerabilities  
-  ✗ Critical vulnerabilities                     │    1C              
-  ✓ Packages with GPL3+ licenses                 │ 0 packages         
-
-
-## "Critical vulnerabilities" policy evaluation results
-
-  Vulnerability  │  Severity  │                     Current package version                     │ Fix version  
-─────────────────┼────────────┼─────────────────────────────────────────────────────────────────┼──────────────
-  CVE-2022-48174 │  CRITICAL  │ pkg:apk/alpine/busybox@1.36.1-r0?os_name=alpine&os_version=3.18 │ 1.36.1-r1
+    ✓ Pulled
+    ✓ Policy evaluation results found
+
+
+## Overview
+
+             │               Analyzed Image
+─────────────┼──────────────────────────────────────────────
+  Target     │  dockerscoutpolicy/email-api-service:0.0.2
+    digest   │  17b1fde0329c
+    platform │ linux/amd64
+
+
+## Policies
+
+Policy status  FAILED  (2/8 policies met, 3 missing data)
+
+  Status │                  Policy                   │           Results
+─────────┼───────────────────────────────────────────┼──────────────────────────────
+  ✓      │ Copyleft licenses                         │    0 packages
+  !      │ Default non-root user                     │
+  !      │ Fixable critical and high vulnerabilities │    2C     1H     0M     0L
+  ✓      │ High-profile vulnerabilities              │    0C     0H     0M     0L
+  ?      │ Outdated base images                      │    No data
+         │                                           │    Learn more ↗
+  ?      │ Quality gates passed                      │    No data
+         │                                           │    Learn more ↗
+  !      │ Supply chain attestations                 │    2 deviations
+  ?      │ Unapproved base images                    │    No data
+
+...
 ```
 
 For more information about the command, refer to the [CLI

diff --git a/content/scout/quickstart.md b/content/scout/quickstart.md
@@ -154,12 +154,11 @@ The image is evaluated against the default, out-of-the-box policies.
 $ docker scout quickview
 
 ...
-Policy status  FAILED  (2/7 policies met, 2 missing data)
+Policy status  FAILED  (2/6 policies met, 2 missing data)
 
   Status │                  Policy                   │           Results
 ─────────┼───────────────────────────────────────────┼──────────────────────────────
   ✓      │ Copyleft licenses                         │    0 packages
-  !      │ Critical vulnerabilities                  │    2C     0H     0M     0L
   !      │ Default non-root user                     │
   !      │ Fixable critical and high vulnerabilities │    2C    16H     0M     0L
   ✓      │ High-profile vulnerabilities              │    0C     0H     0M     0L

diff --git a/content/scout/release-notes.md b/content/scout/release-notes.md
@@ -16,6 +16,13 @@ for what's coming next.
 
 New features and enhancements released in the first quarter of of 2024.
 
+### 2024-03-14
+
+The **All critical vulnerabilities** policy has been removed.
+The **Fixable critical and high vulnerabilities** policy provides similar functionality,
+and will be updated in the future to allow for more extensive customization,
+making the now-removed **All critical vulnerabilities** policy redundant.
+
 ### 2024-01-26
 
 **Azure Container Registry** integration graduated from