cvesguard (short form of Docker Scout CVEs Guard) is a tool to police CVE vulnerabilities in Docker images through a policy manifest in your pipeline. It helps CI/CD engineers decide whether a Docker image can be deployed after a `docker scout` run.
cvesguard consumes the output of the `docker scout cves` command in SARIF format, written to a JSON file. You can generate the report as in this example:

```
docker scout cves hello-world --format sarif --output cves-report.json
```

There are a few commands available for the cvesguard tool.
lint: validates that the policy and CVEs report files comply with the schema.

```
cvesguard lint --policy policy.yaml --cves-report cves-report.json
```

or

```
cvesguard lint -p policy.yaml -r cves-report.json
```

exec: checks the policy specified in the manifest against the CVEs report.

```
cvesguard exec --policy policy.yaml --cves-report cves-report.json
```

or

```
cvesguard exec -p policy.yaml -r cves-report.json
```
The policy manifest file contains the configuration details of how the apply command should be executed.
Example:

policy.yaml

```yaml
---
version: v1.0.0
spec:
  config:
    vulnerability:
      critical: 0
      high: 0
      medium: 100
      low: 2
    packages:
      - name: log4j
        action: ignore
        severity:
          - critical
          - high
```
Top-level attributes of the manifest:

| Attribute | Type | Required |
|---|---|---|
| version | Text | yes |
| spec | Spec | yes |

Spec attributes:

| Attribute | Type | Required |
|---|---|---|
| config | Config | yes |

Config attributes:

| Attribute | Type | Required |
|---|---|---|
| vulnerability | Vulnerability | yes |
| packages | List of Package | no |

Vulnerability attributes (maximum number of findings allowed per severity):

| Attribute | Type | Required |
|---|---|---|
| critical | Number | yes |
| high | Number | yes |
| medium | Number | yes |
| low | Number | yes |

Package attributes:

| Attribute | Type | Required |
|---|---|---|
| name | Text | yes |
| action | Text. Available options: allow and deny | yes |
| severity | List. Available options: critical, high, medium and low | yes |
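To show how the thresholds and package rules above combine into a deploy decision, here is an added example that is not cvesguard's own code: it evaluates the README's policy (as a parsed dict, following its `ignore` action) against a constructed, minimal SARIF-style report. The report field names `properties.severity` and `properties.package` are assumptions for illustration, not the real `docker scout` SARIF layout.

```python
from collections import Counter

SEVERITIES = ("critical", "high", "medium", "low")

# Parsed form of the policy.yaml shown above.
POLICY = {"version": "v1.0.0", "spec": {"config": {
    "vulnerability": {"critical": 0, "high": 0, "medium": 100, "low": 2},
    "packages": [{"name": "log4j", "action": "ignore",
                  "severity": ["critical", "high"]}],
}}}

# Constructed sample report (not real docker scout output); field names assumed.
REPORT = {"runs": [{"results": [
    {"ruleId": "CVE-EXAMPLE-0001", "properties": {"severity": "critical", "package": "log4j"}},
    {"ruleId": "CVE-EXAMPLE-0002", "properties": {"severity": "high", "package": "openssl"}},
    {"ruleId": "CVE-EXAMPLE-0003", "properties": {"severity": "low", "package": "zlib"}},
    {"ruleId": "CVE-EXAMPLE-0004", "properties": {"severity": "low", "package": "zlib"}},
]}]}


def is_ignored(package, severity, rules):
    """True when a package rule with action 'ignore' covers this severity."""
    return any(r["name"] == package and r["action"] == "ignore"
               and severity in r["severity"] for r in rules)


def evaluate(policy, report):
    """Return (deployable, counts per severity, severities over their limit)."""
    cfg = policy["spec"]["config"]
    limits = cfg["vulnerability"]
    rules = cfg.get("packages", [])
    counts = Counter()
    for run in report["runs"]:
        for res in run["results"]:
            sev = res["properties"]["severity"].lower()
            pkg = res["properties"]["package"]
            # Findings matched by an ignore rule do not count against the limits.
            if sev in SEVERITIES and not is_ignored(pkg, sev, rules):
                counts[sev] += 1
    violations = [s for s in SEVERITIES if counts[s] > limits[s]]
    return not violations, dict(counts), violations
```

With this input the critical log4j finding is ignored, the two low findings sit exactly at the limit of 2, and the single high finding in openssl exceeds the limit of 0, so the image is not deployable.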
Contributions are welcome! Please do not hesitate to submit a Pull Request.
This project is licensed under the MIT License.