Add: Add quickstart.md improvements #22272

Merged
merged 4 commits into from
Apr 23, 2025
28 changes: 15 additions & 13 deletions content/manuals/scout/quickstart.md
@@ -84,26 +84,24 @@

## Step 4: Fix application vulnerabilities

The fix suggested by Docker Scout is to update
the underlying vulnerable express version to 4.17.3 or later.
After the Docker Scout analysis, a high vulnerability CVE-2022-24999 was found, caused by an outdated version of the **express** package.

1. Update the `package.json` file with the new package version.
The version 4.17.3 of the express package fixes the vulnerability. Therefore, update the `package.json` file to the new version:

```diff
"dependencies": {
- "express": "4.17.1"
+ "express": "4.17.3"
}
```

2. Rebuild the image with a new tag and push it to your Docker Hub repository:
Rebuild the image with a new tag and push it to your Docker Hub repository:

```console
$ docker build --push -t <ORG_NAME>/scout-demo:v2 .
```

Now, viewing the latest tag of the image in Docker Desktop, the Docker Scout
Dashboard, or CLI, you can see that you have fixed the vulnerability.
Run the `docker scout` command again and verify that HIGH CVE-2022-24999 is no longer present:

```console
$ docker scout cves --only-package express
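
Review bot: the verification command that closes this hunk, `$ docker scout cves --only-package express`, does not name the image that was just built, so a reader can end up checking whichever image Scout analyzed last instead of the rebuilt `<ORG_NAME>/scout-demo:v2`; suggest `$ docker scout cves <ORG_NAME>/scout-demo:v2 --only-package express` so the check is tied to the new tag. Also, "a high vulnerability CVE-2022-24999 was found" and "verify that HIGH CVE-2022-24999 is no longer present" read awkwardly; "a high-severity vulnerability, CVE-2022-24999, was found" and "verify that CVE-2022-24999 is no longer reported" would fix the grammar and avoid the bare uppercase "HIGH".
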
@@ -154,7 +152,7 @@

Now you can run the `quickview` command to get an overview
of the compliance status for the image you just built.
The image is evaluated against the default policy configurations.
The image is evaluated against the default policy configurations. You'll see output similar to the following:

```console
$ docker scout quickview
@@ -209,7 +207,7 @@
which is how the provenance attestations are attached to an image.

Open **Settings** in Docker Desktop. Under the **General** section, make sure
that the **Use containerd for pulling and storing images** option is checked.
that the **Use containerd for pulling and storing images** option is checked, then select **Apply & Restart**.
Note that changing image stores temporarily hides images and containers of the
inactive image store until you switch back.
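
Review bot: the added "then select **Apply & Restart**" comes before the sentence warning that switching image stores temporarily hides the images and containers of the inactive store, so a reader following the steps in order restarts before seeing the caveat; suggest moving "Note that changing image stores temporarily hides images and containers of the inactive image store until you switch back." ahead of the Apply & Restart instruction, or folding it into the same sentence.
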

@@ -230,7 +228,9 @@
3. Select **Images** in the left-hand navigation.

The images page lists your Scout-enabled repositories.
Select the image in the list to open the **Image details** sidebar.

Select the row for the image you want to view, anywhere in the row except on a link, to open the **Image details** sidebar.

The sidebar shows a compliance overview for the last pushed tag of a repository.

> [!NOTE]
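
Review bot: "Select the row for the image you want to view, anywhere in the row except on a link, to open the **Image details** sidebar." is hard to parse; suggest "Select the image's row (anywhere except on a link) to open the **Image details** sidebar." The preceding line says the page lists "Scout-enabled repositories" while this one says "image", and the next line refers to "the last pushed tag of a repository"; using one term throughout would help.
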
@@ -239,13 +239,15 @@
> It might take a few minutes before the results appear if this is your
> first time using the Docker Scout Dashboard.

Inspect the **Up-to-Date Base Images** policy.
Go back to the image list and select the image version, available in the **Most recent image** column.
Then, at the top right of the page, select the **Update base image** button to inspect the policy.

This policy checks whether base images you use are up-to-date.
It currently has a non-compliant status,
because the example image uses an old version `alpine` as a base image.

Select the **View fix** button next to the policy name for details about the violation,
and recommendations on how to address it.
Close the **Recommended fixes for base image** modal. In the policy listing, select **View fixes** button, next to the policy name for details about the violation, and recommendations on how to address it.

In this case, the recommended action is to enable
[Docker Scout's GitHub integration](./integrations/source-code-management/github.md),
which helps keep your base images up-to-date automatically.
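
Review bot: "select **View fixes** button" is missing "the", and the modal the reader is told to close, **Recommended fixes for base image**, is never introduced: the earlier instruction only says that selecting **Update base image** lets you "inspect the policy". Suggest stating that selecting **Update base image** opens the **Recommended fixes for base image** modal, then "Close the modal. In the policy listing, select the **View fixes** button next to the policy name for details about the violation and recommendations on how to address it." The removed line used **View fix** (singular); confirm which label the dashboard actually shows. The unchanged context "uses an old version `alpine` as a base image" should read "an old version of `alpine`" if this file is touched again.
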