Merge pull request #20596 from dvdksn/scout-policy-consolidate

scout: update ootb policy to match health score rules

Author: dvdksn

.github/vale/config/vocabularies/Docker/accept.txt

@@ -14,6 +14,7 @@ Autotest
 Azure
 BuildKit
 BusyBox
+CISA
 CNCF
 CVEs?
 CentOS

content/scout/policy/_index.md

@@ -32,9 +32,9 @@ image analysis feature, interpreting the analysis results against the rules
 defined by policies.
 
 A policy defines image quality criteria that your artifacts should fulfill.
-For example, the **No copyleft licenses** policy flags packages distributed under a copyleft license.
-If an image contains a copyleft-licensed package, that image is non-compliant with this policy.
-Some policies, such as the **No copyleft licenses** policy, are configurable.
+For example, the **No AGPL v3 licenses** policy flags any image containing packages distributed under the AGPL v3 license.
+If an image contains such a package, that image is non-compliant with this policy.
+Some policies, such as the **No AGPL v3 licenses** policy, are configurable.
 Configurable policies let you adjust the criteria to better match your organization's needs.
 
 In Docker Scout, policies are designed to help you ratchet forward your
@@ -55,11 +55,12 @@ image up-to-dateness.
 Docker Scout ships the following out-of-the-box policies:
 
 - [No fixable critical or high vulnerabilities](#no-fixable-critical-or-high-vulnerabilities)
-- [No copyleft licenses](#no-copyleft-licenses)
+- [No AGPL v3 licenses](#no-agpl-v3-licenses)
 - [No outdated base images](#no-outdated-base-images)
 - [No high-profile vulnerabilities](#no-high-profile-vulnerabilities)
 - [Supply chain attestations](#supply-chain-attestations)
 - [Default non-root user](#default-non-root-user)
+- [No unapproved base images](#no-unapproved-base-images)
 
 To give you a head start, Scout enables several policies by default for your
 Scout-enabled repositories. You can customize the default configurations to
@@ -78,34 +79,34 @@ available. Essentially, this means that there's an easy fix that you can deploy
 for images that fail this policy: upgrade the vulnerable package to a version
 containing a fix for the vulnerability.
 
-By default, this policy only flags critical and high severity vulnerabilities
-disclosed more than 30 days ago. The rationale for only flagging
-vulnerabilities of a certain age is that newly discovered vulnerabilities
-shouldn't cause your evaluations to fail until you've had a chance to address
-them.
+By default, this policy only flags critical and high severity vulnerabilities.
 
-This policy is unfulfilled if an artifact is affected by one or more critical-
+This policy is violated if an artifact is affected by one or more critical-
 or high-severity vulnerability, where a fix version is available.
 
 You can configure the parameters of this policy by creating a custom version of the policy.
 The following policy parameters are configurable in a custom version:
 
-- Name and description of the policy
-- Severity levels to consider
-- Age threshold (set to `0` to flag all vulnerabilities, regardless of age)
-- Whether or not to only report vulnerabilities with a fix version available
+- **Age**: The minimum number of days since the vulnerability was first published
 
-For more information about configuring policies, see [Configure policies](./configure.md).
+  The rationale for only flagging vulnerabilities of a certain minimum age is
+  that newly discovered vulnerabilities shouldn't cause your evaluations to
+  fail until you've had a chance to address them.
+
+<!-- vale Vale.Spelling = NO -->
+- **Severities**: Severity levels to consider (default: `Critical, High`)
+<!-- vale Vale.Spelling = YES -->
 
-### No copyleft licenses
+- **Fixable vulnerabilities only**: Whether or not to only report
+  vulnerabilities with a fix version available (enabled by default).
+
+For more information about configuring policies, see [Configure policies](./configure.md).
 
-The **No copyleft licenses** policy requires that your artifacts don't contain
-packages distributed under an AGPLv3 or GPLv3 license. These licenses are
-protective [copyleft](https://en.wikipedia.org/wiki/Copyleft), and may be
-unsuitable for use in your software because of the restrictions they enforce.
+### No AGPL v3 licenses
 
-This policy is unfulfilled if your artifacts contain one or more packages with
-a violating license.
+The **No AGPL v3 licenses** policy requires that your artifacts don't contain
+packages distributed under an AGPLv3 license. This policy is violated if
+your artifacts contain one or more packages with this license.
 
 You can configure the list of licenses that this policy should look out for,
 and add exceptions by specifying an allow-list (in the form of PURLs).
@@ -116,7 +117,7 @@ See [Configure policies](./configure.md).
 The **No outdated base images** policy requires that the base images you use are
 up-to-date.
 
-It's unfulfilled when the tag you used to build your image points to a
+It's violated when the tag you used to build your image points to a
 different digest than what you're using. If there's a mismatch in digests, that
 means the base image you're using is out of date.
 
@@ -135,19 +136,33 @@ The list includes the following vulnerabilities:
 - [CVE-2014-0160 (OpenSSL Heartbleed)](https://scout.docker.com/v/CVE-2014-0160)
 - [CVE-2021-44228 (Log4Shell)](https://scout.docker.com/v/CVE-2021-44228)
 - [CVE-2023-38545 (cURL SOCKS5 heap buffer overflow)](https://scout.docker.com/v/CVE-2023-38545)
-:cc
+- [CVE-2023-44487 (HTTP/2 Rapid Reset)](https://scout.docker.com/v/CVE-2023-44487)
 - [CVE-2024-3094 (XZ backdoor)](https://scout.docker.com/v/CVE-2024-3094)
 
 You can configure the CVEs included in this list by creating a custom policy.
-For more information, see [Configure policies](./configure.md).
+Custom configuration options include:
+
+- **CVEs to avoid**: Specify the CVEs that you want to avoid in your artifacts.
+
+  Default: `CVE-2014-0160`, `CVE-2021-44228`, `CVE-2023-38545`, `CVE-2023-44487`, `CVE-2024-3094`
+
+- **CISA KEV**: Enable tracking of vulnerabilities from CISA's Known Exploited Vulnerabilities (KEV) catalog
+
+  The [CISA KEV catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
+  includes vulnerabilities that are actively exploited in the wild. When enabled,
+  the policy flags images that contain vulnerabilities from the CISA KEV catalog.
+
+  Enabled by default.
+
+For more information on policy configuration, see [Configure policies](./configure.md).
 
 ### Supply chain attestations
 
 The **Supply chain attestations** policy requires that your artifacts have
 [SBOM](../../build/attestations/sbom.md) and
 [provenance](../../build/attestations/slsa-provenance.md) attestations.
 
-This policy is unfulfilled if an artifact lacks either an SBOM attestation or a
+This policy is violated if an artifact lacks either an SBOM attestation or a
 provenance attestation with max mode. To ensure compliance,
 update your build command to attach these attestations at build-time:
 
@@ -236,20 +251,10 @@ ENTRYPOINT ["/app/production"]
 {{< /tab >}}
 {{< /tabs >}}
 
-## Additional policies
-
-In addition to the [out-of-the-box policies](#out-of-the-box-policies) enabled
-by default, Docker Scout supports the following optional policies. Before you
-can enable these policies, you need to either configure the policies, or
-configure the integration that the policy requires.
-
-- [No unapproved base images](#no-unapproved-base-images)
-- [SonarQube quality gates passed](#sonarqube-quality-gates-passed)
-
 ### No unapproved base images
 
-The **No unapproved base images** policy lets you restrict which base
-images you allow in your builds.
+The **No unapproved base images** policy ensures that the base images you use
+in your builds are maintained and secure.
 
 This policy checks whether the base images used in your builds match any of the
 patterns specified in the policy configuration. The following table shows a few
@@ -268,35 +273,50 @@ An asterisk (`*`) matches up until the character that follows, or until the end
 of the image reference. Note that the `docker.io` prefix is required in order
 to match Docker Hub images. This is the registry hostname of Docker Hub.
 
-You can also configure the policy to:
+This policy is configurable with the following options:
+
+- **Approved base image sources**
+
+  Specify the image reference patterns that you want to allow. The policy
+  evaluates the base image references against these patterns.
+
+  Default: `[*]` (any reference is an allowed base image)
 
-- Allow only supported tags of Docker Official Images.
+- **Only supported tags**
+
+  Allow only supported tags when using Docker Official Images.
 
   When this option is enabled, images using unsupported tags of official images
-  trigger a policy violation. Supported tags for official images are listed in
-  the **Supported tags** section of the repository overview on Docker Hub.
+  as their base image trigger a policy violation. Supported tags for official
+  images are listed in the **Supported tags** section of the repository
+  overview on Docker Hub.
+
+  Enabled by default.
+
+- **Only supported OS distributions**
 
-- Allow only Docker Official Images of supported distro versions
+  Allow only Docker Official Images of supported Linux distribution versions.
 
   When this option is enabled, images using unsupported Linux distributions
   that have reached end of life (such as `ubuntu:18.04`) trigger a policy violation.
 
   Enabling this option may cause the policy to report no data
   if the operating system version cannot be determined.
 
-This policy isn't enabled by default. To enable the policy:
-
-1. [Create a new policy](https://scout.docker.com/reports/policies/create?fromDefinition=approved-base-images&fromNamespace=docker) in the Docker Scout Dashboard.
-2. Under **Approved base image sources**, specify the image reference patterns that you want to allow.
-3. Select whether you want to allow only supported tags for official images,
-   and supported Linux distribution versions.
-4. Select **Save and enable**.
-
-   The policy is now enabled for your current organization.
+  Enabled by default.
 
 Your images need provenance attestations for this policy to successfully
 evaluate. For more information, see [No base image data](#no-base-image-data).
 
+## Additional policies
+
+In addition to the [out-of-the-box policies](#out-of-the-box-policies) enabled
+by default, Docker Scout supports the following optional policies. Before you
+can enable these policies, you need to either configure the policies, or
+configure the integration that the policy requires.
+
+- [SonarQube quality gates passed](#sonarqube-quality-gates-passed)
+
 ### SonarQube quality gates passed
 
 The **SonarQube quality gates passed** policy builds on the [SonarQube

content/scout/policy/scores.md

@@ -108,20 +108,10 @@ The policies that influence the score, and their respective weights, are as foll
 | [No fixable critical or high vulnerabilities](/scout/policy#no-fixable-critical-or-high-vulnerabilities)   | 20     |
 | [No high-profile vulnerabilities](/scout/policy#no-high-profile-vulnerabilities)                           | 20     |
 | [Supply chain attestations](/scout/policy#supply-chain-attestations)                                       | 15     |
-| [No unapproved base images](/scout/policy/#no-unapproved-base-images) \*                                   | 15     |
+| [No unapproved base images](/scout/policy/#no-unapproved-base-images)                                      | 15     |
 | [No outdated base images](/scout/policy#no-outdated-base-images)                                           | 10     |
 | [Default non-root user](/scout/policy#default-non-root-user)                                               | 5      |
-| No AGPL v3 licenses \*\*                                                                                   | 5      |
-
-\* _The **No unapproved base images** policy used for health score evaluation also
-checks that the tags of Docker Official Images use supported tags and, where
-applicable, that the Linux distro that the image uses is a supported distro
-version. This is a policy configuration option that's enabled by default for
-health score evaluation. For more information, refer to the
-[Unapproved base images](/scout/policy/#no-unapproved-base-images) policy._
-
-\*\* _The **No AGPL v3 licenses** policy is a subset of the
-[Copyleft licenses](./_index.md#no-copyleft-licenses) policy._
+| [No AGPL v3 licenses](/scout/policy/_index.md#no-agpl-v3-licenses)                                         | 5      |
 
 ### Evaluation
 

content/scout/release-notes/platform.md

@@ -15,6 +15,29 @@ Docker Scout platform, including the Dashboard. For CLI release notes, refer to
 Take a look at the [Docker Public Roadmap](https://github.com/docker/roadmap/projects/1)
 for what's coming next.
 
+## Q3 2024
+
+New features and enhancements released in the third quarter of 2024.
+
+### 2024-08-13
+
+This release changes the out-of-the-box policies to align with the policy
+configurations used to evaluate Docker Scout [health scores](/scout/policy/scores.md).
+
+The default out-of-the-box policies are now:
+
+- **No high-profile vulnerabilities**
+- **No fixable critical or high vulnerabilities**
+- **No unapproved base images**
+- **Default non-root user**
+- **Supply chain attestations**
+- **No outdated base images**
+- **No AGPL v3 licenses**
+
+The configurations for these policies are now the same as the configurations
+used to calculate health scores. Previously, the out-of-the-box policies had
+different configurations than the health score policies.
+
 ## Q2 2024
 
 New features and enhancements released in the second quarter of 2024.

data/redirects.yml

@@ -124,7 +124,7 @@
   - /go/scout-policy/
 "/scout/policy/#no-fixable-critical-or-high-vulnerabilities":
   - /go/scout-policy-dsp001/
-"/scout/policy/#no-copyleft-licenses":
+"/scout/policy/#no-agpl-v3-licenses":
   - /go/scout-policy-dsp002/
 "/scout/policy/#no-outdated-base-images":
   - /go/scout-policy-dsp003/