Install: claude install-skill Habitat-Thinking/ai-literacy-superpowers
# Docker Scout Audit
## Overview
Docker Scout analyses an image's SBOM against the advisory database to surface CVEs and recommend base image updates. Images must be built locally before scanning — Scout analyses layers, not just the Dockerfile.
**Critical rule: Never assert that a base image version is "safe" from training knowledge. Tag aliases like `alpine:3.21` can float. Always run Scout to get the current state.**
---
## Project Images Quick Reference
Build each image before scanning:
```bash
# Go TUI (multi-stage: golang:1.26 → alpine:3.21)
docker build -t ai-literacy-go-tui go-tui/
# Python TUI (python:3.12-slim)
docker build -t ai-literacy-python-tui python-tui/
# Kotlin TUI (multi-stage: maven:3-eclipse-temurin-21 → eclipse-temurin:21-jre-alpine)
docker build -t ai-literacy-kotlin-tui tui/
# C# TUI (multi-stage: dotnet/sdk:8.0 → dotnet/runtime:8.0-alpine)
docker build -t ai-literacy-csharp-tui csharp-tui/
```
---
## Audit Commands
### Quick overview (start here)
```bash
docker scout quickview ai-literacy-go-tui
```
Prints a one-line summary: `5C 3H 6M 63L` (Critical / High / Medium / Low), plus base image refresh/update availability. Run this for all four images first to triage where to spend time.
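The triage step above can be scripted. This is an added example, not part of the original skill: it ranks the four project images by their quickview counts, worst first. It assumes the image's own `NC NH NM NL` group is the first one in the quickview output; `scout_counts`, `triage`, and the `SCOUT` override are hypothetical names introduced here.

```bash
#!/usr/bin/env bash
# Added example: rank the project images by quickview severity counts.
# Assumption: the first "5C 3H 6M 63L"-style group in the output is the
# image's own total (a later group may describe the base image).

IMAGES="ai-literacy-go-tui ai-literacy-python-tui ai-literacy-kotlin-tui ai-literacy-csharp-tui"
SCOUT="${SCOUT:-docker scout}"   # overridable so the parsing can be exercised offline

# Read quickview output on stdin, print "C H M L" for the first count group.
scout_counts() {
  grep -Eo '[0-9]+C +[0-9]+H +[0-9]+M +[0-9]+L' | head -n 1 | tr -d 'CHML' | tr -s ' '
}

# Print "image C H M L" per image, sorted by critical, then high, descending.
triage() {
  for img in $IMAGES; do
    counts=$($SCOUT quickview "$img" 2>&1 | scout_counts)
    # No summary means the image was not built or the scan failed.
    # Report that on stderr instead of treating it as zero findings.
    if [ -z "$counts" ]; then
      echo "$img SCAN_FAILED" >&2
      continue
    fi
    echo "$img $counts"
  done | sort -k2,2nr -k3,3nr
}
```

After building the images, source the file and run `triage`; images that produced no summary are listed on stderr so a failed scan is never read as a clean one.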
### Actionable CVE list — fixable, high+ only
```bash
docker scout cves \
  --only-severity critical,high \
  --only-fixed \
  ai-literacy-go-tui
```
`--only-fixed` limits output to CVEs that have a known patch available, making the list immediately a