dhi: add vex walkthrough#24992
Conversation
Signed-off-by: Craig Osterhout <craig.osterhout@docker.com>
✅ Deploy Preview for docsdocker ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
|
/review |
![docker-agent[bot]](https://avatars.githubusercontent.com/in/2787757?s=60&v=4){kind=small}
There was a problem hiding this comment.
Assessment: 🟡 NEEDS ATTENTION
Note: The automated verifier returned an empty response for this review. The findings below are from the drafter and have been manually verified against the diff by the coordinator agent.
Summary: The new VEX walkthrough guide is well-structured and covers the workflow end-to-end. Four medium-severity style and content issues were found in the added lines.
Signed-off-by: Craig Osterhout <craig.osterhout@docker.com>
|
Internal feedback: Any reason why you're passing On arm64 Macs (the entire Apple Silicon line, which is most Mac users now), this forces a cross-platform pull. The image lands fine, but the Trivy container example that follows then fails: Trivy's daemon-socket export path can't resolve the cross-arch manifest digest. Dropping the |
dvdksn
left a comment
dvdksn
left a comment
There was a problem hiding this comment.
I just realized I never posted this comment? Sorry, I had an unsubmitted review!
docker-agent
left a comment
docker-agent
left a comment
There was a problem hiding this comment.
Assessment: 🟢 APPROVE
This PR adds a clear, well-structured VEX walkthrough guide for Docker Hardened Images. Required front matter fields are present, no vendored content is touched, commands and flags appear accurate, and the step-by-step structure follows the tutorial format correctly. Two minor style violations from the Docker docs word list were found in the new guide.
| > On Windows, the `-v /var/run/docker.sock:/var/run/docker.sock` socket mount | ||
| > used in the containerized scanner commands throughout this guide does not work | ||
| > on Docker Desktop for Windows. Instead, in Docker Desktop go to **Settings > | ||
| > General** and enable **Expose daemon on tcp://localhost:2375 without TLS**, |
There was a problem hiding this comment.
[LOW] Style violation: use "turn on"/"turn off" instead of "enable"/"disable"
The note uses enable and disable to describe toggling a Docker Desktop setting. Per the Docker docs word list in STYLE.md, the preferred terms are "turn on" and "turn off" (or "toggle on"/"toggle off").
Suggested rewrites:
enable **Expose daemon on tcp://localhost:2375 without TLS**→turn on **Expose daemon on tcp://localhost:2375 without TLS**disable the setting when you are done testing→turn off the setting when you are done testing
| ``` | ||
|
|
||
| Then scan without VEX to see the raw CVE count. Docker Scout automatically | ||
| applies VEX on Docker Hardened Images and can't show this unfiltered baseline. |
There was a problem hiding this comment.
[LOW] Style violation: avoid negative contraction "can't"
STYLE.md advises avoiding negative contractions (can't, don't, won't) and rewriting to be positive. The sentence could be rephrased, for example:
Docker Scout automatically applies VEX on Docker Hardened Images. To see the unfiltered CVE baseline, use Trivy or Grype.
3 participants
Description
Added VEX walkthrough guide for Docker Hardened Images
The existing DHI documentation covers VEX concepts and scanner integration, but as separate reference topics. Users who want to understand VEX in practice have to piece together the workflow themselves.
This guide shows the full workflow end-to-end against a real image (
dhi.io/python:3.13): scan without VEX to get the raw CVE baseline, fetch the attestation, scan again with VEX applied, then inspect every suppression and the reasoning behind it. Each step shows actual command output so readers can compare what they see against a known reference.The guide covers:
--show-suppressedflag to surface per-CVE justification codesjqqueries against the raw VEX file to read Docker's human-readable reasoning and filter by status (not_affected,under_investigation,affected)The goal is to give readers a working mental model of what VEX does and how to audit it — something a walkthrough can do that reference docs can't.
https://deploy-preview-24992--docsdocker.netlify.app/guides/dhi-vex-walkthrough/
Related issues or tickets
ENGDOCS-3239
Reviews