[feature request] Use the Docker’s Sponsored Open Source Program

[mathieu-benoit]

As a CNCF Project, we can take advantage of the Docker’s Sponsored Open Source Program:

• https://www.cncf.io/announcements/2025/09/18/cncf-expands-infrastructure-support-for-project-maintainers-through-partnership-with-docker/
• https://contribute.cncf.io/blog/2026/01/15/docker-sponsored-open-source-program/

This will improve the overall security posture of the Score's projects, and demonstrate container security best practices for other CNCF projects too.

Here is the checklist that we need to do:

• Create a dedicated Docker Hub Account and Organization
  • https://hub.docker.com/u/scorespec
• Submit a CNCF's Service Desk ticket to apply to this DSOS program
• Get the approval from CNCF and Docker Inc. as a Sponsored OSS Organization.
• Start by manually push an existing score-compose container image: ghcr.io/score-spec/score-compose:0.29.9
  • https://hub.docker.com/layers/scorespec/score-compose/0.29.9/
  • docker buildx imagetools create ghcr.io/score-spec/score-compose:0.29.9 --tag scorespec/score-compose:0.29.9
  • docker scout repo enable scorespec/score-compose --org scorespec
• For any Release, attach the SBOM attestation to the container image
  • 💡 Add provenance and SBOM options to release workflow #373
• For any PR, scan and compare the container image with Docker Scout
  • Enhance CI workflow with Docker Scout #377
• Improvements and learnings from here:
  • 💡 chore(deps): bump golang from 1.25.4-alpine to 1.25.5-alpine in the ci group #378
  • 💡 go 1.25.5 #380
  • 💡 go 1.25.5 score-go#148
  • 💡 Update base image in Dockerfile to nonroot version #385
  • 💡 Update base images in Dockerfile with dhi.io #391
• For any Release, push the score-compose container image to Docker Hub in addition to the GitHub Container Registry.
  • Add Docker Hub push to release workflow #386
  • Since https://github.com/score-spec/score-compose/releases/tag/0.29.11 now released there: https://hub.docker.com/r/scorespec/score-compose in addition to the existing GHCR.
  • cosign sign scorespec/score-compose #398
• Check from here to see the values and outcomes, and see from there what we want to do
  • Secure by default and by design with dhi.io images
  • Continuous security scanning with Docker Scout
  • Visibility and trust from Docker Hub as OSS Sponsored project
• Rinse and repeat for score-radius
  • release: Push to Docker Hub score-radius#22
  • docker scout repo enable scorespec/score-radius --org scorespec
  • Enhance CI workflow with Docker Scout score-radius#26
  • Move to dhi.io base images score-radius#28
  • docker/github-builder score-radius#36
• Rinse and repeat for score-k8s
  • release: Push to Docker Hub score-k8s#242
  • docker scout repo enable scorespec/score-k8s --org scorespec
  • Enhance CI workflow with Docker Scout score-k8s#249
• Write a blog post to share our learnings to the broader community

[astromechza]

@mathieu-benoit what exactly do we get out of this here?

Just security scans on our docker images? Which are already minimal?

Where do the security scans go? Do we get alerts?

Who has access to the docker hub account?

[mathieu-benoit]

@astromechza, yes exactly, all the Score Maintainers will be added (if they want) to the Docker Hub Organization to have access to everything.

Full disclaimer: even if I'm now a Docker employee, this is an activity that I wanted to do anyway as CNCF Project Maintainer, program announced on September 2025.

The goal is to see in actions the values that we can benefit, and see from there if we continue or not with it. During the Maintainer Summit NA 2025 in Atlanta, it was discussed how CNCF projects could collaborate more, share best practices, be more secure by design and by default. Score is taking this activity as an opportunity to collaborate more with other CNCF projects with this too.

With that being said, while we are already pretty much secure (final base image as distroless), we have already learned a few things to be even more secure:

• It's not only about the container image, it's also, and most importantly for us, about the Golang packages and versions used and released into our binaries. This will scan the container image to detect CVEs related to Go dependencies. That's where the win is for us.
• We were not generating full SBOM transparency, that's now the case: Add provenance and SBOM options to release workflow #373
• We still had a High CVE not reported anywhere, that's now fixed: chore(deps): bump golang from 1.25.4-alpine to 1.25.5-alpine in the ci group #378
• We don't have any report and comparison when someone contribute via a PR, we now have a report by PR: Enhance CI workflow with Docker Scout #377
• As Maintainers, we also have access to the Security policies to apply even more security best practices in our projects. Something to learn more about here.

I'll demo some of these findings during our next community meeting happening later today.

[mathieu-benoit]

Sharing updates as progress has already been made, with https://github.com/score-spec/score-compose/releases/tag/0.29.10, running this:

docker buildx imagetools create ghcr.io/score-spec/score-compose:0.29.10 --tag scorespec/score-compose:0.29.10

Already seeing great insights:

By command line too:

docker scout compare --ignore-unchanged --to scorespec/score-compose:0.29.9 scorespec/score-compose:0.29.10 --org scorespec

    ✓ SBOM of image already cached, 53 packages indexed
    ✓ SBOM of image already cached, 53 packages indexed
    ✓ Pulled
    ✓ Policy evaluation results found
    ✓ Policy evaluation completed


  ## Overview

                      │               Analyzed Image                │         Comparison Image
  ────────────────────┼─────────────────────────────────────────────┼───────────────────────────────────
    Target            │  scorespec/score-compose:0.29.10            │  scorespec/score-compose:0.29.9
      digest          │  6f8ba4ac60e1                               │  ca6ee0fb78a3
      tag             │  0.29.10                                    │  0.29.9
      platform        │ linux/amd64                                 │ linux/amd64
      provenance      │ https://github.com/score-spec/score-compose │
                      │  6f8022aaeb467e47940a5ea64489f7861acaf738   │
      vulnerabilities │    0C     0H     0M     0L                  │    0C     1H     1M     0L
                      │           -1     -1                         │
      size            │ 6.3 MB (-622 kB)                            │ 6.9 MB
      packages        │ 53                                          │ 53
                      │                                             │


  ## Environment Variables


      PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
      SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt



  ## Policies


  2 improved, 0 worsened

    Policy                                       Analyzed  Comparison  Change

    Default non-root user                        !         !                   No Change
    No AGPL v3 licenses                          ✓         ✓                   No Change
    No fixable critical or high vulnerabilities  ✓         ! 1         -1      Improved
    No high-profile vulnerabilities              ✓         ✓                   No Change
    No outdated base images                      ✓         ? No data
    No unapproved base images                    ✓         ? No data
    Supply chain attestations                    ✓         ! 2         -2      Improved

      View policy details → docker scout policy scorespec/score-compose:0.29.10


  ## Packages and Vulnerabilities


    +    1 packages added
    -    1 packages removed
    ⎌    9 packages changed (↑ 9 upgraded, ↓ 0 downgraded)
        42 packages unchanged


    - 2 vulnerabilities removed


     Package                                Type    Version     Compared Version

  ↑  github.com/clipperhouse/displaywidth   golang  0.6.1       0.3.1
  ↑  github.com/clipperhouse/uax29/v2       golang  2.3.0       2.2.0
  ↑  github.com/compose-spec/compose-go/v2  golang  2.10.0      2.9.1
  ↑  github.com/olekukonko/ll               golang  0.1.3       0.1.2
  ↑  github.com/olekukonko/tablewriter      golang  1.1.2       1.1.1
  ↑  github.com/score-spec/score-compose    golang  0.29.10     0.29.9
  ↑  github.com/score-spec/score-go         golang  1.11.6      1.11.5
  ↑  github.com/spf13/cobra                 golang  1.10.2      1.10.1
  -  go.yaml.in/yaml/v3                     golang              3.0.4
  +  go.yaml.in/yaml/v4                     golang  4.0.0-rc.3
  ↑  stdlib                                 golang  1.25.5      1.25.4
     │   +  Dockerfile (23:23)
     │   +  COPY --from=builder /usr/local/bin/score-compose /usr/local/bin/score-compose
     │
     ├─  -  HIGH         CVE-2025-61729  [https://scout.docker.com/v/CVE-2025-61729]
     │                   7.5
     └─  -  MEDIUM       CVE-2025-61727  [https://scout.docker.com/v/CVE-2025-61727]
                         6.5

[mathieu-benoit]

Great progress!

Comparing the before and after between 0.29.9 and 0.29.11:

docker scout compare --ignore-unchanged \
  --to scorespec/score-compose:0.29.9 \
  scorespec/score-compose:0.29.11 \
  --org scorespec

    ✓ SBOM of image already cached, 54 packages indexed
    ✓ SBOM of image already cached, 53 packages indexed
    ✓ Pulled
    ✓ Policy evaluation results found
    ✓ Pulled
    ✓ Policy evaluation results found


  ## Overview

                      │               Analyzed Image                │              Comparison Image
  ────────────────────┼─────────────────────────────────────────────┼──────────────────────────────────────────────
    Target            │  scorespec/score-compose:0.29.11            │  scorespec/score-compose:0.29.9
      digest          │  fbc2f4235f04                               │  fc8c0b89928a
      tag             │  0.29.11                                    │  0.29.9
      platform        │ linux/amd64                                 │ linux/amd64
      provenance      │ https://github.com/score-spec/score-compose │ https://github.com/score-spec/score-compose
                      │  c25233782cb27001aa23c9635279788e20f98f98   │  97533ab7abc68ab64f29d81cfbb44c0807570c23
      vulnerabilities │    0C     0H     0M     0L                  │    0C     1H     1M     0L
                      │           -1     -1                         │
      size            │ 6.3 MB (+66 kB)                             │ 6.3 MB
      packages        │ 54 (+1)                                     │ 53
                      │                                             │


  ## Environment Variables


      PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
      SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt



  ## Policies


  2 improved, 0 worsened

    Policy                                       Analyzed  Comparison  Change

    Default non-root user                        ✓         !           -1      Improved
    No AGPL v3 licenses                          ✓         ✓                   No Change
    No fixable critical or high vulnerabilities  ✓         ! 1         -1      Improved
    No high-profile vulnerabilities              ✓         ✓                   No Change
    No outdated base images                      ✓         ✓                   No Change
    No unapproved base images                    ✓         ✓                   No Change
    Supply chain attestations                    ✓         ✓                   No Change

      View policy details → docker scout policy scorespec/score-compose:0.29.11


  ## Packages and Vulnerabilities


    +    2 packages added
    -    1 packages removed
    ⎌   11 packages changed (↑ 11 upgraded, ↓ 0 downgraded)
        40 packages unchanged


    - 2 vulnerabilities removed


     Package                                Type    Version          Compared Version

  ↑  base-files                             deb     12.4+deb12u12    12.4+deb12u8
  ↑  github.com/clipperhouse/displaywidth   golang  0.6.1            0.3.1
  ↑  github.com/clipperhouse/uax29/v2       golang  2.3.0            2.2.0
  ↑  github.com/compose-spec/compose-go/v2  golang  2.10.0           2.9.1
  ↑  github.com/olekukonko/ll               golang  0.1.3            0.1.2
  ↑  github.com/olekukonko/tablewriter      golang  1.1.2            1.1.1
  ↑  github.com/score-spec/score-compose    golang  0.29.11          0.29.9
  ↑  github.com/score-spec/score-go         golang  1.11.6           1.11.5
  ↑  github.com/spf13/cobra                 golang  1.10.2           1.10.1
  -  go.yaml.in/yaml/v3                     golang                   3.0.4
  +  go.yaml.in/yaml/v4                     golang  4.0.0-rc.3
  +  media-types                            deb     10.0.0
  ↑  stdlib                                 golang  1.25.5           1.25.4
     │   +  Dockerfile (23:23)
     │   +  COPY --from=builder /usr/local/bin/score-compose /usr/local/bin/score-compose
     │   -  Dockerfile (23:23)
     │   -  COPY --from=builder /usr/local/bin/score-compose /usr/local/bin/score-compose
     │
     ├─  -  HIGH         CVE-2025-61729  [https://scout.docker.com/v/CVE-2025-61729]
     │                   7.5
     └─  -  MEDIUM       CVE-2025-61727  [https://scout.docker.com/v/CVE-2025-61727]
                         6.5

  ↑  tzdata                                 deb     2025b-0+deb12u2  2024b-0+deb12u1