docker · rcjsuen · May 13, 2025 · May 13, 2025
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,6 +6,11 @@ All notable changes to the Docker Language Server will be documented in this fil
 
 ### Added
 
+- Dockerfile
+  - textDocument/hover
+    - support configuring vulnerability hovers with an experimental setting ([#192](https://github.com/docker/docker-language-server/issues/192))
+  - textDocument/publishDiagnostics
+    - support filtering vulnerability diagnostics with an experimental setting ([#192](https://github.com/docker/docker-language-server/issues/192))
 - Compose
   - textDocument/completion
     - support build stage names for the `target` attribute ([#173](https://github.com/docker/docker-language-server/issues/173))
@@ -16,6 +21,9 @@ All notable changes to the Docker Language Server will be documented in this fil
     - support navigating to a dependency that is defined in another file ([#190](https://github.com/docker/docker-language-server/issues/190))
   - textDocument/hover
     - render a referenced service's YAML content as a hover ([#157](https://github.com/docker/docker-language-server/issues/157))
+- Bake
+  - textDocument/publishDiagnostics
+    - support filtering vulnerability diagnostics with an experimental setting ([#192](https://github.com/docker/docker-language-server/issues/192))
 
 ### Fixed
 

diff --git a/e2e-tests/hover_test.go b/e2e-tests/hover_test.go
@@ -19,7 +19,20 @@ func HandleConfiguration(t *testing.T, conn *jsonrpc2.Conn, request *jsonrpc2.Re
 	require.NoError(t, err)
 	configurations := []configuration.Configuration{}
 	for range configurationParams.Items {
-		configurations = append(configurations, configuration.Configuration{Experimental: configuration.Experimental{VulnerabilityScanning: scanning}})
+		configurations = append(
+			configurations,
+			configuration.Configuration{
+				Experimental: configuration.Experimental{
+					VulnerabilityScanning: scanning,
+					Scout: configuration.Scout{
+						CriticalHighVulnerabilities: true,
+						NotPinnedDigest:             true,
+						RecommendedTag:              true,
+						Vulnerabilites:              true,
+					},
+				},
+			},
+		)
 	}
 	require.NoError(t, conn.Reply(context.Background(), request.ID, configurations))
 }

diff --git a/internal/bake/hcl/diagnosticsCollector.go b/internal/bake/hcl/diagnosticsCollector.go
@@ -147,7 +147,7 @@ func (c *BakeHCLDiagnosticsCollector) CollectDiagnostics(source, workspaceFolder
 							if templateExpr.IsStringLiteral() {
 								value, _ := templateExpr.Value(&hcl.EvalContext{})
 								target := value.AsString()
-								imageDiagnostics, err := c.scout.Analyze(target)
+								imageDiagnostics, err := c.scout.Analyze(protocol.DocumentUri(doc.URI()), target)
 								if err == nil {
 									for _, diagnostic := range imageDiagnostics {
 										if diagnostic.Kind == "critical_high_vulnerabilities" || diagnostic.Kind == "vulnerabilities" {

diff --git a/internal/configuration/configuration.go b/internal/configuration/configuration.go
@@ -26,6 +26,15 @@ type Configuration struct {
 type Experimental struct {
 	// docker.lsp.experimental.vulnerabilityScanning
 	VulnerabilityScanning bool `json:"vulnerabilityScanning"`
+	// docker.lsp.experimental.scout
+	Scout Scout `json:"scout"`
+}
+
+type Scout struct {
+	CriticalHighVulnerabilities bool `json:"criticalHighVulnerabilities"`
+	NotPinnedDigest             bool `json:"notPinnedDigest"`
+	RecommendedTag              bool `json:"recommendedTag"`
+	Vulnerabilites              bool `json:"vulnerabilites"`
 }
 
 var configurations = make(map[protocol.DocumentUri]Configuration)
@@ -34,6 +43,12 @@ var defaultConfiguration = Configuration{
 	Telemetry: TelemetrySettingAll,
 	Experimental: Experimental{
 		VulnerabilityScanning: true,
+		Scout: Scout{
+			CriticalHighVulnerabilities: true,
+			NotPinnedDigest:             true,
+			RecommendedTag:              true,
+			Vulnerabilites:              true,
+		},
 	},
 }
 

diff --git a/internal/pkg/server/hover.go b/internal/pkg/server/hover.go
@@ -29,7 +29,7 @@ func (s *Server) TextDocumentHover(ctx *glsp.Context, params *protocol.HoverPara
 	if ok {
 		instruction := dockerfileDocument.Instruction(params.Position)
 		if instruction != nil && strings.EqualFold(instruction.Value, "FROM") && instruction.Next != nil {
-			return s.scoutService.Hover(ctx.Context, instruction.Next.Value)
+			return s.scoutService.Hover(ctx.Context, params.TextDocument.URI, instruction.Next.Value)
 		}
 		return nil, nil
 	}

diff --git a/internal/scout/service.go b/internal/scout/service.go
@@ -14,8 +14,8 @@ import (
 
 type Service interface {
 	textdocument.DiagnosticsCollector
-	Analyze(image string) ([]Diagnostic, error)
-	Hover(ctx context.Context, image string) (*protocol.Hover, error)
+	Analyze(documentURI protocol.DocumentUri, image string) ([]Diagnostic, error)
+	Hover(ctx context.Context, documentURI protocol.DocumentUri, image string) (*protocol.Hover, error)
 }
 
 type ServiceImpl struct {
@@ -29,11 +29,21 @@ func NewService() Service {
 	}
 }
 
-func (s *ServiceImpl) Hover(ctx context.Context, image string) (*protocol.Hover, error) {
+func (s *ServiceImpl) Hover(ctx context.Context, documentURI protocol.DocumentUri, image string) (*protocol.Hover, error) {
+	config := configuration.Get(documentURI)
 	resp, err := s.manager.Get(&ScoutImageKey{Image: image})
 	if err == nil {
 		hovers := []string{}
 		for _, info := range resp.Infos {
+			if !config.Experimental.Scout.CriticalHighVulnerabilities && info.Kind == "critical_high_vulnerabilities" {
+				continue
+			}
+			if !config.Experimental.Scout.RecommendedTag && info.Kind == "recommended_tag" {
+				continue
+			}
+			if !config.Experimental.Scout.Vulnerabilites && info.Kind == "vulnerabilities" {
+				continue
+			}
 			hovers = append(hovers, info.Description.Markdown)
 		}
 
@@ -49,12 +59,34 @@ func (s *ServiceImpl) Hover(ctx context.Context, image string) (*protocol.Hover,
 	return nil, err
 }
 
-func (s *ServiceImpl) Analyze(image string) ([]Diagnostic, error) {
+func (s *ServiceImpl) Analyze(documentURI protocol.DocumentUri, image string) ([]Diagnostic, error) {
+	config := configuration.Get(documentURI)
+	if !config.Experimental.VulnerabilityScanning {
+		return nil, nil
+	}
+
 	resp, err := s.manager.Get(&ScoutImageKey{Image: image})
 	if err != nil {
 		return nil, err
 	}
-	return resp.Diagnostics, nil
+
+	diagnostics := make([]Diagnostic, len(resp.Diagnostics))
+	for _, diagnostic := range resp.Diagnostics {
+		if !config.Experimental.Scout.CriticalHighVulnerabilities && diagnostic.Kind == "critical_high_vulnerabilities" {
+			continue
+		}
+		if !config.Experimental.Scout.NotPinnedDigest && diagnostic.Kind == "not_pinned_digest" {
+			continue
+		}
+		if !config.Experimental.Scout.RecommendedTag && diagnostic.Kind == "recommended_tag" {
+			continue
+		}
+		if !config.Experimental.Scout.Vulnerabilites && diagnostic.Kind == "vulnerabilities" {
+			continue
+		}
+		diagnostics = append(diagnostics, diagnostic)
+	}
+	return diagnostics, nil
 }
 
 func (s *ServiceImpl) CalculateDiagnostics(ctx context.Context, source string, doc document.Document) ([]protocol.Diagnostic, error) {
@@ -80,6 +112,19 @@ func (s *ServiceImpl) CalculateDiagnostics(ctx context.Context, source string, d
 				}
 
 				for _, diagnostic := range resp.Diagnostics {
+					if !config.Experimental.Scout.CriticalHighVulnerabilities && diagnostic.Kind == "critical_high_vulnerabilities" {
+						continue
+					}
+					if !config.Experimental.Scout.NotPinnedDigest && diagnostic.Kind == "not_pinned_digest" {
+						continue
+					}
+					if !config.Experimental.Scout.RecommendedTag && diagnostic.Kind == "recommended_tag" {
+						continue
+					}
+					if !config.Experimental.Scout.Vulnerabilites && diagnostic.Kind == "vulnerabilities" {
+						continue
+					}
+
 					namedEdits := []types.NamedEdit{}
 					for _, edit := range resp.Edits {
 						if diagnostic.Kind == edit.Diagnostic {