Merge pull request #20792 from dvdksn/scout-org-policy-scores

scout: scores now based on org policy config

Author: dvdksn

content/manuals/scout/policy/scores.md

@@ -51,18 +51,32 @@ along with each policy that contributed to the score.
 
 ## Scoring system
 
-Health scores are determined by evaluating images against a set of Docker Scout
+Health scores are determined by evaluating images against Docker Scout
 [policies](./_index.md). These policies align with best practices for
 the software supply chain and are recommended by Docker as foundational
-standards for images.
+standards for images. Some examples of these policies include:
+
+- **Supply chain attestations**: Images should have supply chain attestations.
+- **No outdated base images**: Images should not use outdated base images.
+- **No AGPL v3 licenses**: Images should not contain AGPL v3-licensed packages.
+
+If your image repositories are already enrolled with Docker Scout, the health
+score is calculated automatically based on the policies that are enabled for
+your organization. This also includes any custom policies that you have
+configured.
+
+If you're not using Docker Scout, the health scores show the compliance of your
+images with the default, [out-of-the-box policies](/manuals/scout/policy/_index.md#out-of-the-box-policies).
+You can enable Docker Scout for your organization to get a more relevant health
+score based on your specific policies.
+
+### Scoring process
 
 Each policy is assigned a points value. If the image is compliant with a
 policy, it is awarded the points value for that policy. The health score of an
 image is calculated based on the percentage of points achieved relative to the
 total possible points.
 
-### Scoring process
-
 1. Policy compliance is evaluated for the image.
 2. Points are awarded based on adherence to these policies.
 3. The points achieved percentage is calculated:
@@ -102,15 +116,18 @@ If you see an `N/A` score, consider the following:
 
 The policies that influence the score, and their respective weights, are as follows:
 
-| Policy                                                                                                     | Points |
-| ---------------------------------------------------------------------------------------------------------- | ------ |
-| [No fixable critical or high vulnerabilities](/scout/policy#no-fixable-critical-or-high-vulnerabilities)   | 20     |
-| [No high-profile vulnerabilities](/scout/policy#no-high-profile-vulnerabilities)                           | 20     |
-| [Supply chain attestations](/scout/policy#supply-chain-attestations)                                       | 15     |
-| [No unapproved base images](/scout/policy/#no-unapproved-base-images)                                      | 15     |
-| [No outdated base images](/scout/policy#no-outdated-base-images)                                           | 10     |
-| [Default non-root user](/scout/policy#default-non-root-user)                                               | 5      |
-| [No AGPL v3 licenses](/manuals/scout/policy/_index.md#no-agpl-v3-licenses)                                         | 5      |
+| Policy                                                                                                                     | Points |
+| -------------------------------------------------------------------------------------------------------------------------- | ------ |
+| [No fixable critical or high vulnerabilities](/manuals/scout/policy/_index.md#no-fixable-critical-or-high-vulnerabilities) | 20     |
+| [No high-profile vulnerabilities](/manuals/scout/policy/_index.md#no-high-profile-vulnerabilities)                         | 20     |
+| [Supply chain attestations](/manuals/scout/policy/_index.md#supply-chain-attestations)                                     | 15     |
+| [No unapproved base images](/manuals/scout/policy/_index.md#no-unapproved-base-images)                                     | 15     |
+| [No outdated base images](/manuals/scout/policy/_index.md#no-outdated-base-images)                                         | 10     |
+| [SonarQube quality gates passed](/manuals/scout/policy/_index.md#sonarqube-quality-gates-passed) \*                        | 10     |
+| [Default non-root user](/manuals/scout/policy/_index.md#default-non-root-user)                                             | 5      |
+| [No AGPL v3 licenses](/manuals/scout/policy/_index.md#no-agpl-v3-licenses)                                                 | 5      |
+
+\* _This policy is not enabled by default and must be configured by the user._
 
 ### Evaluation
 

content/manuals/scout/release-notes/platform.md

@@ -20,6 +20,19 @@ for what's coming next.
 
 New features and enhancements released in the third quarter of 2024.
 
+### 2024-09-05
+
+This release changes how [health scores](/manuals/scout/policy/scores.md) are
+calculated in Docker Scout. The health score calculation now considers optional
+and custom policies that you have configured for your organization.
+
+This means that if you have enabled, disabled, or customized any of the default
+policies, Docker Scout will now take those policies into account when
+calculating the health score for your organization's images.
+
+If you haven't yet enabled Docker Scout for your organization, the health score
+calculation will be based on the out-of-the-box policies.
+
 ### 2024-08-13
 
 This release changes the out-of-the-box policies to align with the policy