Docker Scout: Find and Fix Image Vulnerabilities
Learn how to use Docker Scout to scan container images for CVEs, analyze software dependencies, and get actionable remediation advice directly from the CLI.
What you'll learn
- ✓How Docker Scout analyzes image vulnerabilities
- ✓Running vulnerability scans from the CLI and CI/CD
- ✓Understanding SBOM and CVE remediation recommendations
- ✓Integrating Scout into your development workflow
Prerequisites
- •Docker Desktop 4.17+ or Docker Scout CLI plugin
- •Familiarity with Docker images and Dockerfiles
Every container image you build inherits vulnerabilities from its base image, system packages, and application dependencies. Docker Scout is Docker’s built-in supply chain security tool that analyzes your images, generates a Software Bill of Materials (SBOM), and maps every component against known vulnerability databases. Unlike external scanners you have to install and configure separately, Scout is integrated directly into Docker Desktop and the CLI.
What Docker Scout Does
Docker Scout works by creating an SBOM for your image, which is a complete inventory of every package, library, and dependency inside the image. It then cross-references this inventory against multiple vulnerability databases including the National Vulnerability Database (NVD), GitHub Advisory Database, and vendor-specific feeds.
The key difference from tools like Trivy or Snyk is that Scout provides remediation recommendations, not just vulnerability lists. It tells you exactly which base image version or package upgrade will fix the most CVEs with the least effort.
Installing and Enabling Docker Scout
If you are running Docker Desktop 4.17 or later, Scout is already available. Verify with:
docker scout version
For Docker Engine without Desktop, install the CLI plugin:
curl -fsSL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh
You need to log in to Docker Hub to use Scout’s full features:
docker login
Your First Vulnerability Scan
Scan any image, local or remote:
# Scan a local image
docker scout cves my-app:latest
# Scan a remote image from Docker Hub
docker scout cves nginx:1.25
# Scan with a specific output format
docker scout cves my-app:latest --format markdown
The output categorizes vulnerabilities by severity:
✗ HIGH CVE-2024-6197 curl 8.6.0-3
Fixed in: 8.6.0-4
https://scout.docker.com/v/CVE-2024-6197
✗ MEDIUM CVE-2024-2961 glibc 2.36-9+deb12u4
Fixed in: 2.36-9+deb12u7
https://scout.docker.com/v/CVE-2024-2961
✗ LOW CVE-2023-52425 expat 2.5.0-1
Fixed in: 2.5.0-1+deb12u1
Each entry shows the CVE identifier, the affected package and version, and the version that contains the fix.
Understanding the SBOM
Generate a full Software Bill of Materials:
docker scout sbom my-app:latest
For a machine-readable format compatible with standard SBOM tools:
docker scout sbom --format spdx my-app:latest > sbom.spdx.json
docker scout sbom --format cyclonedx my-app:latest > sbom.cdx.json
The SBOM lists every component in your image:
{
"name": "my-app",
"packages": [
{
"name": "express",
"version": "4.18.2",
"type": "npm"
},
{
"name": "openssl",
"version": "3.0.13",
"type": "deb"
}
]
}
This is valuable for compliance, auditing, and understanding exactly what ships in your production containers.
Getting Remediation Recommendations
The most powerful Scout feature is docker scout recommendations:
docker scout recommendations my-app:latest
This analyzes your image and suggests concrete actions:
Recommended fixes for image my-app:latest
Base image is node:20.11.0-bookworm-slim
✓ Update to node:20.15.0-bookworm-slim
- Fixes 12 vulnerabilities (3 high, 5 medium, 4 low)
- No breaking changes expected
○ Switch to node:20.15.0-alpine3.20
- Fixes 18 vulnerabilities (5 high, 7 medium, 6 low)
- Smaller image size (from 250MB to 180MB)
- May require additional Alpine packages
Scout ranks recommendations by impact, showing you which single change eliminates the most vulnerabilities.
Comparing Images
Compare vulnerability profiles between two versions of an image:
# Compare two tags
docker scout compare my-app:v2.0 --to my-app:v1.0
# Compare against a base image
docker scout compare my-app:latest --to node:20-alpine
The comparison output highlights new vulnerabilities introduced, vulnerabilities fixed, and unchanged issues:
Comparison: my-app:v2.0 vs my-app:v1.0
New vulnerabilities: 2 (0 critical, 1 high, 1 medium)
Fixed vulnerabilities: 8 (1 critical, 3 high, 4 medium)
Unchanged: 15
Image size: 245MB → 198MB (-19%)
This is extremely useful in pull request workflows to ensure new builds do not regress on security.
Scanning in CI/CD Pipelines
GitHub Actions
name: Docker Scout Scan
on:
pull_request:
branches: [main]
jobs:
scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Build image
run: docker build -t my-app:${{ github.sha }} .
- name: Docker Scout Login
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Scan for vulnerabilities
uses: docker/scout-action@v1
with:
command: cves
image: my-app:${{ github.sha }}
only-severities: critical,high
exit-code: true # Fail the build on critical/high CVEs
- name: Compare with main
uses: docker/scout-action@v1
with:
command: compare
image: my-app:${{ github.sha }}
to: my-app:main
only-severities: critical,high
GitLab CI
scout-scan:
stage: security
image: docker:latest
services:
- docker:dind
variables:
DOCKER_TLS_CERTDIR: ""
script:
- docker login -u "$DOCKER_USER" -p "$DOCKER_PASS"
- docker build -t my-app:$CI_COMMIT_SHA .
- docker scout cves my-app:$CI_COMMIT_SHA --only-severity critical,high --exit-code
allow_failure: false
Setting Up Policy Evaluation
Docker Scout supports policy-based evaluation to enforce security standards across your organization:
# Evaluate against default policies
docker scout policy my-app:latest
Policies check conditions like:
- No critical vulnerabilities in the final image
- Base image is not end-of-life
- No high-severity vulnerabilities with available fixes
- SBOM contains no copyleft-licensed packages
The output shows pass/fail status for each policy:
Policy evaluation for my-app:latest
✓ No critical vulnerabilities with fixes
✗ Base image is up to date
Current: node:20.11.0 Latest: node:20.15.0
✓ No high-severity CVEs older than 30 days
✓ Supply chain attestation present
Filtering and Targeting Scans
Focus scans on what matters to your use case:
# Only show critical and high severity
docker scout cves my-app:latest --only-severity critical,high
# Filter by package type
docker scout cves my-app:latest --only-package-type npm
# Filter by fixable vulnerabilities only
docker scout cves my-app:latest --only-fixed
# Ignore specific CVEs (false positives or accepted risks)
docker scout cves my-app:latest --ignore-cve CVE-2024-1234,CVE-2024-5678
Reducing Vulnerabilities in Practice
Beyond scanning, here are practical patterns to minimize vulnerabilities found by Scout.
Use Minimal Base Images
# Instead of this (hundreds of CVEs from unused packages)
FROM node:20
# Use this (far fewer system packages)
FROM node:20-alpine
# Or this for the smallest surface
FROM gcr.io/distroless/nodejs20-debian12
Pin and Update Base Images Regularly
# Pin to a specific digest for reproducibility
FROM node:20.15.0-alpine3.20@sha256:abcdef123456...
# But update the pin regularly via automated PRs
Multi-Stage Builds to Exclude Build Tools
FROM node:20-alpine AS build
WORKDIR /app
COPY package*.json ./
RUN npm ci
COPY . .
RUN npm run build
FROM node:20-alpine AS production
WORKDIR /app
COPY --from=build /app/dist ./dist
COPY --from=build /app/node_modules ./node_modules
COPY package.json .
USER node
EXPOSE 3000
CMD ["node", "dist/index.js"]
Build tools, compilers, and dev dependencies stay in the build stage and never appear in the final image that Scout scans.
Keep Dependencies Updated
# Check for outdated npm packages
npm outdated
# Update within semver ranges
npm update
# Rebuild and scan
docker build -t my-app:latest .
docker scout cves my-app:latest
Docker Scout vs Other Scanners
Docker Scout is not the only option. Here is how it compares:
| Feature | Docker Scout | Trivy | Snyk |
|---|---|---|---|
| Integration | Built into Docker CLI | Standalone binary | CLI + SaaS |
| SBOM generation | Yes (SPDX, CycloneDX) | Yes | Yes |
| Remediation advice | Yes (base image + packages) | Limited | Yes |
| Policy evaluation | Yes | OPA-based | Yes |
| Cost | Free tier + paid plans | Free (open source) | Free tier + paid |
| CI/CD integration | GitHub Actions, GitLab | All major CI systems | All major CI systems |
Scout’s advantage is zero-friction integration. If you already use Docker, there is nothing extra to install or configure. Its remediation recommendations are also more actionable than raw CVE lists.
Wrapping Up
Docker Scout turns vulnerability scanning from a chore into a natural part of your build process. Scan images with docker scout cves, get fix recommendations with docker scout recommendations, and compare builds with docker scout compare. Integrate it into CI/CD to catch regressions before they reach production. The combination of SBOM generation, actionable remediation advice, and policy evaluation makes Scout a practical default for container security that works without leaving the Docker ecosystem.
Related articles
- Docker Docker Security Scanning with Trivy
Use Trivy to find vulnerabilities in Docker images, Dockerfiles, and IaC before they reach production. Includes CI pipeline integration examples.
- Docker Docker tmpfs Mounts and In-Memory Storage
Use Docker tmpfs mounts to store sensitive or ephemeral data in memory, keeping it off disk and out of container layers entirely.
- Docker Docker Security Best Practices for Production
Harden Docker images and runtimes: non-root users, minimal bases, secret handling, capability drops, and image signing - without making developers miserable.
- Docker Docker vs Podman: Which Container Runtime to Use
Compare Docker and Podman on architecture, security, compatibility, and developer experience. Learn which container runtime fits your workflow in 2026.