Skip to content
Codeloom
Docker

Docker Scout: Find and Fix Image Vulnerabilities

Learn how to use Docker Scout to scan container images for CVEs, analyze software dependencies, and get actionable remediation advice directly from the CLI.

·7 min read · By Codeloom
Intermediate 14 min read

What you'll learn

  • How Docker Scout analyzes image vulnerabilities
  • Running vulnerability scans from the CLI and CI/CD
  • Understanding SBOM and CVE remediation recommendations
  • Integrating Scout into your development workflow

Prerequisites

  • Docker Desktop 4.17+ or Docker Scout CLI plugin
  • Familiarity with Docker images and Dockerfiles

Every container image you build inherits vulnerabilities from its base image, system packages, and application dependencies. Docker Scout is Docker’s built-in supply chain security tool that analyzes your images, generates a Software Bill of Materials (SBOM), and maps every component against known vulnerability databases. Unlike external scanners you have to install and configure separately, Scout is integrated directly into Docker Desktop and the CLI.

What Docker Scout Does

Docker Scout works by creating an SBOM for your image, which is a complete inventory of every package, library, and dependency inside the image. It then cross-references this inventory against multiple vulnerability databases including the National Vulnerability Database (NVD), GitHub Advisory Database, and vendor-specific feeds.

The key difference from tools like Trivy or Snyk is that Scout provides remediation recommendations, not just vulnerability lists. It tells you exactly which base image version or package upgrade will fix the most CVEs with the least effort.

Installing and Enabling Docker Scout

If you are running Docker Desktop 4.17 or later, Scout is already available. Verify with:

docker scout version

For Docker Engine without Desktop, install the CLI plugin:

curl -fsSL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh

You need to log in to Docker Hub to use Scout’s full features:

docker login

Your First Vulnerability Scan

Scan any image, local or remote:

# Scan a local image
docker scout cves my-app:latest

# Scan a remote image from Docker Hub
docker scout cves nginx:1.25

# Scan with a specific output format
docker scout cves my-app:latest --format markdown

The output categorizes vulnerabilities by severity:

    ✗ HIGH     CVE-2024-6197  curl 8.6.0-3
      Fixed in: 8.6.0-4
      https://scout.docker.com/v/CVE-2024-6197

    ✗ MEDIUM   CVE-2024-2961  glibc 2.36-9+deb12u4
      Fixed in: 2.36-9+deb12u7
      https://scout.docker.com/v/CVE-2024-2961

    ✗ LOW      CVE-2023-52425 expat 2.5.0-1
      Fixed in: 2.5.0-1+deb12u1

Each entry shows the CVE identifier, the affected package and version, and the version that contains the fix.

Understanding the SBOM

Generate a full Software Bill of Materials:

docker scout sbom my-app:latest

For a machine-readable format compatible with standard SBOM tools:

docker scout sbom --format spdx my-app:latest > sbom.spdx.json
docker scout sbom --format cyclonedx my-app:latest > sbom.cdx.json

The SBOM lists every component in your image:

{
  "name": "my-app",
  "packages": [
    {
      "name": "express",
      "version": "4.18.2",
      "type": "npm"
    },
    {
      "name": "openssl",
      "version": "3.0.13",
      "type": "deb"
    }
  ]
}

This is valuable for compliance, auditing, and understanding exactly what ships in your production containers.

Getting Remediation Recommendations

The most powerful Scout feature is docker scout recommendations:

docker scout recommendations my-app:latest

This analyzes your image and suggests concrete actions:

Recommended fixes for image my-app:latest

  Base image is node:20.11.0-bookworm-slim
  
  ✓ Update to node:20.15.0-bookworm-slim
    - Fixes 12 vulnerabilities (3 high, 5 medium, 4 low)
    - No breaking changes expected
    
  ○ Switch to node:20.15.0-alpine3.20
    - Fixes 18 vulnerabilities (5 high, 7 medium, 6 low)
    - Smaller image size (from 250MB to 180MB)
    - May require additional Alpine packages

Scout ranks recommendations by impact, showing you which single change eliminates the most vulnerabilities.

Comparing Images

Compare vulnerability profiles between two versions of an image:

# Compare two tags
docker scout compare my-app:v2.0 --to my-app:v1.0

# Compare against a base image
docker scout compare my-app:latest --to node:20-alpine

The comparison output highlights new vulnerabilities introduced, vulnerabilities fixed, and unchanged issues:

  Comparison: my-app:v2.0 vs my-app:v1.0

  New vulnerabilities:      2 (0 critical, 1 high, 1 medium)
  Fixed vulnerabilities:    8 (1 critical, 3 high, 4 medium)
  Unchanged:               15

  Image size: 245MB → 198MB (-19%)

This is extremely useful in pull request workflows to ensure new builds do not regress on security.

Scanning in CI/CD Pipelines

GitHub Actions

name: Docker Scout Scan

on:
  pull_request:
    branches: [main]

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Build image
        run: docker build -t my-app:${{ github.sha }} .

      - name: Docker Scout Login
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}

      - name: Scan for vulnerabilities
        uses: docker/scout-action@v1
        with:
          command: cves
          image: my-app:${{ github.sha }}
          only-severities: critical,high
          exit-code: true  # Fail the build on critical/high CVEs

      - name: Compare with main
        uses: docker/scout-action@v1
        with:
          command: compare
          image: my-app:${{ github.sha }}
          to: my-app:main
          only-severities: critical,high

GitLab CI

scout-scan:
  stage: security
  image: docker:latest
  services:
    - docker:dind
  variables:
    DOCKER_TLS_CERTDIR: ""
  script:
    - docker login -u "$DOCKER_USER" -p "$DOCKER_PASS"
    - docker build -t my-app:$CI_COMMIT_SHA .
    - docker scout cves my-app:$CI_COMMIT_SHA --only-severity critical,high --exit-code
  allow_failure: false

Setting Up Policy Evaluation

Docker Scout supports policy-based evaluation to enforce security standards across your organization:

# Evaluate against default policies
docker scout policy my-app:latest

Policies check conditions like:

  • No critical vulnerabilities in the final image
  • Base image is not end-of-life
  • No high-severity vulnerabilities with available fixes
  • SBOM contains no copyleft-licensed packages

The output shows pass/fail status for each policy:

  Policy evaluation for my-app:latest

  ✓ No critical vulnerabilities with fixes
  ✗ Base image is up to date
    Current: node:20.11.0   Latest: node:20.15.0
  ✓ No high-severity CVEs older than 30 days
  ✓ Supply chain attestation present

Filtering and Targeting Scans

Focus scans on what matters to your use case:

# Only show critical and high severity
docker scout cves my-app:latest --only-severity critical,high

# Filter by package type
docker scout cves my-app:latest --only-package-type npm

# Filter by fixable vulnerabilities only
docker scout cves my-app:latest --only-fixed

# Ignore specific CVEs (false positives or accepted risks)
docker scout cves my-app:latest --ignore-cve CVE-2024-1234,CVE-2024-5678

Reducing Vulnerabilities in Practice

Beyond scanning, here are practical patterns to minimize vulnerabilities found by Scout.

Use Minimal Base Images

# Instead of this (hundreds of CVEs from unused packages)
FROM node:20

# Use this (far fewer system packages)
FROM node:20-alpine

# Or this for the smallest surface
FROM gcr.io/distroless/nodejs20-debian12

Pin and Update Base Images Regularly

# Pin to a specific digest for reproducibility
FROM node:20.15.0-alpine3.20@sha256:abcdef123456...

# But update the pin regularly via automated PRs

Multi-Stage Builds to Exclude Build Tools

FROM node:20-alpine AS build
WORKDIR /app
COPY package*.json ./
RUN npm ci
COPY . .
RUN npm run build

FROM node:20-alpine AS production
WORKDIR /app
COPY --from=build /app/dist ./dist
COPY --from=build /app/node_modules ./node_modules
COPY package.json .
USER node
EXPOSE 3000
CMD ["node", "dist/index.js"]

Build tools, compilers, and dev dependencies stay in the build stage and never appear in the final image that Scout scans.

Keep Dependencies Updated

# Check for outdated npm packages
npm outdated

# Update within semver ranges
npm update

# Rebuild and scan
docker build -t my-app:latest .
docker scout cves my-app:latest

Docker Scout vs Other Scanners

Docker Scout is not the only option. Here is how it compares:

FeatureDocker ScoutTrivySnyk
IntegrationBuilt into Docker CLIStandalone binaryCLI + SaaS
SBOM generationYes (SPDX, CycloneDX)YesYes
Remediation adviceYes (base image + packages)LimitedYes
Policy evaluationYesOPA-basedYes
CostFree tier + paid plansFree (open source)Free tier + paid
CI/CD integrationGitHub Actions, GitLabAll major CI systemsAll major CI systems

Scout’s advantage is zero-friction integration. If you already use Docker, there is nothing extra to install or configure. Its remediation recommendations are also more actionable than raw CVE lists.

Wrapping Up

Docker Scout turns vulnerability scanning from a chore into a natural part of your build process. Scan images with docker scout cves, get fix recommendations with docker scout recommendations, and compare builds with docker scout compare. Integrate it into CI/CD to catch regressions before they reach production. The combination of SBOM generation, actionable remediation advice, and policy evaluation makes Scout a practical default for container security that works without leaving the Docker ecosystem.