# Container Security with Docker Scout

## What is Docker Scout?

Docker Scout is Docker's official container security tool, bundled with Docker Desktop 4.17 and later — no separate installation required.

It provides CVE scanning, SBOM generation, base image recommendations, and policy evaluation in one place, with native integration across the Docker ecosystem (Docker Hub, Docker Desktop, and Docker Build Cloud).
## Docker Scout vs Trivy

SBOM and Vulnerability Scanning covers container scanning with Trivy. Here is how Docker Scout and Trivy compare:

| | Docker Scout | Trivy |
|---|---|---|
| Vendor | Docker (official) | Aqua Security (OSS) |
| Installation | Bundled with Docker Desktop | Separate install |
| Integration | Docker Hub · Desktop · Build Cloud | Broad CI/CD support |
| Policy evaluation | ✅ Docker Hub–based | ❌ |
| Base image suggestions | ✅ | ❌ |
| IaC scanning | ❌ | ✅ |
| Cost | Free (limited) to paid | OSS (free) |
Guidance: Use Docker Scout when your workflow centers on Docker Hub. Use Trivy for broad CI/CD integration. Combining both is common.

## Setup

### Docker Desktop (GUI)

Docker Desktop 4.17+ includes a Docker Scout tab. Select any local image to view scan results in the UI.

### CLI verification

```bash
# Check version (bundled with Docker Desktop)
docker scout version

# Log in to Docker Hub (required for policy evaluation and remote scanning)
docker login
```

### Standalone install (CI environments)

```bash
# Linux / macOS
curl -fsSL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh

# Verify
docker scout version
```

Piping a remote script straight into `sh` executes whatever is currently published at that URL; in CI, pin the version you install and verify what you downloaded before running it.
## Core Commands

### quickview — Instant summary

Get an at-a-glance security overview of an image.

```bash
docker scout quickview myapp:latest

# Scan a Docker Hub image directly (no local build required)
docker scout quickview docker/scout-demo-service:latest
```

Sample output:

```text
Your image   myapp:latest
Base image   mcr.microsoft.com/dotnet/aspnet:8.0-alpine

Vulnerabilities
  0C 0H 2M 5L   myapp:latest
  0C 0H 1M 4L   mcr.microsoft.com/dotnet/aspnet:8.0-alpine

Policy status  FAILED (2/5 policies met)
```
### cves — Detailed CVE listing

```bash
# List all CVEs
docker scout cves myapp:latest

# Filter to CRITICAL and HIGH only
docker scout cves --only-severity critical,high myapp:latest

# Filter by package name
docker scout cves --only-package openssl myapp:latest

# JSON output (for CI/CD integration)
docker scout cves --format json --output cves.json myapp:latest

# SARIF output (for GitHub Security tab)
docker scout cves --format sarif --output cves.sarif myapp:latest
```

Sample output (excerpt):

```text
✗ HIGH CVE-2024-2511
  openssl 3.1.4
  https://www.cve.org/CVERecord?id=CVE-2024-2511
  Fixed version: 3.1.5
```
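Consuming the SARIF file in a CI gate. The script below is an added example, not Docker Scout's own code or output: it counts findings by severity and exits non-zero when any CRITICAL or HIGH finding remains, the same policy that `--only-severity critical,high` together with `exit-code: true` expresses in the GitHub Actions workflow further down. The embedded SARIF document is constructed; its result/rule layout follows the SARIF 2.1.0 schema, and it assumes Scout records the CVSS score under `rules[].properties["security-severity"]` (the GitHub code-scanning convention). Verify that field name against a real `cves.sarif` before relying on it; when it is absent the script falls back to the generic SARIF `level`.

```python
import json
import sys
from collections import Counter

# Constructed SARIF 2.1.0 document standing in for the file written by
# `docker scout cves --format sarif --output cves.sarif myapp:latest`.
# CVE-2024-2511 is the finding shown in the sample output above; the second
# rule id is a placeholder. Assumption: the CVSS score is stored in
# rules[].properties["security-severity"], as GitHub code scanning expects.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {
            "name": "docker scout",
            "rules": [
                {"id": "CVE-2024-2511",
                 "shortDescription": {"text": "openssl 3.1.4"},
                 "properties": {"security-severity": "7.5"}},
                {"id": "CVE-0000-PLACEHOLDER",
                 "shortDescription": {"text": "zlib 1.2.13"},
                 "properties": {"security-severity": "5.3"}},
            ],
        }},
        "results": [
            {"ruleId": "CVE-2024-2511", "level": "error",
             "message": {"text": "openssl 3.1.4 - fixed version: 3.1.5"}},
            {"ruleId": "CVE-0000-PLACEHOLDER", "level": "warning",
             "message": {"text": "zlib 1.2.13 - no fix available"}},
        ],
    }],
})

# Fallback when a rule carries no CVSS score: map the generic SARIF level.
LEVEL_TO_SEVERITY = {"error": "high", "warning": "medium", "note": "low"}


def cvss_to_severity(score):
    """GitHub's mapping from a CVSS base score to a severity label."""
    s = float(score)
    if s >= 9.0:
        return "critical"
    if s >= 7.0:
        return "high"
    if s >= 4.0:
        return "medium"
    return "low"


def findings(sarif_text):
    """Yield (ruleId, severity, message) for every result in every run."""
    doc = json.loads(sarif_text)
    for run in doc.get("runs", []):
        rules = {r["id"]: r for r in run.get("tool", {}).get("driver", {}).get("rules", [])}
        for res in run.get("results", []):
            rule = rules.get(res.get("ruleId"), {})
            score = rule.get("properties", {}).get("security-severity")
            if score is not None:
                sev = cvss_to_severity(score)
            else:
                sev = LEVEL_TO_SEVERITY.get(res.get("level"), "low")
            yield res.get("ruleId"), sev, res.get("message", {}).get("text", "")


def severity_counts(sarif_text):
    """Count findings per severity label."""
    return Counter(sev for _, sev, _ in findings(sarif_text))


def gate(sarif_text, fail_on=("critical", "high")):
    """Return (passed, counts); passed is False if any blocking severity is present."""
    counts = severity_counts(sarif_text)
    return all(counts[s] == 0 for s in fail_on), counts


if __name__ == "__main__":
    # Usage: python scout_gate.py [cves.sarif]  (hypothetical file name);
    # with no argument the constructed sample above is evaluated.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_SARIF
    passed, counts = gate(text)
    for rule_id, sev, msg in findings(text):
        print(f"{sev.upper():8} {rule_id}  {msg}")
    print("totals:", dict(counts))
    sys.exit(0 if passed else 1)
```

Run against the sample the script exits 1, because the openssl finding scores 7.5 and therefore counts as HIGH; passing `fail_on=("critical",)` would let the same file through. Keeping the threshold in one place like this makes the CI policy reviewable alongside the workflow rather than spread across action inputs.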
### recommendations — Base image suggestions

One of Scout's standout features is suggesting safer base image alternatives.

```bash
docker scout recommendations myapp:latest
```

Sample output:

```text
Base image  mcr.microsoft.com/dotnet/aspnet:8.0

Recommended updates
  Tag            Vulnerabilities   Size
  8.0-alpine     0C 0H 1M 3L       ↓ 50MB smaller
  8.0.x-alpine   0C 0H 1M 3L       Pinned digest

→ Switch to 8.0-alpine to reduce vulnerabilities and image size
```

Combine this with Docker Hardened Images with .NET to plan a migration toward zero-CVE base images.
### sbom — SBOM generation and inspection

```bash
# Print SBOM to stdout (SPDX JSON)
docker scout sbom myapp:latest

# Write to file (CycloneDX JSON)
docker scout sbom --format cyclonedx --output sbom.json myapp:latest

# Scan an existing SBOM file for CVEs
docker scout cves sbom://sbom.json
```

For SBOM format details, see SBOM and Vulnerability Scanning.

### compare — Diff between image versions

Compare security state before and after an image update.

```bash
# Compare two tags
docker scout compare myapp:v1.0 myapp:v1.1

# Compare a feature branch image against main
docker scout compare --to myapp:latest myapp:feature-branch

# Show only CVEs that have been fixed
docker scout compare --only-fixed myapp:v1.0 myapp:v1.1
```
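The package-level half of a `compare`, computed offline from the two CycloneDX files that `docker scout sbom --format cyclonedx` writes for each tag. This is an added example, not Scout's code: it lists packages added, removed and upgraded between two images so a base image switch (such as the 8.0 to 8.0-alpine move suggested above) can be reviewed or asserted on in CI without network access or a Docker Hub login. Both SBOMs are constructed and the package versions and the NuGet entry are illustrative; only the standard CycloneDX `components[].name`, `version` and `purl` fields are read.

```python
import json

# Constructed CycloneDX 1.5 documents standing in for
#   docker scout sbom --format cyclonedx --output sbom-v1.0.json myapp:v1.0
#   docker scout sbom --format cyclonedx --output sbom-v1.1.json myapp:v1.1
# Package names and versions are made up for illustration.
SBOM_V1_0 = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "openssl", "version": "3.1.4",
         "purl": "pkg:apk/alpine/openssl@3.1.4?arch=x86_64"},
        {"type": "library", "name": "zlib", "version": "1.2.13",
         "purl": "pkg:apk/alpine/zlib@1.2.13?arch=x86_64"},
        {"type": "library", "name": "curl", "version": "8.5.0",
         "purl": "pkg:apk/alpine/curl@8.5.0?arch=x86_64"},
    ],
})
SBOM_V1_1 = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "openssl", "version": "3.1.5",
         "purl": "pkg:apk/alpine/openssl@3.1.5?arch=x86_64"},
        {"type": "library", "name": "zlib", "version": "1.2.13",
         "purl": "pkg:apk/alpine/zlib@1.2.13?arch=x86_64"},
        {"type": "library", "name": "Newtonsoft.Json", "version": "13.0.3",
         "purl": "pkg:nuget/Newtonsoft.Json@13.0.3"},
    ],
})


def package_key(component):
    """Identify a package independently of its version.

    A purl has the shape pkg:type/namespace/name@version?qualifiers#subpath, and
    any '@' inside namespace or name is percent-encoded, so everything before the
    first '@' is a stable package identifier. Fall back to type/name without a purl.
    """
    purl = component.get("purl")
    if purl:
        return purl.split("@", 1)[0]
    return f"{component.get('type', 'unknown')}/{component['name']}"


def components(sbom_text):
    """Map package key -> version for every component in a CycloneDX document."""
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return {package_key(c): c.get("version", "") for c in doc.get("components", [])}


def diff_sboms(before_text, after_text):
    """Return the added, removed and version-changed packages between two SBOMs."""
    before, after = components(before_text), components(after_text)
    return {
        "added": sorted(k for k in after if k not in before),
        "removed": sorted(k for k in before if k not in after),
        "changed": sorted(
            (k, before[k], after[k]) for k in before if k in after and before[k] != after[k]
        ),
    }


def render(diff):
    """Plain-text report in the spirit of `docker scout compare` output."""
    lines = [f"+ {key}" for key in diff["added"]]
    lines += [f"- {key}" for key in diff["removed"]]
    lines += [f"~ {key}  {old} -> {new}" for key, old, new in diff["changed"]]
    return "\n".join(lines) or "no package changes"


if __name__ == "__main__":
    print(render(diff_sboms(SBOM_V1_0, SBOM_V1_1)))
```

Keying on the version-less purl rather than the bare name keeps an OS package and an application package with the same name apart (the purl type and namespace differ), which matters once an image carries both distro packages and NuGet or npm dependencies.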
## Policy Evaluation

Policy evaluation integrates with Docker Hub to enforce organization-wide security standards.

### Built-in policies

| Policy | Description |
|---|---|
| No CRITICAL vulnerabilities | No CVEs rated CRITICAL |
| No fixable HIGH or CRITICAL | No fixable HIGH/CRITICAL CVEs |
| No unapproved base images | Only approved base images used |
| No outdated base images | Base image is up to date |
| Supply chain attestations | SBOM and provenance attestations attached |

```bash
# Check policy evaluation results
docker scout policy myapp:latest
```

Sample output:

```text
Policy status  FAILED (3/5 policies met)

✓ No CRITICAL vulnerabilities
✓ No fixable HIGH or CRITICAL
✗ No unapproved base images     (base image not in allowed list)
✗ Supply chain attestations     (SBOM attestation missing)
✓ No outdated base images
```

### Attaching attestations at build time

To satisfy the Supply chain attestations policy, attach SBOM and provenance during the build.

```bash
# Build with SBOM + Provenance using BuildKit
docker buildx build \
  --sbom=true \
  --provenance=mode=max \
  --tag myapp:latest \
  --push \
  .
```

Docker Build Cloud produces Provenance-attested builds by default, making this policy easy to meet.
## GitHub Actions Integration

The docker/scout-action action posts scan results as Pull Request comments and uploads SARIF to the GitHub Security tab.

```yaml
name: Docker Scout Scan

on:
  push:
    branches: [main]
  pull_request:

jobs:
  scout:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write   # required for PR comments
      security-events: write # required for SARIF upload
    steps:
      - uses: actions/checkout@v4

      - name: Build Docker image
        run: docker build -t myapp:${{ github.sha }} .

      - name: Docker Scout CVE scan
        uses: docker/scout-action@v1
        with:
          command: cves
          image: myapp:${{ github.sha }}
          sarif-file: cves.sarif
          only-severities: critical,high
          exit-code: true # fail the job if CRITICAL/HIGH found

      - name: Upload to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: cves.sarif

      - name: Post base image recommendations to PR
        if: github.event_name == 'pull_request'
        uses: docker/scout-action@v1
        with:
          command: recommendations
          image: myapp:${{ github.sha }}
          to: myapp:latest
          github-token: ${{ secrets.GITHUB_TOKEN }}
```
### Posting a diff comparison as a PR comment

```yaml
      - name: Compare with main and comment on PR
        if: github.event_name == 'pull_request'
        uses: docker/scout-action@v1
        with:
          command: compare
          image: myapp:${{ github.sha }}
          to: myapp:latest
          only-severities: critical,high
          github-token: ${{ secrets.GITHUB_TOKEN }}
```

For GitHub Actions fundamentals, see GitHub Actions and Workflow Basics.
## Using Docker Scout with .NET Projects

### Base image selection flow

*Figure: Base image selection flow*

### Integrated .NET + Docker Scout workflow

Scanning at both the application layer (NuGet) and the container layer (OS packages) provides full supply chain coverage.

```yaml
jobs:
  build-and-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Setup .NET
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: '8.x'

      - name: Application layer scan (NuGet vulnerability check)
        run: dotnet list package --vulnerable --include-transitive

      - name: Build Docker image with SBOM and Provenance
        uses: docker/build-push-action@v6
        with:
          push: false
          tags: myapp:${{ github.sha }}
          sbom: true
          provenance: mode=max

      - name: Container layer scan (Docker Scout)
        uses: docker/scout-action@v1
        with:
          command: cves
          image: myapp:${{ github.sha }}
          only-severities: critical,high
          exit-code: true
```
## Tool Selection Summary

| Target | Recommended tool | Reference |
|---|---|---|
| NuGet / npm packages | dotnet list package --vulnerable · npm audit | SBOM and Vulnerability Scanning |
| Container image (Docker Hub workflow) | Docker Scout | This document |
| Container image (generic CI) | Trivy | SBOM and Vulnerability Scanning |
| Dockerfile / K8s YAML | Trivy config · Checkov | DevSecOps and Static Security Scanning |
| Minimizing base image attack surface | Docker Hardened Images | Docker Hardened Images with .NET |