Skip to content
Latchkey

Docker Scout "cves" policy fail in CI

docker scout cves --exit-code --only-severity critical,high returns non-zero when the image has CVEs at those levels. The failure is the gate working; Scout lists the affected packages and, where available, the base-image recommendation to remediate them.

What this error means

The Docker Scout step lists CVEs by severity and exits non-zero, stopping the pipeline. Without --exit-code, the same findings print but the step stays green.

Docker Scout
## Overview
Analyzed Image
  Target  myimage:latest
  vulnerabilities  critical: 1  high: 2  medium: 3

## Packages and Vulnerabilities
  1C  2H  libssl3 3.0.11-1
  CVE-2024-XXXX  CRITICAL
# docker scout exits 1 due to --exit-code

Common causes

The image has CVEs at the selected severities

You passed --only-severity critical,high --exit-code, and matching CVEs exist, so Scout returns non-zero by design.

A stale base image carries most of the CVEs

Scout's recommendations usually point at a newer base tag; the current one predates the fixes.

How to fix it

Apply the recommendation, then rescan

  1. Run docker scout recommendations to see the suggested base bump.
  2. Update the Dockerfile base tag and rebuild.
  3. Re-run docker scout cves --exit-code to confirm it passes.
Terminal
docker scout cves myimage:latest \
  --only-severity critical,high --exit-code

Suppress reviewed CVEs via a policy exception

For an unfixable CVE, record an exception with justification rather than removing the severity filter.

Terminal
docker scout cves myimage:latest \
  --only-severity critical,high --exit-code --ignore-base

How to prevent it

  • Keep --exit-code so the gate actually blocks bad images.
  • Bump the base image on Scout recommendations to clear CVEs.
  • Track exceptions rather than widening the severity filter.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →