Docker Scout "cves" policy fail in CI
docker scout cves --exit-code --only-severity critical,high returns non-zero when the image has CVEs at those levels. The failure is the gate working; Scout lists the affected packages and, where available, the base-image recommendation to remediate them.
What this error means
The Docker Scout step lists CVEs by severity and exits non-zero, stopping the pipeline. Without --exit-code, the same findings print but the step stays green.
## Overview
Analyzed Image
Target myimage:latest
vulnerabilities critical: 1 high: 2 medium: 3
## Packages and Vulnerabilities
1C 2H libssl3 3.0.11-1
CVE-2024-XXXX CRITICAL
# docker scout exits 1 due to --exit-codeCommon causes
The image has CVEs at the selected severities
You passed --only-severity critical,high --exit-code, and matching CVEs exist, so Scout returns non-zero by design.
A stale base image carries most of the CVEs
Scout's recommendations usually point at a newer base tag; the current one predates the fixes.
How to fix it
Apply the recommendation, then rescan
- Run
docker scout recommendationsto see the suggested base bump. - Update the Dockerfile base tag and rebuild.
- Re-run
docker scout cves --exit-codeto confirm it passes.
docker scout cves myimage:latest \
--only-severity critical,high --exit-codeSuppress reviewed CVEs via a policy exception
For an unfixable CVE, record an exception with justification rather than removing the severity filter.
docker scout cves myimage:latest \
--only-severity critical,high --exit-code --ignore-baseHow to prevent it
- Keep --exit-code so the gate actually blocks bad images.
- Bump the base image on Scout recommendations to clear CVEs.
- Track exceptions rather than widening the severity filter.