Skip to content
Latchkey

docker sbom & scout: Image SBOM and CVE Scanning

Generate an SBOM and scan images for known vulnerabilities.

docker sbom lists the software bill of materials for an image; docker scout cves scans for known vulnerabilities. This page covers both and how they replaced docker scan.

What it does

docker sbom (Syft-based) enumerates the packages in an image. docker scout cves analyzes an image against vulnerability databases and reports CVEs. Together they answer "what is in this image and is it vulnerable?" - the modern successor to the deprecated docker scan (Snyk).

Common usage

Terminal
docker sbom myapp:latest
docker scout cves myapp:latest
docker scout quickview myapp:latest
docker scout cves --exit-code --only-severity critical,high myapp:latest

Common errors in CI

"docker: 'scout' is not a docker command" means the Scout plugin is not installed on the runner - install docker/scout-cli or use the docker/scout-action. The old docker scan command is deprecated and removed; migrate to docker scout. Use docker scout cves --exit-code with --only-severity to fail a CI job on critical/high CVEs.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →