docker sbom & scout: Image SBOM and CVE Scanning
Generate an SBOM and scan images for known vulnerabilities.
docker sbom lists the software bill of materials for an image; docker scout cves scans for known vulnerabilities. This page covers both and how they replaced docker scan.
What it does
docker sbom (Syft-based) enumerates the packages in an image. docker scout cves analyzes an image against vulnerability databases and reports CVEs. Together they answer "what is in this image and is it vulnerable?" - the modern successor to the deprecated docker scan (Snyk).
Common usage
docker sbom myapp:latest
docker scout cves myapp:latest
docker scout quickview myapp:latest
docker scout cves --exit-code --only-severity critical,high myapp:latestCommon errors in CI
"docker: 'scout' is not a docker command" means the Scout plugin is not installed on the runner - install docker/scout-cli or use the docker/scout-action. The old docker scan command is deprecated and removed; migrate to docker scout. Use docker scout cves --exit-code with --only-severity to fail a CI job on critical/high CVEs.