Skip to content
Latchkey

docker scout and docker scan Command Reference

Scan images for known vulnerabilities.

docker scout is the current image vulnerability tool; docker scan (Snyk-based) is deprecated and removed from recent Docker versions. In CI, scout analyzes an image against CVE databases and can fail the build when severe vulnerabilities are found.

Common subcommands and flags

  • docker scout cves IMAGE - list CVEs affecting the image
  • docker scout quickview IMAGE - summary of vulnerabilities by severity
  • docker scout compare --to BASE IMAGE - diff vulnerabilities against a baseline
  • --exit-code - return non-zero when issues are found
  • --only-severity - limit to severities, e.g. critical,high

Example

shell
docker scout cves --only-severity critical,high --exit-code myorg/app:${{ github.sha }}

In CI

Run docker scout cves with --exit-code and --only-severity critical,high as a gate that fails the pipeline on serious CVEs. Prefer scout over the legacy docker scan, which is no longer bundled with Docker. Use scout compare to block PRs that add vulnerabilities relative to the base branch.

Key takeaways

  • docker scout replaces the deprecated, removed docker scan.
  • --exit-code turns scout into a hard CI gate on vulnerabilities.
  • scout compare flags newly introduced CVEs versus a baseline image.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →