SecurityIntermediate

Docker Scout Cheatsheet

Q: Need to log in for analysis

Authenticate with Docker. Command: docker login

Q: Results differ from registry view

Force a fresh analysis on the local image. Command: docker scout cves --refresh

Analyze images for CVEs, generate SBOMs, and enforce supply-chain policy.

What it is

Use Scout to quickly understand the security posture of an image, see actionable upgrade recommendations, generate an SBOM, and gate builds against policies.

Installation

Bundled with Docker Desktop. For Linux/CI install the CLI plugin from the docker/scout-cli releases or via the install script in the docs.

Quick start

docker scout quickview <image>

One-page security summary.

docker scout cves <image>

List CVEs by severity.

docker scout recommendations <image>

Suggested base-image upgrades.

docker scout sbom <image>

Generate a Software Bill of Materials.

Common commands

Task	Command	Description
Quick overview	`docker scout quickview <image>`	Top-line vuln counts and base image info.
List CVEs	`docker scout cves <image>`	Filterable list of vulnerabilities.
Get recommendations	`docker scout recommendations <image>`	Suggests safer base images / tags.
Generate SBOM	`docker scout sbom <image>`	Outputs SPDX or CycloneDX.
Evaluate policies	`docker scout policy <image>`	Check image against org policies.
Enroll a repo	`docker scout repo enable <org>/<repo>`	Enable Scout tracking on a Hub repo.
Manage integrations	`docker scout integration list`	List configured integrations (GitHub, registries, etc.).
Attach a VEX statement	`docker scout vex create --product pkg:docker/me/app@1.0 ...`	Mark a CVE as not_affected with justification.

Useful flags

Flag	Example	Meaning
--only-severity	`docker scout cves --only-severity critical,high <image>`	Filter CVE output by severity.
--only-fixed	`docker scout cves --only-fixed <image>`	Only show CVEs that have a fix available.
--format	`docker scout sbom --format spdx <image>`	Output format (sbom: spdx\|cyclonedx\|list).
--output	`docker scout sbom -o sbom.json <image>`	Write to a file.
--exit-code	`docker scout cves --exit-code --only-severity critical <image>`	Non-zero exit when matches found — handy in CI.

Real-world examples

Fail CI on any new critical CVE

docker scout cves --exit-code --only-severity critical --only-fixed me/app:${TAG}

Compare your image to a recommended base

docker scout compare --to me/app:prod me/app:candidate

Export SBOM as CycloneDX

docker scout sbom --format cyclonedx -o sbom.cdx.json me/app:1.0

Best practices

Run `docker scout quickview` locally before every push.
Gate PRs in CI with `docker scout cves --exit-code --only-severity critical,high --only-fixed`.
Enroll production repos so Scout tracks new CVEs against pushed tags automatically.
Use VEX to document non-applicable CVEs instead of suppressing scanner output.

Troubleshooting

`docker scout: command not found`

Install the CLI plugin or update Docker Desktop.

Need to log in for analysis

Authenticate with Docker.

docker login

Results differ from registry view

Force a fresh analysis on the local image.

docker scout cves --refresh <image>

Official Docker Docs references

Last reviewed: 2026-06-15