docker scout cves

Early Access

Docker Scout is an early access product.

If you’re interested in Docker Scout for your organization and want to learn more, get in touch by filling out the contact form on the Docker Scout product page.

Display CVEs identified in a software artifact



Refer to the options section for an overview of available OPTIONS for this command.


The docker scout cves command analyzes a software artifact for vulnerabilities. The following artifact types are supported:

  • Images
  • OCI layout directories
  • Tarball archives, as created by docker save

The tool analyzes the provided software artifact, and generates a vulnerability report.

By default, the tool expects an image reference, such as:

  • redis
  • curlimages/curl:7.87.0

If the artifact you want to analyze is an OCI directory or a tarball archive, you must use the --type flag.

For example uses of this command, refer to the examples section below.


Name, shorthand Default Description
--details Print details on default text output
--exit-code , -e Return exit code ‘2’ if vulnerabilities are detected
--format packages Output format of the generated vulnerability report: - packages: default output, plain text with vulnerabilities grouped by packages - sarif: json Sarif output
--ignore-base Filter out CVEs introduced from base image
--only-cve-id Comma separated list of CVE ids (like CVE-2021-45105) to search for
--only-fixed Filter to fixable CVEs
--only-package-type Comma separated list of package types (like apk, deb, rpm, npm, pypi, golang, etc)
--only-severity Comma separated list of severities (critical, high, medium, low, unspecified) to filter CVEs by
--only-unfixed Filter to unfixed CVEs
--output , -o Write the report to a file.
--platform Platform of image to analyze
--ref Reference to use if the provided tarball contains multiple references. Can only be used with --type archive.
--type image Type of the image to analyze. Can be one of: - image - oci-dir - archive (docker save tarball)


Display vulnerabilities grouped by package

$ docker scout cves alpine
Analyzing image alpine
    ✓ Image stored for indexing
    ✓ Indexed 18 packages
    ✓ No vulnerable package detected

Display vulnerabilities from a docker save tarball

$ docker save alpine > alpine.tar

$ docker scout cves --type archive alpine.tar
Analyzing archive alpine.tar
    ✓ Archive read
    ✓ SBOM of image already cached, 18 packages indexed
    ✓ No vulnerable package detected

Display vulnerabilities from an OCI directory

$ skopeo copy --override-os linux docker://alpine oci:alpine

$ docker scout cves --type oci-dir alpine
Analyzing OCI directory alpine
    ✓ OCI directory read
    ✓ Image stored for indexing
    ✓ Indexed 19 packages
    ✓ No vulnerable package detected

Export vulnerabilities to a SARIF JSON file

$ docker scout cves --format sarif --output alpine.sarif.json alpine
Analyzing image alpine
    ✓ SBOM of image already cached, 18 packages indexed
    ✓ No vulnerable package detected
    ✓ Report written to alpine.sarif.json

Parent command

Command Description
docker scout Command line tool for Docker Scout
Command Description
docker scout compare [experimental] Compare two images and display differences
docker scout cves Display CVEs identified in a software artifact
docker scout quickview Quick overview of an image
docker scout recommendations Display available base image updates and remediation recommendations
docker scout version Show Docker Scout version information