# docker scout cves

> **Early Access**
>
> Docker Scout is an early access product. If you're interested in Docker Scout for your organization and want to learn more, get in touch by filling out the contact form on the Docker Scout product page.

Display CVEs identified in a software artifact

## Usage

```console
$ docker scout cves [OPTIONS] IMAGE|DIRECTORY|ARCHIVE
```

Refer to the options section for an overview of the available `OPTIONS` for this command.
## Description

The `docker scout cves` command analyzes a software artifact for vulnerabilities. The following artifact types are supported:

- Images
- OCI layout directories
- Tarball archives, as created by `docker save`

The tool analyzes the provided software artifact and generates a vulnerability report.

By default, the tool expects an image reference, such as:

- `redis`
- `curlimages/curl:7.87.0`
- `mcr.microsoft.com/dotnet/runtime:7.0`

If the artifact you want to analyze is an OCI directory or a tarball archive, you must use the `--type` flag.

For example uses of this command, refer to the examples section below.
## Options

| Name, shorthand | Default | Description |
|---|---|---|
| `--details` | | Print details on default text output |
| `--exit-code`, `-e` | | Return exit code `2` if vulnerabilities are detected |
| `--format` | `packages` | Output format of the generated vulnerability report: `packages` (default; plain text with vulnerabilities grouped by package) or `sarif` (JSON SARIF output) |
| `--ignore-base` | | Filter out CVEs introduced from the base image |
| `--only-cve-id` | | Comma-separated list of CVE IDs (such as `CVE-2021-45105`) to search for |
| `--only-fixed` | | Filter to fixable CVEs |
| `--only-package-type` | | Comma-separated list of package types (such as `apk`, `deb`, `rpm`, `npm`, `pypi`, `golang`) |
| `--only-severity` | | Comma-separated list of severities (`critical`, `high`, `medium`, `low`, `unspecified`) to filter CVEs by |
| `--only-unfixed` | | Filter to unfixed CVEs |
| `--output`, `-o` | | Write the report to a file |
| `--platform` | | Platform of the image to analyze |
| `--ref` | | Reference to use if the provided tarball contains multiple references. Can only be used with `--type archive`. |
| `--type` | `image` | Type of the artifact to analyze. One of: `image`, `oci-dir`, `archive` (`docker save` tarball) |
## Examples

### Display vulnerabilities grouped by package

```console
$ docker scout cves alpine
Analyzing image alpine
✓ Image stored for indexing
✓ Indexed 18 packages
✓ No vulnerable package detected
```

### Display vulnerabilities from a `docker save` tarball

```console
$ docker save alpine > alpine.tar
$ docker scout cves --type archive alpine.tar
Analyzing archive alpine.tar
✓ Archive read
✓ SBOM of image already cached, 18 packages indexed
✓ No vulnerable package detected
```

### Display vulnerabilities from an OCI directory

```console
$ skopeo copy --override-os linux docker://alpine oci:alpine
$ docker scout cves --type oci-dir alpine
Analyzing OCI directory alpine
✓ OCI directory read
✓ Image stored for indexing
✓ Indexed 19 packages
✓ No vulnerable package detected
```

### Export vulnerabilities to a SARIF JSON file

```console
$ docker scout cves --format sarif --output alpine.sarif.json alpine
Analyzing image alpine
✓ SBOM of image already cached, 18 packages indexed
✓ No vulnerable package detected
✓ Report written to alpine.sarif.json
```
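To act on the report that `--format sarif --output` writes, here is an added Python example (not part of the Docker Scout documentation or tooling) that counts results by SARIF level, lists the CVE IDs found, and fails a CI step when any error-level result is present. The embedded report is a constructed SARIF 2.1.0 document using only standard fields, not captured `docker scout` output, and `CVE-PLACEHOLDER-0001` is a placeholder rule ID, not a real CVE.

```python
import json
import sys
from collections import Counter

# Constructed SARIF 2.1.0 report standing in for the file written by
# `docker scout cves --format sarif --output report.sarif.json IMAGE`.
# Only standard SARIF fields are used; this is not captured Docker Scout
# output, and the second rule ID is a placeholder, not a real CVE.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "docker scout"}},
        "results": [
            {"ruleId": "CVE-2021-45105", "level": "error",
             "message": {"text": "constructed: affected package A"}},
            {"ruleId": "CVE-PLACEHOLDER-0001", "level": "warning",
             "message": {"text": "constructed: affected package B"}},
            {"ruleId": "CVE-PLACEHOLDER-0001",  # level omitted: SARIF default is "warning"
             "message": {"text": "constructed: affected package C"}},
        ],
    }],
})


def summarize_sarif(sarif_text):
    """Count results per SARIF level and collect the rule IDs (CVE IDs) seen."""
    doc = json.loads(sarif_text)
    counts = Counter()
    cves = set()
    for run in doc.get("runs", []):
        for result in run.get("results", []):
            # SARIF levels are none/note/warning/error; a missing level means warning
            counts[result.get("level", "warning")] += 1
            cves.add(result.get("ruleId", "unknown"))
    return counts, sorted(cves)


def gate(sarif_text, fail_on=("error",)):
    """CI gate: pass (True) only if no result carries a level listed in fail_on."""
    counts, _ = summarize_sarif(sarif_text)
    return all(counts[level] == 0 for level in fail_on)


if __name__ == "__main__":
    # Usage: python sarif_gate.py [report.sarif.json]; falls back to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF
    counts, cves = summarize_sarif(text)
    print(dict(counts), cves)
    sys.exit(0 if gate(text) else 1)
```

The `--exit-code` flag already returns `2` when any vulnerability is detected; parsing the report instead lets a pipeline gate on level while still recording every finding.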
## Parent command

| Command | Description |
|---|---|
| `docker scout` | Command line tool for Docker Scout |

## Related commands

| Command | Description |
|---|---|
| `docker scout compare` | [experimental] Compare two images and display differences |
| `docker scout cves` | Display CVEs identified in a software artifact |
| `docker scout quickview` | Quick overview of an image |
| `docker scout recommendations` | Display available base image updates and remediation recommendations |
| `docker scout version` | Show Docker Scout version information |