docker scout cves
Docker Scout is an early access product.
If you’re interested in Docker Scout for your organization and want to learn more, get in touch by filling out the contact form on the Docker Scout product page.
Display CVEs identified in a software artifact
$ docker scout cves [OPTIONS] IMAGE|DIRECTORY|ARCHIVE
Refer to the options section for an overview of available
OPTIONS for this command.
docker scout cves command analyzes a software artifact for vulnerabilities.
The following artifact types are supported:
- OCI layout directories
- Tarball archives, as created by
The tool analyzes the provided software artifact, and generates a vulnerability report.
By default, the tool expects an image reference, such as:
If the artifact you want to analyze is an OCI directory or a tarball archive, you must use the
For example uses of this command, refer to the examples section below.
||Print details on default text output|
||Return exit code ‘2’ if vulnerabilities are detected|
||Output format of the generated vulnerability report: - packages: default output, plain text with vulnerabilities grouped by packages - sarif: json Sarif output|
||Filter out CVEs introduced from base image|
||Comma separated list of CVE ids (like CVE-2021-45105) to search for|
||Filter to fixable CVEs|
||Comma separated list of package types (like apk, deb, rpm, npm, pypi, golang, etc)|
||Comma separated list of severities (critical, high, medium, low, unspecified) to filter CVEs by|
||Filter to unfixed CVEs|
||Write the report to a file.|
||Platform of image to analyze|
||Reference to use if the provided tarball contains multiple references. Can only be used with --type archive.|
||Type of the image to analyze. Can be one of: - image - oci-dir - archive (docker save tarball)|
Display vulnerabilities grouped by package
$ docker scout cves alpine Analyzing image alpine ✓ Image stored for indexing ✓ Indexed 18 packages ✓ No vulnerable package detected
Display vulnerabilities from a
docker save tarball
$ docker save alpine > alpine.tar $ docker scout cves --type archive alpine.tar Analyzing archive alpine.tar ✓ Archive read ✓ SBOM of image already cached, 18 packages indexed ✓ No vulnerable package detected
Display vulnerabilities from an OCI directory
$ skopeo copy --override-os linux docker://alpine oci:alpine $ docker scout cves --type oci-dir alpine Analyzing OCI directory alpine ✓ OCI directory read ✓ Image stored for indexing ✓ Indexed 19 packages ✓ No vulnerable package detected
Export vulnerabilities to a SARIF JSON file
$ docker scout cves --format sarif --output alpine.sarif.json alpine Analyzing image alpine ✓ SBOM of image already cached, 18 packages indexed ✓ No vulnerable package detected ✓ Report written to alpine.sarif.json
|docker scout||Command line tool for Docker Scout|
|docker scout compare||[experimental] Compare two images and display differences|
|docker scout cves||Display CVEs identified in a software artifact|
|docker scout quickview||Quick overview of an image|
|docker scout recommendations||Display available base image updates and remediation recommendations|
|docker scout version||Show Docker Scout version information|