docker scout compare

Description: Compare two images and display differences (experimental)
Aliases: docker scout diff

This command is experimental

Experimental features are intended for testing and feedback as their functionality or design may change between releases without warning or can be removed entirely in a future release.


The docker scout compare command analyzes two images and displays a comparison.

This command is experimental and its behaviour might change in the future.

The intended use of this command is to compare two versions of the same image. For instance, when a new image is built and compared to the version running in production.

If no image is specified, the most recently built image is used as a comparison target.

The following artifact types are supported:

  • Images
  • OCI layout directories
  • Tarball archives, as created by docker save
  • Local directory or file

By default, the tool expects an image reference, such as:

  • redis
  • curlimages/curl:7.87.0

If the artifact you want to analyze is an OCI directory, a tarball archive, a local file or directory, or if you want to control from where the image will be resolved, you must prefix the reference with one of the following:

  • image:// (default) use a local image, or fall back to a registry lookup
  • local:// use an image from the local image store (don't do a registry lookup)
  • registry:// use an image from a registry (don't use a local image)
  • oci-dir:// use an OCI layout directory
  • archive:// use a tarball archive, as created by docker save
  • fs:// use a local directory or file
  • sbom:// SPDX file or in-toto attestation file with SPDX predicate or syft json SBOM file


  • -x, --exit-on: Comma separated list of conditions to fail the action step if worse, options are: vulnerability, policy
  • --format (default: text): Output format of the generated vulnerability report:
      - text: default output, plain text with or without colors depending on the terminal
      - markdown: Markdown output
  • --hide-policies: Hide policy status from the output
  • --ignore-base: Filter out CVEs introduced from base image
  • --ignore-unchanged: Filter out unchanged packages
  • --multi-stage: Show packages from multi-stage Docker builds
  • --only-fixed: Filter to fixable CVEs
  • --only-package-type: Comma separated list of package types (like apk, deb, rpm, npm, pypi, golang, etc)
  • --only-severity: Comma separated list of severities (critical, high, medium, low, unspecified) to filter CVEs by
  • --only-stage: Comma separated list of multi-stage Docker build stage names
  • --only-unfixed: Filter to unfixed CVEs
  • --org: Namespace of the Docker organization
  • -o, --output: Write the report to a file
  • --platform: Platform of image to analyze
  • --ref: Reference to use if the provided tarball contains multiple references. Can only be used with archive.
  • --to: Image, directory, or archive to compare to
  • --to-env: Name of environment to compare to
  • --to-latest: Latest image processed to compare to
  • --to-ref: Reference to use if the provided tarball contains multiple references. Can only be used with archive.


Compare the most recently built image to the latest tag

$ docker scout compare --to namespace/repo:latest

Compare local build to the same tag from the registry

$ docker scout compare local://namespace/repo:latest --to registry://namespace/repo:latest

Ignore base images

$ docker scout compare --ignore-base --to namespace/repo:latest namespace/repo:v1.2.3-pre

Generate a markdown output

$ docker scout compare --format markdown --to namespace/repo:latest namespace/repo:v1.2.3-pre

Only compare maven packages and only display critical vulnerabilities for maven packages

$ docker scout compare --only-package-type maven --only-severity critical --to namespace/repo:latest namespace/repo:v1.2.3-pre

Show all policy results for both images

$ docker scout compare --to namespace/repo:latest namespace/repo:v1.2.3-pre
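
A CI gate built from the prefixes and flags documented above, as an added example that is not part of the Docker documentation. The helper names scout_ref and scout_gate, the *.tar naming convention, and the default report filename are assumptions; the baseline is pinned to registry:// because the default image:// resolution prefers a local image, which may be a stale copy of the tag.

```shell
#!/bin/sh
# Added example; scout_ref and scout_gate are hypothetical helper names.

# Print the reference with the prefix docker scout needs for its artifact type.
# A bare name that also exists as a local path is treated as a path; pass an
# explicit image:// or registry:// prefix to disambiguate.
scout_ref() {
    case "$1" in
        image://*|local://*|registry://*|oci-dir://*|archive://*|fs://*|sbom://*)
            printf '%s\n' "$1"; return 0 ;;          # already explicit
    esac
    if [ -d "$1" ] && [ -f "$1/oci-layout" ]; then
        printf 'oci-dir://%s\n' "$1"                 # OCI layout directory
    elif [ -f "$1" ] && [ "${1%.tar}" != "$1" ]; then
        printf 'archive://%s\n' "$1"                 # assumed: docker save output is named *.tar
    elif [ -e "$1" ]; then
        printf 'fs://%s\n' "$1"                      # any other local file or directory
    else
        printf '%s\n' "$1"                           # image reference (default image:// resolution)
    fi
}

# Compare candidate ($1) against baseline ($2) and write the report to $3.
# Returns docker's exit status, so a non-zero status fails the CI step.
scout_gate() {
    candidate=$(scout_ref "$1")
    case "$2" in
        *://*) baseline=$2 ;;
        *)     baseline="registry://$2" ;;           # skip any stale local copy of the tag
    esac
    docker scout compare \
        --exit-on vulnerability,policy \
        --only-severity critical,high \
        --ignore-unchanged \
        --format markdown --output "${3:-scout-compare.md}" \
        --to "$baseline" "$candidate"
}

# Usage: scout_gate namespace/repo:v1.2.3-pre namespace/repo:latest report.md
```

A non-zero status can also come from an authentication or resolution error, so keep the written report and the command's stderr with the build logs when the step fails.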