Share feedback
Answers are generated based on the documentation.

Use the Policies page in the Dashboard

Important

The Policies page is deprecated and will be retired on September 1, 2026. The docker scout policy command replaces this with more options for evaluating policies. You can run evaluations locally, in CI, against custom Rego policies, or using OCI bundles. See Evaluate policies.

View policy status

The Overview tab of the Docker Scout Dashboard displays a summary of recent changes in policy for your repositories. This summary shows images that have seen the most change in their policy evaluation between the most recent image and the previous image.

Policy status per repository

The Images tab shows the current policy status, and recent policy trend, for all images in the selected environment. The Policy status column shows:

  • Number of fulfilled policies versus the total number of policies
  • Recent policy trends

The policy trend, denoted by the directional arrows, indicates whether an image is better, worse, or unchanged compared to the previous image in the same environment.

  • The green arrow pointing upwards shows the number of policies that improved.
  • The red arrow pointing downwards shows the number of policies that worsened.
  • The bidirectional gray arrow shows the number of policies that were unchanged.

Detailed results

To view the full evaluation results for an image, navigate to the image tag in the Docker Scout Dashboard and open the Policy tab.

For vulnerability-related policies, the details view shows the fix version when one is available. For licensing-related policies, the list shows all packages whose license doesn't meet the policy criteria.

Configure policies

Some policy types are configurable. You can create customized versions with your own parameters, disable a policy, or delete it.

Note

Historic evaluation results for the default policy configuration are removed if you delete or customize a policy.

Add a policy

  1. Go to the Policies page in the Docker Scout Dashboard.

  2. Select Add policy.

  3. Locate the policy type you want to configure and select Configure.

    • If Configure is grayed out, the policy has no configurable parameters.
    • If the button reads Integrate, setup is required before the policy can be enabled.
  4. Update the policy parameters.

  5. Select Save policy to enable, or Save and disable to save without enabling.

Edit a policy

  1. Go to the Policies page.
  2. Select the policy and then select Edit.
  3. Update the parameters and save.

Disable a policy

Disabling a policy hides its results but doesn't delete historic data.

  1. Go to the Policies page.
  2. Select the policy and then select Disable.

Delete a policy

Deleting a policy removes its evaluation results.

  1. Go to the Policies page.
  2. Select the policy and then select Delete.

To recreate a deleted policy, follow Add a policy and select Configure on the deleted policy type.

Remediation

Docker Scout provides remediation recommendations based on policy evaluation results. Recommendations are available for the following policy types:

To view recommendations:

  1. Go to the Policies page.
  2. Select a policy.
  3. Hover over an image in the list and select View fixes.

If more than one recommendation is available, the primary recommendation displays as the Recommended fix. Additional recommendations are listed as Quick fixes.

Up-to-Date Base Images

Without provenance attestations, compliance is undeterminable. Add provenance attestations so Docker Scout can detect the base image version you're using.

With provenance attestations, the recommended action shows how to update your base image to the latest version and pin it to a specific digest. See Pin base image versions.

With the GitHub integration enabled, you can raise a pull request directly from the remediation panel to update the base image version in your Dockerfile.

Supply Chain Attestations

The Supply Chain Attestations policy requires SBOM and provenance attestations. The remediation panel shows what's missing. For example, if your image has a provenance attestation without enough information, rebuild with mode=max provenance.

Evaluate policy compliance in CI

Adding policy evaluation to your CI pipelines helps you detect and prevent cases where a change would cause policy compliance to worsen compared to your baseline.

The recommended strategy involves evaluating a local image and comparing the results to a baseline using an environment. If policy compliance for the new image is worse than the baseline, the CI run fails. If compliance is better or unchanged, the run succeeds.

The following GitHub Actions example uses the Docker Scout GitHub Action to compare a pull request image against the production environment. The exit-on input is set to policy, so the step fails only if policy compliance has worsened.

Note

Due to a limitation in Docker Engine, loading multi-platform images or images with attestations to the image store isn't supported. Build a single-platform image without attestations and load it for the policy evaluation to work.

name: Docker

on:
  push:
    tags: ["*"]
    branches:
      - "main"
  pull_request:
    branches: ["**"]

env:
  REGISTRY: docker.io
  IMAGE_NAME: <IMAGE_NAME>
  DOCKER_ORG: <ORG>

jobs:
  build:
    permissions:
      pull-requests: write

    runs-on: ubuntu-latest
    steps:
      - name: Log into registry ${{ env.REGISTRY }}
        uses: docker/login-action@v4
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ secrets.REGISTRY_USER }}
          password: ${{ secrets.REGISTRY_TOKEN }}

      - name: Setup Docker buildx
        uses: docker/setup-buildx-action@v4

      - name: Extract metadata
        id: meta
        uses: docker/metadata-action@v6
        with:
          images: ${{ env.IMAGE_NAME }}

      - name: Build image
        id: build-and-push
        uses: docker/build-push-action@v7
        with:
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          sbom: ${{ github.event_name != 'pull_request' }}
          provenance: ${{ github.event_name != 'pull_request' }}
          push: ${{ github.event_name != 'pull_request' }}
          load: ${{ github.event_name == 'pull_request' }}

      - name: Authenticate with Docker
        uses: docker/login-action@v4
        with:
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_PAT }}

      - name: Compare
        if: ${{ github.event_name == 'pull_request' }}
        uses: docker/scout-action@v1
        with:
          command: compare
          image: ${{ steps.meta.outputs.tags }}
          to-env: production
          platform: "linux/amd64"
          ignore-unchanged: true
          only-severities: critical,high
          organization: ${{ env.DOCKER_ORG }}
          exit-on: policy

For other CI platforms, see Docker Scout CI integrations.