Docker Scout quickstart
Early Access
Docker Scout secures the complete software supply chain by providing image analysis, real-time vulnerability identification, contextual remediation recommendations, and more. Now available in early access.
Learn more on the Docker Scout product pageopen_in_new.
Docker Scout analyzes image contents and generates a detailed report of packages and vulnerabilities that it detects. It can provide you with suggestions for how to remediate issues discovered by image analysis.
This guide takes a vulnerable container image and shows you how to use Docker Scout to identify and fix the vulnerabilities, compare image versions over time, and share the results with your team.
The following video shows an end-to-end workflow of using Docker Scout to remediate a reported vulnerability.
Step 1: Setup
This example projectopen_in_new contains a vulnerable Node.js application that you can use to follow along.
Clone its repository:
$ git clone https://github.com/docker/scout-demo-service.git
Move into the directory:
$ cd scout-demo-service
Build the image, naming it to match the organization you will push it to, and tag it as "v1":
$ docker build -t <org-name>/scout-demo:v1 .
Create and push the repository on Docker Hub:
$ docker push <org-name>/scout-demo:v1
Important
Make sure you log in to the Docker CLI or Docker Desktop before pushing.
Step 2: Enable Docker Scout
Docker Scout analyzes all local images by default. To analyze images in remote repositories, you need to enable it first. You can do this from Docker Hub, the Docker Scout Dashboard, and CLI. Find out how in the overview guide.
Sign in to your Docker account with the
docker login
command or use the Sign in button in Docker Desktop.Use the Docker CLI
docker scout repo enable
command to enable analysis on an existing repository:$ docker scout repo enable --org <org-name> <org-name>/scout-demo
Step 3: Analyze image vulnerabilities
After building, you can use Docker Desktop or the docker scout
CLI command
to see vulnerabilities detected by Docker Scout.
Using Docker Desktop, select the image name in the Images view to see the image layer view. In the image hierarchy section, you can see which layers introduce vulnerabilities and the details of those.
Select layer 5 to focus on the vulnerability introduced in that layer.
Toggle the disclosure triangle next to express 4.17.1 and then the CVE ID (in this case, "CVE-2022-24999") to see details of the vulnerability.
You can also use the Docker CLI to see the same results.
$ docker scout cves <org-name>/scout-demo:v1


Docker Scout creates and maintains its vulnerability database by ingesting and collating vulnerability data from multiple sources continuously. These sources include many recognizable package repositories and trusted security trackers. You can find more details in the advisory database documentation.
Tip
Find out how to filter results using the CLI command
scout cves
.
Step 4: Fix application vulnerabilities
The fix suggested by Docker Scout is to update the underlying vulnerable express version to 4.17.3 or later.
Update the
package.json
file with the new package version.… "dependencies": { "express": "4.17.3" … }
Rebuild the image, giving it a new version tag:
$ docker build -t <org-name>/scout-demo:v2 .
Push the image to the same repository on Docker Hub using a new version tag:
$ docker push <org-name>/scout-demo:v2
Now, viewing the latest tag of the image in Docker Desktop, the Docker Scout Dashboard, or CLI, you can see that you have fixed the vulnerability.
Step 5: Fix vulnerabilities in base images
In addition to identifying application vulnerabilities, Docker Scout also helps you identify and fix issues with the base images your images use.
On the Docker Scout Dashboard, you can see these suggestions by selecting the Recommended fixes button in the image layer view.
Select the Recommendations for base image option from the button. In the dialog that appears, select the Change base image tab, the new version of the base image you want to use, and copy the suggestion into your
Dockerfile
.Rebuild the image, again with a new tag:
$ docker build -t <org-name>/scout-demo:v3 .
Push it to Docker Hub using the new version tag:
$ docker push <org-name>/scout-demo:v3
Select the new image tag in Docker Desktop or the Docker Scout Dashboard and you can see that the base image has been updated, removing many vulnerabilities.
You can see the same using the Docker CLI command:
$ docker scout cves <org-name>/scout-demo:v3
Step 6: Collaborate on vulnerabilities
You can see and share the same vulnerability information about an image and the other images in your organization in the Docker Scout Dashboard.
All organization members can see an overview of all their images from integrated container registries, and get remediation advice at their fingertips. This helps team members in security, compliance, and operations to know what vulnerabilities and issues to focus on.
- Select the Images tab on the Docker Scout Dashboardopen_in_new.
- Select any of the tags under the Most Recent Image column, and you can see the same vulnerability information as you saw in Docker Desktop and the Docker CLI and share this link with anyone else in your organization.
Tip
If you are a member of multiple organizations, make sure you select the correct organization from the drop-down in the top right.
![]()
Step 7: Compare images
Over time as you build and push new tags of images, you can use the Docker Scout CLI and Dashboard to compare the changes to vulnerabilities and packages in different tags of the same image.
On the Docker Scout Dashboard, select the repository to compare from the Images list. In this case, scout-demo.
Choose two of the tags you pushed in the last steps, for example, v1 and v3, and then select Compare images.
The Image comparison view shows you the differences between the two tags. The page's top part summarizes the two tags, including the differences between vulnerabilities and base image tags.
In the bottom part of the page, you can see the changes in packages and vulnerabilities between the two tags. In the row for "express", you can see the version change from 4.17.1 to 4.17.3. Switch to the Vulnerabilities tab to see the changes in vulnerabilities between the two tags. You can see that "CVE-2022-24999" isn't present under the v3 tag.
You can also use the
scout compare
CLI command to see the same results.$ docker scout compare --to <org-name>/scout-demo:v1 <org-name>/scout-demo:v3
What's next?
- Explore the Docker Scout Dashboard to see how you can collaborate with your team on vulnerabilities.
- Learn how to integrate Docker Scout with other systems.
- Find out where Docker Scout gets its vulnerability data.