
---
title: Docker Scout
keywords: scout, supply chain, vulnerabilities, packages, cves, scan, analysis, analyze
description: Docker Scout analyzes your images to help you understand their dependencies and potential vulnerabilities
redirect_from:
  - /atomist/
  - /atomist/try-atomist/
  - /atomist/configure/settings/
  - /atomist/configure/advisories/
  - /atomist/integrate/github/
  - /atomist/integrate/deploys/
  - /engine/scan/
---

{% include scout-early-access.md %}

Container images are often built from layers of other container images and software packages. These layers and packages can contain vulnerabilities that make your containers and the applications they run vulnerable to attack.

Docker Scout can proactively help you find and fix these vulnerabilities, helping you create a more secure software supply chain. It does this by analyzing your images and creating a full inventory of the packages and layers, called a software bill of materials (SBOM). It then correlates this inventory with a continuously updated vulnerability database to identify vulnerabilities in your images.

You can use Docker Scout in Docker Desktop, Docker Hub, the Docker CLI, and in the Docker Scout Dashboard. Docker Scout also supports integrations with third-party systems; refer to Integrating Docker Scout for more information.

{% include scout-plans.md %}

## Quickstart

The following video shows an end-to-end workflow of using Docker Scout to remediate a reported vulnerability.

> **Quickstart with Docker Scout**
>
> For a self-guided quickstart that shows you how to use Docker Scout to identify and remediate vulnerabilities in your images, read the quickstart.
{: .tip }

## Enabling Docker Scout

The following video shows how to enable Docker Scout on your repositories.

### Docker Desktop

> **Note**
>
> There is a 3 GB size limit on images analyzed by Docker Scout in Docker Desktop.

Docker Scout analyzes all images stored locally in Docker Desktop, providing you with up-to-date vulnerability information as you build your images.

For more information, read the Advanced image analysis guide.

### Docker Hub

If you enable Advanced image analysis for a repository in Docker Hub, Docker Scout analyzes your images every time you push them to Docker Hub. Docker Scout shows analysis results on every tag view for that repository.

The analysis updates continuously, meaning that the vulnerability report for an image stays up to date as Docker Scout becomes aware of new CVEs. You don't need to re-analyze an image.

For more information, read the Advanced image analysis guide.

### Docker Scout CLI plugin

The `docker scout` CLI plugin provides a terminal interface for using Docker Scout with local and remote images.

Using the CLI, you can analyze images and view the analysis report in text format. You can print the results directly to stdout, or export them to a file using a structured format, such as Static Analysis Results Interchange Format (SARIF).
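As an added example (not part of the Docker docs or of the `docker scout` tool itself), the following Python triages a SARIF 2.1.0 report such as one exported from the CLI: it scores each finding from the rule's `security-severity` property (the GitHub code-scanning convention; assumed here, with a fallback to the standard SARIF `level`) and returns a pass/fail verdict usable as a CI gate. The SARIF document is constructed inline with placeholder CVE identifiers.

```python
"""Triage a SARIF 2.1.0 report from an image scanner. Added example, not Docker's code.

Assumes the standard SARIF layout (runs[].tool.driver.rules[], runs[].results[])
and, where present, the GitHub-style `security-severity` rule property.
"""
import json

# Constructed sample; the CVE ids are placeholders, not real advisories.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "docker scout", "rules": [
            {"id": "CVE-0000-0001", "properties": {"security-severity": "9.8"}},
            {"id": "CVE-0000-0002", "properties": {"security-severity": "5.3"}},
            {"id": "CVE-0000-0003"},  # no score attached: fall back to level
        ]}},
        "results": [
            {"ruleId": "CVE-0000-0001", "level": "error",
             "message": {"text": "openssl package affected (constructed)"}},
            {"ruleId": "CVE-0000-0002", "level": "warning",
             "message": {"text": "zlib package affected (constructed)"}},
            {"ruleId": "CVE-0000-0003", "level": "note",
             "message": {"text": "informational finding (constructed)"}},
        ],
    }],
})

# Rough CVSS-like score for findings whose rule carries no explicit severity.
LEVEL_SCORE = {"error": 7.0, "warning": 4.0, "note": 1.0, "none": 0.0}

def severity(result, rules):
    """Prefer the rule's security-severity; otherwise map the SARIF level."""
    rule = rules.get(result.get("ruleId"), {})
    prop = rule.get("properties", {}).get("security-severity")
    if prop is not None:
        return float(prop)
    return LEVEL_SCORE.get(result.get("level", "warning"), 4.0)

def triage(sarif_text, threshold=7.0):
    """Return (score, ruleId, message) for findings at or above threshold, highest first."""
    doc = json.loads(sarif_text)
    findings = []
    for run in doc.get("runs", []):
        rules = {r["id"]: r for r in run.get("tool", {}).get("driver", {}).get("rules", [])}
        for res in run.get("results", []):
            score = severity(res, rules)
            if score >= threshold:
                findings.append((score, res.get("ruleId"), res.get("message", {}).get("text", "")))
    return sorted(findings, reverse=True)

def gate(sarif_text, threshold=7.0):
    """CI verdict: False when any finding meets the threshold (fail the build)."""
    return not triage(sarif_text, threshold)

if __name__ == "__main__":
    for score, rule_id, text in triage(SAMPLE_SARIF):
        print(f"{score:>4}  {rule_id}  {text}")
    print("gate passed" if gate(SAMPLE_SARIF) else "gate FAILED")
```

Lowering `threshold` widens the gate; the `level` fallback keeps findings without a score from being silently dropped.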

For more information about how to use the `docker scout` CLI, see the reference documentation.

The plugin is included in Docker Desktop starting with version 4.17 and is also available as a standalone binary.

To install the plugin, run the following command:

```console
$ curl -fsSL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh -o install-scout.sh
$ sh install-scout.sh
```

> **Note**
>
> Always examine scripts downloaded from the internet before running them locally. Before installing, make yourself familiar with potential risks and limitations of the convenience script.

If you want to install the plugin manually, you can find full instructions in the plugin's repository.

The plugin is also available as a container image and as a GitHub action.

### Docker Scout Dashboard

The Docker Scout Dashboard helps you share the analysis and security status of images in an organization with your team. You can also use the dashboard settings to enable Docker Scout on multiple images from Docker Hub at once.

For more information, read the Docker Scout Dashboard guide.