This post builds on our Docker-Scout post (part 1 of this series). Make sure you’ve installed and configured Docker Scout first.
Note: This blog is the 2nd part of our series on Docker Scout. To navigate directly to a specific section, please refer to the links below:
1st part link: Docker-Scout – Canarys
3rd part link: Evaluate policy compliance & improve compliance of Docker Scout
4th part link: Docker scout Dashboard Navigation & Key Integrations
Enablement and analysis of Docker Scout
Note: before you begin, understand the scope of Scout.
The docker scout CLI analyzes images that are available locally, and if you give it an image reference it pulls and indexes that image from the registry. To have Scout track a remote repository as a whole, so that images pushed to it are analyzed continuously and show up in the Scout dashboard, you need to enable Scout on your organization and repository first. Let’s get started with that.
Authenticate: run docker login to sign in to Docker Hub (or your registry).
Enroll your org: run docker scout enroll <ORG_NAME> to enable Scout features for your organization.
Enable Scout on the repository: run docker scout repo enable --org <ORG_NAME> <ORG_NAME>/<REPO> to activate image analysis on that repo.

With these steps complete, Scout can fetch and scan images pushed to the remote repository.
Scanning local and remote repositories
Once enabled, use the same docker scout cves command to scan any image. If you run it without specifying an image, Scout defaults to the most recently built local image. To scan a remote image by tag, provide its reference.
For example, after pushing an image as myorg/app:latest, run docker scout cves myorg/app:latest to fetch and analyze it.
Note: to list every known vulnerability (CVE) across all packages in the image, run docker scout cves with no filter flags.
Note that docker login (from above) ensures Scout has the credentials it needs to pull and index images from a private repository.
Running Vulnerability Scans
To perform a vulnerability scan, use: docker scout cves [IMAGE:TAG]
This command analyzes the image’s software artifacts for known CVEs. By default it prints a plain-text report grouped by package. Flags refine the scan: --epss adds EPSS exploit-probability scores, --only-severity critical lists only critical CVEs, and --exit-code makes the command return exit code 2 when vulnerabilities are found, which is what you want in a CI job that should fail the build.

In its simplest form, running docker scout cves <image:tag> indexes the image’s contents and lists its vulnerabilities.
Interpreting scan results
Docker Scout presents the findings grouped by package, showing how many CVEs of each severity affect each component. The output typically looks like a table with columns for Name, Version, and Vulnerabilities (broken out by Critical, High, Medium, Low counts).

Each CVE ID is listed along with its description and severity. Scout marks critical and high issues prominently so you can address them first. If a fix is available, the report (backed by Docker’s advisory data) notes the fixed version that resolves the flaw. In this way, Scout not only flags vulnerable packages but also points you to the remediation (for example, updating Express from 4.17.1 to 4.17.3).
Filtering Scan Results by Package
You can narrow the scan output to specific packages using the --only-package flag. For instance, to see only Express-related issues, use: docker scout cves --only-package express [IMAGE:TAG]

This filters the results to CVEs affecting packages whose names match the given pattern. In the example above, running docker scout cves --only-package express on the vulnerable image shows just the entries for Express (including CVE-2022-24999). This is useful for focusing on a particular component without wading through the entire report.
Remediating an Express.js Vulnerability
Consider an example Node.js image with express@4.17.1. Running docker scout cves on this image might reveal CVE-2022-24999, a high-severity vulnerability reported against the express package. The output indicates that Express 4.17.1 is vulnerable and notes that upgrading to 4.17.3 fixes the issue (any later release, such as 4.20.0, also contains the fix).
To remediate, update package.json to "express": "4.17.3", then run npm install so that package-lock.json and the installed node_modules change as well: Scout reads what is actually installed in the image layers, not what package.json declares, so an image built with npm ci from a stale lockfile will still report 4.17.1. Rebuild the image (for example tagging it as myorg/app:v2).

After pushing the new image, run the scan again. The new report should show no high or critical CVEs for Express, confirming the CVE is resolved.
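
The filter-by-package step and the before/after re-scan above can also be checked mechanically from the image’s SBOM instead of by reading the report. The following Python script is an added example written for this post, not code from the original article or from Docker Scout itself. It assumes the SBOM was exported as SPDX JSON (for instance docker scout sbom --format spdx myorg/app:v2 > sbom.spdx.json) and relies only on the standard SPDX packages[].name and packages[].versionInfo fields, so SPDX output from other tools works too. The two embedded SBOM fragments are constructed to mirror the express@4.17.1 and express@4.17.3 images discussed above; the package name and fixed version are the page’s own, the other packages and IDs are illustrative.

```python
"""check_sbom.py: confirm a package in an SPDX JSON SBOM is at or above its fixed version.

Added example for this post, not Docker Scout's own code. Assumes an SPDX 2.x
JSON document such as `docker scout sbom --format spdx IMAGE` produces; only the
packages[].name and packages[].versionInfo fields are read.
"""
import json
import re
import sys

# Constructed SPDX fragments standing in for the real export (only fields used below).
SBOM_BEFORE = {  # the vulnerable image: express@4.17.1
    "spdxVersion": "SPDX-2.3",
    "name": "myorg/app:latest",
    "packages": [
        {"SPDXID": "SPDXRef-Package-npm-express", "name": "express", "versionInfo": "4.17.1"},
        {"SPDXID": "SPDXRef-Package-npm-express-session", "name": "express-session", "versionInfo": "1.17.3"},
        {"SPDXID": "SPDXRef-Package-npm-body-parser", "name": "body-parser", "versionInfo": "1.19.0"},
    ],
}
SBOM_AFTER = {  # the rebuilt image: express@4.17.3
    "spdxVersion": "SPDX-2.3",
    "name": "myorg/app:v2",
    "packages": [
        {"SPDXID": "SPDXRef-Package-npm-express", "name": "express", "versionInfo": "4.17.3"},
        {"SPDXID": "SPDXRef-Package-npm-express-session", "name": "express-session", "versionInfo": "1.17.3"},
        {"SPDXID": "SPDXRef-Package-npm-body-parser", "name": "body-parser", "versionInfo": "1.19.2"},
    ],
}


def parse_version(version: str) -> tuple:
    """Turn '4.17.3' or '4.17.3-beta.1' into a sortable key.

    Numeric components compare as integers (so 4.20.0 > 4.17.3), and a
    pre-release tag sorts below the plain release of the same number.
    """
    core, _, prerelease = version.partition("-")
    numbers = tuple(int(part) for part in re.findall(r"\d+", core)) or (0,)
    return (numbers, 0 if prerelease else 1, prerelease)


def matching_packages(sbom: dict, pattern: str, exact: bool = False) -> list:
    """Return (name, version) pairs whose package name matches `pattern`.

    Substring matching is the loose behaviour of a name filter: 'express'
    also catches 'express-session'. A CI gate should pass exact=True so an
    unrelated package can never mask the one being checked.
    """
    pairs = []
    for pkg in sbom.get("packages", []):
        name = pkg.get("name", "")
        if name == pattern if exact else pattern in name:
            pairs.append((name, pkg.get("versionInfo", "")))
    return pairs


def unfixed_versions(sbom: dict, package: str, fixed_version: str) -> list:
    """List every installed copy of `package` that is still below `fixed_version`.

    npm can install the same package several times (nested node_modules), so
    all copies are checked, not just the first.
    """
    floor = parse_version(fixed_version)
    return [
        (name, ver)
        for name, ver in matching_packages(sbom, package, exact=True)
        if parse_version(ver) < floor
    ]


def verify_remediation(sbom: dict, package: str, fixed_version: str) -> bool:
    """True when no copy of `package` in the SBOM is below the fixed version."""
    return not unfixed_versions(sbom, package, fixed_version)


if __name__ == "__main__":
    # Usage: python check_sbom.py sbom.spdx.json express 4.17.3
    if len(sys.argv) != 4:
        sys.exit("usage: check_sbom.py SBOM.json PACKAGE FIXED_VERSION")
    with open(sys.argv[1], encoding="utf-8") as fh:
        document = json.load(fh)
    stale = unfixed_versions(document, sys.argv[2], sys.argv[3])
    for name, ver in stale:
        print(f"{name} {ver} is below the fixed version {sys.argv[3]}")
    sys.exit(1 if stale else 0)
```

Run it against the rebuilt image’s SBOM with python check_sbom.py sbom.spdx.json express 4.17.3. A non-zero exit means a copy of express below 4.17.3 is still installed in the image, which is exactly what happens when package.json was edited but the lockfile that npm ci installs from was not. Exact matching is deliberate: a loose name filter also matches express-session, which is not the package the fix is about.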

Conclusion: Enablement and Analysis of Docker Scout
This post was a follow-up to our initial setup guide, diving into enabling Docker Scout for your organization and scanning both local and remote images. You now know how to authenticate, enroll your org, enable repositories, and interpret CVE data to identify security issues early.
Next up: Learn how to enforce policies and improve compliance.
Go to Part 3: Evaluate policy compliance & improve compliance of Docker Scout