
Docker Scout

License: Freemium
Suphi Cankurt
AppSec Enthusiast
Updated February 25, 2026
3 min read
Key Takeaways
  • Docker's native security scanning tool, integrated directly into Docker Desktop, Docker Hub, and the Docker CLI — no separate installation or configuration required.
  • Aggregates vulnerability data from 23 advisory sources including NVD, GitHub Advisory Database, and vendor-specific feeds, using Package URL (PURL) matching to reduce false positives.
  • Generates SBOMs in CycloneDX and SPDX formats with a policy evaluation engine for enforcing security standards across CI/CD pipelines.
  • Free tier (Docker Personal) includes continuous vulnerability analysis for 1 repository; Team and Business plans offer unlimited Scout-enabled repos.

Docker Scout is Docker’s built-in security analysis tool for container images. It scans images for vulnerabilities, generates SBOMs, and suggests fixes. It works inside Docker Desktop, Docker Hub, and the Docker CLI with no extra setup.

Scout builds an inventory of every package and dependency inside a container image (the Software Bill of Materials), then matches those components against a vulnerability database that pulls from 23 advisory sources.

How does Docker Scout scan images?

Docker Scout scans container images by decomposing image layers, identifying OS packages and application dependencies, and matching them against 23 advisory database sources. Results include CVE IDs, severity scores (CVSS v4 when available), affected versions, and remediation steps. The scanning happens automatically when you push an image to Docker Hub, or on-demand through the CLI and Docker Desktop.

Most scanners rely on broad CPE (Common Platform Enumeration) matching, which produces false positives when package names overlap across ecosystems. Scout uses Package URLs (PURLs) instead, which tie a vulnerability to a specific package type, namespace, name, and version. In practice, this means fewer false positives than CPE-based scanners produce.

  • Vulnerability Detection: scans container image layers and dependencies against 23 advisory sources including NVD, GitHub Advisory Database, CISA KEV catalog, and distribution-specific security trackers.
  • SBOM Generation: produces a Software Bill of Materials in CycloneDX and SPDX formats for compliance, audit, and supply chain visibility purposes.
  • Policy Evaluation: defines and enforces security policies across images. Evaluate compliance before deployment and track policy violations across your image portfolio.

What are Docker Scout’s key features?

  • Advisory sources: 23 databases including NVD, GitHub, GitLab, CISA KEV, EPSS, and distribution trackers
  • SBOM formats: CycloneDX, SPDX
  • Severity scoring: CVSS v4 preferred, falls back to v3; vendor scores prioritized over NIST
  • Matching method: Package URL (PURL) matching instead of broad CPE matching
  • VEX support: Vulnerability Exploitability eXchange for suppressing non-applicable findings
  • Integration points: Docker Desktop, Docker Hub, Docker CLI, CI/CD platforms, third-party registries
  • Free tier: 1 repo with continuous analysis (Docker Personal)

Docker Desktop integration

Scout is built into Docker Desktop. Pull or build an image, and vulnerability information shows up in the Desktop UI without any extra setup. CVEs, affected packages, and remediation suggestions are right there in the same interface you use for container management.

Policy evaluation

The policy evaluation engine lets security teams set standards that images must meet before deployment. You can check for severity thresholds, required base image versions, outdated packages, and compliance with organizational baselines. Policy results plug into CI/CD pipelines to gate deployments.

VEX support

Scout supports VEX (Vulnerability Exploitability eXchange) statements. When a CVE exists in a package but is not exploitable in your specific context, you attach a VEX statement to suppress it from results. This keeps the noise down so your team focuses on vulnerabilities that actually matter.

CLI scanning

The docker scout CLI commands work with any locally available image:

# Quick vulnerability overview
docker scout quickview myapp:latest

# Detailed CVE listing
docker scout cves myapp:latest

# Compare two image versions
docker scout compare myapp:latest --to myapp:previous

# Generate SBOM
docker scout sbom myapp:latest --format spdx-json > sbom.json
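The following is an added example, not code from Docker or from this page, illustrating two points made above: why PURL-based matching produces fewer false positives than name-only (CPE-style) matching, and how an OpenVEX "not_affected" statement suppresses a finding that does not apply. It takes an SPDX 2.3 JSON document in the shape `docker scout sbom --format spdx-json` writes, but the SBOM, the advisory list (placeholder IDs, not real CVEs), and the VEX document are all constructed inline so the script runs offline. The PURL parser and the version comparison are deliberately minimal, not the full PURL or Debian version specifications.

```python
"""Added example (not Docker Scout's code or the page's): match an SPDX SBOM
against advisories by Package URL, show the false positive a name-only match
produces, and suppress a finding with an OpenVEX "not_affected" statement.
Every document, package and advisory ID below is constructed for illustration.
"""
import json
import re
from urllib.parse import unquote

# Constructed SPDX 2.3 JSON in the shape `docker scout sbom --format spdx-json`
# emits, trimmed to the fields this example reads. Two packages share the name
# "lodash" but live in different ecosystems (npm vs a Go module).
SPDX_SBOM = json.loads("""
{
  "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "myapp:latest",
  "packages": [
    {"SPDXID": "SPDXRef-pkg-1", "name": "lodash", "versionInfo": "4.17.20",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                       "referenceLocator": "pkg:npm/lodash@4.17.20"}]},
    {"SPDXID": "SPDXRef-pkg-2", "name": "lodash", "versionInfo": "v1.2.0",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                       "referenceLocator": "pkg:golang/github.com/example/lodash@v1.2.0"}]},
    {"SPDXID": "SPDXRef-pkg-3", "name": "openssl", "versionInfo": "3.0.11-1~deb12u2",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                       "referenceLocator": "pkg:deb/debian/openssl@3.0.11-1~deb12u2?arch=amd64"}]},
    {"SPDXID": "SPDXRef-pkg-4", "name": "requests", "versionInfo": "2.31.0",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                       "referenceLocator": "pkg:pypi/requests@2.31.0"}]}
  ]
}
""")

# Constructed advisory list keyed by versionless PURL; the IDs are placeholders.
ADVISORIES = [
    {"id": "PLACEHOLDER-CVE-0001", "purl": "pkg:npm/lodash", "fixed_in": "4.17.21", "severity": "high"},
    {"id": "PLACEHOLDER-CVE-0002", "purl": "pkg:deb/debian/openssl", "fixed_in": "3.0.11-1~deb12u3", "severity": "medium"},
    {"id": "PLACEHOLDER-CVE-0003", "purl": "pkg:pypi/requests", "fixed_in": "2.32.0", "severity": "medium"},
]

# Constructed OpenVEX document declaring the openssl finding not_affected.
OPENVEX = json.loads("""
{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://example.invalid/vex/placeholder-1",
  "author": "constructed example", "timestamp": "2026-01-01T00:00:00Z", "version": 1,
  "statements": [
    {"vulnerability": {"name": "PLACEHOLDER-CVE-0002"},
     "products": [{"@id": "pkg:deb/debian/openssl@3.0.11-1~deb12u2"}],
     "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path"}
  ]
}
""")


def parse_purl(purl):
    """Split pkg:type/namespace/name@version?qualifiers#subpath into parts.
    Qualifiers and subpath are dropped; this is a minimal parser, not the spec."""
    if not purl.startswith("pkg:"):
        raise ValueError("not a PURL: %r" % purl)
    body = purl[4:].split("#", 1)[0].split("?", 1)[0]
    version = None
    at = body.find("@", body.rfind("/") + 1)  # only an '@' after the last '/' marks a version
    if at != -1:
        body, version = body[:at], unquote(body[at + 1:])
    parts = body.strip("/").split("/")
    return {"type": parts[0].lower(), "namespace": unquote("/".join(parts[1:-1])) or None,
            "name": unquote(parts[-1]), "version": version}


def version_key(version):
    """Simplified ordering key: numeric runs as ints, leading 'v' ignored.
    Adequate for the constructed data; real ecosystems need their own rules."""
    return tuple(int(n) for n in re.findall(r"\d+", version.lstrip("v")))


def sbom_purls(sbom):
    """Yield the PURL of every SPDX package that carries one in externalRefs."""
    for pkg in sbom["packages"]:
        for ref in pkg.get("externalRefs", []):
            if ref.get("referenceType") == "purl":
                yield ref["referenceLocator"]


def _findings(sbom, advisories, same_package):
    out = []
    for purl in sbom_purls(sbom):
        comp = parse_purl(purl)
        for adv in advisories:
            if same_package(comp, parse_purl(adv["purl"])) and \
                    version_key(comp["version"]) < version_key(adv["fixed_in"]):
                out.append({"id": adv["id"], "purl": purl, "severity": adv["severity"]})
    return out


def match_by_purl(sbom, advisories):
    """Ecosystem-aware matching: type, namespace and name must all agree."""
    return _findings(sbom, advisories, lambda c, t: (c["type"], c["namespace"], c["name"])
                     == (t["type"], t["namespace"], t["name"]))


def match_by_name_only(sbom, advisories):
    """Name-only matching, standing in for broad matching that flags every
    package called 'lodash' regardless of ecosystem (the false positive)."""
    return _findings(sbom, advisories, lambda c, t: c["name"] == t["name"])


def apply_vex(findings, vex_doc):
    """Drop findings covered by a not_affected OpenVEX statement for the same
    vulnerability and product (product compared as a parsed PURL, so qualifiers
    such as ?arch=amd64 do not block the match)."""
    suppressed_keys = set()
    for st in vex_doc["statements"]:
        if st["status"] != "not_affected":
            continue
        for product in st["products"]:
            p = parse_purl(product["@id"])
            suppressed_keys.add((st["vulnerability"]["name"], p["type"], p["namespace"], p["name"], p["version"]))
    kept, suppressed = [], []
    for f in findings:
        p = parse_purl(f["purl"])
        key = (f["id"], p["type"], p["namespace"], p["name"], p["version"])
        (suppressed if key in suppressed_keys else kept).append(f)
    return kept, suppressed


if __name__ == "__main__":
    precise = match_by_purl(SPDX_SBOM, ADVISORIES)
    broad = match_by_name_only(SPDX_SBOM, ADVISORIES)
    print("PURL matching:     ", [f["purl"] for f in precise])
    print("name-only matching:", [f["purl"] for f in broad])
    kept, suppressed = apply_vex(precise, OPENVEX)
    print("after VEX kept:", [f["id"] for f in kept], "suppressed:", [f["id"] for f in suppressed])
```

Run as a script, the name-only pass reports four findings while the PURL pass reports three; the extra one is the Go module that merely shares the name `lodash` with the npm package. Applying the VEX statement then removes the openssl finding, leaving two. Note that `apply_vex` honours only `not_affected` statements and compares the product PURL exactly; a real tool would also reconcile `affected`, `fixed` and `under_investigation` statements and handle version ranges per ecosystem.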

Who should use Docker Scout?

Docker Scout is best suited for teams already working within the Docker ecosystem. If your workflow runs through Docker Desktop, Docker Hub, and the Docker CLI, Scout adds vulnerability scanning without bringing in another tool or vendor. It requires no additional installation or configuration for Docker Desktop users.

The free tier (Docker Personal) provides continuous vulnerability analysis for 1 repository, making it accessible for individual developers. Docker Pro includes 2 Scout-enabled repos. Larger organizations on Docker Team or Business plans get unlimited Scout-enabled repositories for continuous monitoring across all their images.

What are Docker Scout’s limitations?

Scout only does container image analysis. It does not scan IaC files, Kubernetes clusters, source code, or running workloads. If you need broader coverage, pair it with Trivy (IaC and Kubernetes), Falco (runtime), or Kubescape (Kubernetes posture).

Scout is cloud-backed, meaning image analysis data goes through Docker’s infrastructure. If you have strict data residency requirements, check whether that works for your compliance posture.

Scanning depth depends on Docker’s advisory database. The 23 sources provide solid coverage, but matching is only as good as the SBOM extraction from image layers. Heavily customized or distroless images may have gaps in package identification.

For other container security options, browse our container security tools category.

Frequently Asked Questions

What is Docker Scout?
Docker Scout is Docker’s built-in security analysis tool that scans container images for known vulnerabilities. It generates a Software Bill of Materials (SBOM) from image layers and cross-references packages against 23 advisory database sources including the National Vulnerability Database, GitHub Advisory Database, and Linux distribution security trackers. Docker Scout is integrated into Docker Desktop, Docker Hub, and the Docker CLI.
Is Docker Scout free?
Docker Scout has a free tier included with Docker Personal accounts, providing continuous vulnerability analysis for 1 repository. Docker Pro includes 2 Scout-enabled repos. Docker Team and Business plans offer unlimited Scout-enabled repositories. All Docker users can run on-demand scans via the CLI regardless of plan.
How does Docker Scout differ from Trivy and Grype?
Docker Scout is a proprietary, cloud-backed service integrated into the Docker ecosystem (Desktop, Hub, CLI). It uses 23 advisory sources with PURL-based matching and includes a policy evaluation engine and VEX support. Trivy and Grype are open-source CLI tools that run entirely locally. Trivy scans more target types (IaC, Kubernetes clusters, filesystems) beyond container images. Grype focuses specifically on container and filesystem vulnerability scanning with SBOM input support.
What vulnerability databases does Docker Scout use?
Docker Scout aggregates data from 23 sources: NVD, GitHub Advisory Database, GitLab Advisory Database, Golang VulnDB, RustSec Advisory Database, Python Packaging Advisory Database, CISA Known Exploited Vulnerabilities catalog, EPSS (Exploit Prediction Scoring System), and distribution-specific trackers for Alpine, Debian, Ubuntu, Red Hat, Amazon Linux, Oracle Linux, SUSE, AlmaLinux, Rocky Linux, Photon OS, Wolfi, Chainguard, and Bitnami. It also includes inTheWild, a community-driven exploitation database.
Can Docker Scout scan images from registries other than Docker Hub?
Yes. Docker Scout supports third-party container registries and CI platforms in addition to Docker Hub. You can integrate Scout with other registries and run scans through the Docker CLI against any locally available or remotely accessible container image, regardless of where it is hosted.