11.1.2.4 Image Severity Ranking
A focused guide to Image Severity Ranking, connecting core concepts with practical Docker and container operations.
Image severity ranking categorizes a scan's vulnerability findings by their assessed severity, typically critical, high, medium, and low, so that remediation effort can be directed first at the findings that pose the most meaningful risk.
How Severity Levels Are Typically Assigned
Each detected vulnerability is assigned a severity level, generally based on standardized scoring criteria reflecting factors like exploitability and potential impact.
docker scout cves myapp:1.0
CRITICAL 1
HIGH 3
MEDIUM 8
LOW 12
This breakdown immediately indicates where remediation effort should be concentrated first, rather than treating every finding as equally urgent.
Why Prioritizing by Severity Is More Practical Than Addressing Everything at Once
A typical scan against a non-trivial image can surface a substantial number of findings, many of them of low practical concern. Prioritizing critical and high-severity findings first makes remediation considerably more tractable than attempting to address every finding at once.
docker scout cves myapp:1.0 --only-severity critical,high
Filtering to just the most severe findings focuses immediate attention on what matters most.
Setting a Policy Threshold for Acceptable Risk
An organization might establish a policy that blocks deployment for any critical-severity finding, while allowing lower-severity findings to be tracked and addressed on a more relaxed timeline.
docker scout cves myapp:1.0 --exit-code --only-severity critical
A CI pipeline check like this specifically gates on critical findings, reflecting a deliberate policy about which severity level genuinely warrants blocking deployment.
Why Severity Alone Isn't the Only Relevant Factor
A lower-severity finding in a component that is actually exposed to untrusted input may warrant more urgent attention than a higher-severity finding in an unused or unreachable code path. Severity ranking is a valuable starting point, not necessarily the final word on actual priority.
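The following Python script is an added example, not Docker Scout's own code or output parser. It ties together the points above over a constructed set of findings: the per-severity summary (matching the 1/3/8/12 counts shown earlier), the equivalent of filtering with --only-severity, an exit-code style policy gate that blocks only on critical findings, and a remediation order that lets exposure to untrusted input outrank raw severity. The vulnerability IDs are placeholders rather than real CVEs, the package names and exposure labels are assumptions, and the "exposure first, severity as tie-break" ordering is one simple policy chosen here to illustrate the argument, not a rule Docker Scout applies.

```python
"""Severity ranking, filtering and policy gating over scan findings.

Added example, not Docker Scout's own code: the findings below are
constructed, and their IDs are placeholders rather than real CVEs.
"""
from collections import Counter
from dataclasses import dataclass

# Lower number means more severe; this is the ranking used throughout.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
SEVERITY_NAMES = sorted(SEVERITY_RANK, key=SEVERITY_RANK.get)

# Exposure context supplied by the team, not by the scanner (assumption):
# exposed components are worked first, unreachable ones are deferred.
EXPOSURE_RANK = {"exposed": 0, "unknown": 1, "unreachable": 2}


@dataclass(frozen=True)
class Finding:
    vuln_id: str               # placeholder identifier, not a real CVE
    package: str               # affected package (constructed)
    severity: str              # one of SEVERITY_RANK
    exposure: str = "unknown"  # one of EXPOSURE_RANK


# Constructed sample scan result with the same counts as the text: 1C 3H 8M 12L.
# The single critical sits in an unreachable code path; one low is internet-facing.
SAMPLE_FINDINGS = (
    [Finding("PLACEHOLDER-0001", "openssl", "critical", "unreachable")]
    + [Finding(f"PLACEHOLDER-01{i:02d}", "libxml2", "high") for i in range(3)]
    + [Finding(f"PLACEHOLDER-02{i:02d}", "curl", "medium") for i in range(8)]
    + [Finding(f"PLACEHOLDER-03{i:02d}", "zlib", "low") for i in range(11)]
    + [Finding("PLACEHOLDER-0399", "http-parser", "low", "exposed")]
)


def summarize(findings):
    """Count findings per severity, like the CRITICAL/HIGH/MEDIUM/LOW summary."""
    counts = Counter(f.severity for f in findings)
    return {name: counts.get(name, 0) for name in SEVERITY_NAMES}


def only_severity(findings, *levels):
    """Keep just the listed tiers, the equivalent of --only-severity critical,high."""
    wanted = {lvl.lower() for lvl in levels}
    unknown = wanted - SEVERITY_RANK.keys()
    if unknown:
        raise ValueError(f"unknown severity level(s): {sorted(unknown)}")
    return [f for f in findings if f.severity in wanted]


def exit_code_for(findings, block_on=("critical",)):
    """Policy gate like --exit-code --only-severity critical: 1 if any blocking finding."""
    return 1 if only_severity(findings, *block_on) else 0


def prioritize(findings):
    """Remediation order: exposure first, then severity, then ID for a stable result."""
    return sorted(
        findings,
        key=lambda f: (EXPOSURE_RANK[f.exposure], SEVERITY_RANK[f.severity], f.vuln_id),
    )


if __name__ == "__main__":
    for name, n in summarize(SAMPLE_FINDINGS).items():
        print(f"{name.upper():<9}{n}")
    print("gate exit code:", exit_code_for(SAMPLE_FINDINGS))
    print("first five to fix:")
    for f in prioritize(SAMPLE_FINDINGS)[:5]:
        print(f"  {f.vuln_id}  {f.package:<12}{f.severity:<9}{f.exposure}")
```

Run as-is it prints the severity breakdown, a non-zero gate result because a critical finding is present, and a work queue whose first entry is the exposed low-severity finding while the unreachable critical drops to the end. The gate and the queue deliberately use different rules: blocking deployment stays a pure severity decision that CI can apply mechanically, while ordering day-to-day remediation folds in the exposure context the scanner cannot see.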
Why Image Severity Ranking Matters
Severity ranking provides an essential, practical basis for triaging scan findings, making it possible to focus limited remediation effort where it matters most rather than being overwhelmed by an undifferentiated list of every detected issue.