11.1.2 Image Vulnerability Scanning
A focused guide to Image Vulnerability Scanning, connecting core concepts with practical Docker and container operations.
Image vulnerability scanning inventories the packages installed in an image (OS packages and, for most scanners, language-level dependencies such as npm modules) and matches their versions against published vulnerability databases. It surfaces known issues that should be reviewed and addressed before an image is deployed, and it complements rather than replaces choosing trusted base images in the first place: a scanner can only report vulnerabilities that have already been published against a package version, not flaws in your own code or issues that have not yet been disclosed.
Running a Scan Against a Local Image
A scanning tool checks an image's packages against current vulnerability data, reporting any known issues found.
docker scout cves myapp:1.0
CRITICAL 1
HIGH 3
MEDIUM 8
This summary reveals the severity breakdown of known vulnerabilities found within the image's installed packages.
Reviewing Specific Findings in Detail
Beyond the summary count, the per-vulnerability output identifies each finding by its CVE or advisory ID together with the affected package, the vulnerable version range and the version that fixes it, if one exists.
docker scout cves myapp:1.0 --only-fixed
Filtering to vulnerabilities that already have a fixed version available separates actionable findings from those with no current remediation path. The unfixed ones are not noise: record them and recheck on later scans, since a fix can appear at any time.
Integrating Scanning Into a CI Pipeline
Running a scan automatically as part of every build, with the pipeline configured to fail on sufficiently severe findings, catches vulnerable images before they're ever deployed.
docker scout cves myapp:1.0 --exit-code --only-severity critical,high
With --exit-code, the command exits 0 when no matching vulnerabilities are found and 2 when at least one is, so a CI step that runs it fails the job automatically and can gate the deployment step. Because --only-severity also filters the report, medium and low findings are not shown in this run; review them in a separate, non-gating scan if you want them tracked.
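The following wrapper is an added example for this section, not code from the original page or from Docker. It runs the gating command above from a CI job and turns the scanner's exit status into a deploy/block verdict. It assumes Docker Scout's documented behaviour that --exit-code yields 0 when nothing matches and 2 when vulnerabilities are found; the environment variable SCOUT_SEVERITY and the optional stand-in scan command are conveniences introduced here for configuration and offline testing.

```bash
#!/usr/bin/env bash
# Added example (not from the original page or from Docker): CI gate around
# `docker scout cves ... --exit-code`.
#
# Assumption, per Docker Scout's documented behaviour: with --exit-code the
# scan exits 0 when no matching vulnerabilities are found and 2 when some are.
# Any other exit code (docker scout not installed, image not found, network
# or auth failure) means the scan did not complete. That is also a block:
# a pipeline must never deploy an image it failed to scan.
set -u

# Severities that fail the build; override in CI with SCOUT_SEVERITY=critical.
SCOUT_SEVERITY="${SCOUT_SEVERITY:-critical,high}"

# gate_image IMAGE [SCAN_CMD...]
# Returns 0 when the image may be deployed and 1 when it must be blocked.
# SCAN_CMD defaults to the real docker scout invocation; tests pass a stand-in
# command that simply exits 0, 1 or 2 so the gate logic runs offline.
gate_image() {
  local image="$1"; shift
  if [ "$#" -eq 0 ]; then
    set -- docker scout cves "$image" --exit-code --only-severity "$SCOUT_SEVERITY"
  fi
  local rc=0
  "$@" || rc=$?
  case "$rc" in
    0) echo "PASS  $image: no $SCOUT_SEVERITY vulnerabilities found"; return 0 ;;
    2) echo "BLOCK $image: $SCOUT_SEVERITY vulnerabilities found, see scan output" >&2; return 1 ;;
    *) echo "BLOCK $image: scan did not complete (exit $rc); refusing to deploy an unscanned image" >&2; return 1 ;;
  esac
}

# Stand-alone usage: ./gate.sh myapp:1.0  (the script's exit status is the verdict)
if [ -n "${1:-}" ]; then
  gate_image "$1"
fi
```

The point of the explicit case statement is the third branch: if the job simply ran the scan under set -e, a scanner crash and a vulnerable image would both fail the job, but a misconfigured pipeline that ignores scanner errors (or a scan that silently never ran) would let unscanned images through. Mapping every non-zero code other than 2 to a labelled block keeps the failure visible in the job log.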
Addressing Findings by Updating Affected Packages
Most findings are resolved by moving the affected package to a version that contains the fix. For OS packages that usually means rebuilding on a newer base image (update the tag or the pinned digest) and upgrading the distribution packages during the build; for application dependencies such as npm modules it means updating the lockfile. Rescan the rebuilt image to confirm the finding is gone.
FROM node:20-alpine
# Upgrade OS packages to their fixed versions (--no-cache avoids storing the apk index in the layer).
# Cached layers hide new fixes: rebuild with `docker build --pull --no-cache` to pick them up.
RUN apk upgrade --no-cache
Why Image Vulnerability Scanning Matters
Regular, ideally automated vulnerability scanning is an essential practice for catching known security issues before deployment, providing concrete, actionable findings that complement the more general practice of choosing trusted image sources in the first place.