
13.1.1.4 Pipeline Image Scan

A focused guide to Pipeline Image Scan, connecting core concepts with practical Docker and container operations.

Pipeline image scan automatically checks a newly built image for known vulnerabilities as part of the CI pipeline, gating subsequent steps like publishing or deployment on the scan's results, catching security issues before a vulnerable image ever reaches a registry or production.

Adding a Scan Step to the Pipeline

A scanning step runs immediately after the build, before any subsequent push or deployment step.

on: push
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: docker build -t myapp:${{ github.sha }} .
      # --exit-code makes Docker Scout exit non-zero when findings at the selected severities exist,
      # so the job stops here and the push step below never runs. Assumes the Docker Scout CLI
      # plugin is available on the runner and the runner is signed in to Docker Hub.
      - run: docker scout cves myapp:${{ github.sha }} --exit-code --only-severity critical,high
      - run: docker push myapp:${{ github.sha }}

The scan step's exit code determines whether the pipeline continues. With --exit-code, Docker Scout returns a non-zero status when it finds a critical or high-severity vulnerability, so the job halts at that step and the push step never runs.

Why Gating on Scan Results Prevents Vulnerable Images From Being Published

Without this gate, a vulnerable image could be pushed, and potentially deployed, before anyone notices its vulnerabilities. Placing the scan before the push step catches this category of issue at the earliest practical point.

- run: docker scout cves myapp:${{ github.sha }} --exit-code --only-severity critical

A pipeline configured this way never publishes an image with a known, unaddressed critical vulnerability (the scanner can only report what its vulnerability database contains).

Balancing Strictness Against Pipeline Friction

Setting an appropriately calibrated severity threshold, blocking only on genuinely severe findings rather than on every low-severity one, keeps the pipeline from being routinely blocked by findings that do not represent meaningful, urgent risk.

docker scout cves myapp:1.0 --only-severity critical,high

Reviewing and Tracking Findings That Don't Block the Pipeline

Lower-severity findings, while not blocking, should still be reviewed and tracked rather than entirely ignored, ensuring they're eventually addressed on a more relaxed timeline.

docker scout cves myapp:1.0 --format json > scan-results.json
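The three steps above (gate on the blocking severities, keep the full report for the findings that do not block, push only when the gate passes) fit naturally into one wrapper script that a pipeline step can call. The script below is an added example, not code from this page or from Docker; the file name gate_image.sh, the BLOCKING_SEVERITIES and REPORT_DIR variables and the scan_image/push_if_clean functions are assumptions of the example. It relies on Docker Scout's documented behaviour of exiting with status 2 under --exit-code when findings exist; any other non-zero status is treated as a scanner failure and also blocks the push, so the gate fails closed rather than open. It assumes the Docker Scout CLI plugin is installed and signed in on the runner and that the image has already been built locally.

```shell
#!/bin/sh
# gate_image.sh (hypothetical name): scan a built image with Docker Scout, keep the
# full report for review, and push only when no finding at or above the blocking
# severities exists. Added example; assumes the Docker Scout CLI plugin is installed
# and signed in on the runner and that the image has already been built locally.

# Severities that block the push; everything below them is recorded only.
BLOCKING_SEVERITIES="${BLOCKING_SEVERITIES:-critical,high}"
# Where the full reports used to track non-blocking findings are written.
REPORT_DIR="${REPORT_DIR:-./scan-reports}"

# scan_image IMAGE
# Return codes: 0 = clean at the blocking severities, 1 = blocking findings,
# 2 = the scanner did not complete (treated as a failure, never as a pass).
scan_image() {
  image="$1"
  mkdir -p "$REPORT_DIR"
  report="$REPORT_DIR/$(printf '%s' "$image" | tr '/:' '__').json"

  # Full report at every severity, saved for later review. This run is not the
  # gate, so a failure here means the scanner itself did not work.
  if ! docker scout cves "$image" --format json > "$report"; then
    echo "scan of $image failed: no report produced" >&2
    return 2
  fi

  # The gate: with --exit-code, Docker Scout exits with status 2 when findings at
  # the selected severities exist and 0 when the image is clean at those severities.
  docker scout cves "$image" --exit-code --only-severity "$BLOCKING_SEVERITIES"
  case $? in
    0) return 0 ;;
    2) echo "blocking findings ($BLOCKING_SEVERITIES) in $image; full report: $report" >&2
       return 1 ;;
    *) echo "scan of $image failed during the gate run" >&2   # fail closed
       return 2 ;;
  esac
}

# push_if_clean IMAGE: push only when the gate passed; otherwise return the gate's status.
push_if_clean() {
  scan_image "$1"
  status=$?
  if [ "$status" -eq 0 ]; then
    docker push "$1"
  else
    echo "push of $1 blocked (status $status)" >&2
    return "$status"
  fi
}

# Usage: sh gate_image.sh IMAGE (does nothing without an argument, e.g. when sourced).
if [ -n "${1:-}" ]; then
  push_if_clean "$1"
fi
```

In a pipeline the step becomes a single `sh gate_image.sh myapp:${{ github.sha }}`; the saved report in REPORT_DIR is what gets archived or fed into an issue tracker for the lower-severity findings, while the job's exit status still stops the push on a critical or high finding or on a scanner error.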

Why Pipeline Image Scan Matters

Integrating vulnerability scanning directly into the CI pipeline, with an appropriately calibrated severity gate, is an essential practice for catching security issues automatically and consistently, before they have any opportunity to reach a published registry or production deployment.