Docker Scout and Supply Chain Security: From Build to Production
Docker Scout is Docker's built-in supply chain security platform — CVEs, policy governance, SBOM with CycloneDX/SPDX, SLSA provenance, auto-fix PRs, and GitHub Actions/GitLab CI integration for image analysis from build to production..
20+ years shipping production infrastructure and CI/CD at scale. Notes here come from systems that actually shipped.
- ✓Production DevOps experience
- ✓Deep understanding of the tool's internals
- ✓Experience debugging distributed systems
Docker Scout is a supply chain security platform from Docker that analyzes container images for vulnerabilities, generates SBOMs (CycloneDX/SPDX), enforces custom policies, and can auto-create GitHub PRs to fix vulnerable dependencies. It integrates natively with docker scout CLI commands, Docker Desktop, Docker Hub, GitHub Actions, and GitLab CI. It supports SLSA provenance attestations and can gate deployments based on policy compliance. Pricing: included with Docker Pro/Team/Business subscriptions, with additional features at higher tiers.
Imagine every Docker image is like a shipping container full of packages. Docker Scout is the customs inspector who opens the container, lists every single item inside (that's the SBOM), checks each item against a database of known defective or dangerous items (the CVE database), and gives you a report: 'This container has 3 high-risk packages, one of which has a known fix available.' If your company policy says 'no high-risk items allowed', Docker Scout stops the container at the door. It can even automatically order replacement parts (auto-fix PRs) for the broken items.
The SolarWinds attack of 2020 and the log4j crisis of 2021 taught the industry a painful lesson: you cannot secure what you cannot see. Most teams had no idea log4j was in their images until scanners found it — and even then, mapping which images needed patching across hundreds of microservices took weeks. Supply chain security isn't just about scanning at build time; it's about knowing what's in every running container, every hour, and having the policy infrastructure to block a compromise before it reaches production.
Docker Scout was launched as Docker's answer to this gap. Rather than being yet another standalone scanner, it's a platform that embeds security into the existing Docker workflow. You already run docker build and docker push — Docker Scout hooks into those commands to analyze images as they're built, store the SBOM alongside the image in the registry, and continuously evaluate against fresh CVE data. When a new CVE is published that affects a package in your image, Docker Scout alerts you — even if the image was built six months ago.
The result is a shift from reactive scanning ('we scan before deployment') to continuous governance ('every image is evaluated on every push, and policy violations block deployment'). This article covers how to set up Docker Scout, interpret its output, write policy files, integrate with GitHub Actions and GitLab CI, generate and export SBOMs, and compare it against other tools like Trivy and Grype so you can decide where it fits in your security stack.
Setting Up Docker Scout and Running Your First Scan
Docker Scout is included with Docker Desktop (enabled by default) and available as a CLI plugin for Docker Engine. To verify it's installed: docker scout version. If not installed, you can add it via docker scout install or download the plugin from the Docker Hub marketplace. You need a Docker Pro/Team/Business subscription for full functionality — the free tier includes basic CVE scanning but lacks policy enforcement and auto-fix PRs.
The first step is enrolling your image or repository: docker scout enroll <image> registers it with Scout's analysis engine. Once enrolled, Scout builds an SBOM and runs vulnerability analysis. You can see the results with docker scout quickview <image> (summary) or docker scout cves <image> (detailed CVE list).
The output shows CVEs grouped by severity (critical, high, medium, low), with columns for package name, installed version, fixed version (if available), and a CVE ID linking to the advisory.
Policy-Based Governance: Blocking Vulnerable Images in CI
The real power of Docker Scout isn't CVE scanning — it's policy-based governance. You define a policy file (.scout-policy.yaml) that specifies rules like 'no critical CVEs', 'must use approved base images', or 'must have SLSA provenance attestations'. When the policy is evaluated during CI, Scout checks the image against every rule and returns a pass/fail result.
A policy file uses a simple YAML syntax. Each rule has a name, a type (severity, base_image, provenance), and parameters. Rules can be combined with AND logic. The block_on directive determines when a violation prevents deployment: push blocks the image from being pushed to the registry, while warn only logs a warning.
Policies are version-controlled and stored alongside your application code. This means security rules evolve with your application.
docker scout policy. Ensure the policy file is checked into your repository and accessible during CI. Server-side policy evaluation is also available for Docker Business customers.Generating and Exporting SBOMs (CycloneDX and SPDX)
A Software Bill of Materials (SBOM) is the foundation of supply chain security. Docker Scout generates SBOMs in two industry-standard formats: CycloneDX (OWASP's format, preferred for most use cases) and SPDX (ISO standard, required for some regulatory compliance). The SBOM lists every OS package, language dependency (npm, pip, go, maven, nuget), and binary component in the image, along with version information and licenses.
To generate an SBOM: docker scout sbom --format cyclonedx <image> > sbom.json. The output is a standardized JSON document that can be consumed by other tools, uploaded to S3, or attached to a release. Docker Scout also stores the SBOM alongside the image in the registry.
For CI/CD integration, generate the SBOM as a build artifact and store it in your artifact repository alongside the image. This gives auditors a complete history of what was in every image at every point in time.
- CycloneDX is the preferred format for most teams — tooling support is strongest
- SPDX is required for some regulatory frameworks (FDA, EU Cyber Resilience Act)
- Generate SBOM at build time, not retroactively
- Store SBOMs as CI artifacts alongside container images
Docker Scout vs Trivy vs Grype: Which Scanner to Use When
Docker Scout, Trivy, and Grype are all capable container scanners, but they serve different niches. Docker Scout is the only one that integrates natively with the Docker ecosystem — it scans images as part of docker build, stores SBOMs in the registry, and provides policy-based governance. Trivy is the most comprehensive standalone scanner — it scans not just containers but also filesystems, Git repos, Kubernetes clusters, and IaC templates. Grype is a lightweight, fast scanner focused specifically on container vulnerability scanning, often paired with Syft for SBOM generation.
Pricing: Docker Scout is included with Docker Pro ($5/month), Team ($9/month), and Business ($21/month) subscriptions. Trivy is free and open-source (Apache 2.0). Grype is free and open-source (Apache 2.0). All three can be run in CI pipelines.
CI/CD Integration: GitHub Actions and GitLab CI
Docker Scout integrates natively with both GitHub Actions and GitLab CI. For GitHub Actions, use the docker/scout-action action. It supports analyzing images, evaluating policies, and outputting results as SARIF for GitHub's security tab. For GitLab CI, use the docker/scout-gitlab-ci template or the docker scout CLI directly.
The recommended flow is: build image → run Scout analysis → evaluate policy → push to registry. If policy evaluation fails, the pipeline stops before the push.
github/codeql-action/upload-sarif@v3.node:22-slim base image had a critical libuv CVE. Scout blocked the build, preventing the vulnerable image from reaching 50 production pods.Critical CVE in Base Image Silently Deployed to 200 Pods — Docker Scout Would Have Caught It
node:18) that had been silently updated by the Docker Hub maintainer to include a new layer with a vulnerable libuv version.node:18) was sufficient. Nobody expected a floating tag within a major version to introduce new CVEs silently. They also believed their weekly scan cadence was fast enough.node:18 was floating. The Dockerfile used FROM node:18 without a digest pin. The publisher pushed a new update that changed the underlying layers without changing the tag. The team's weekly scan ran on Saturday — the vulnerability was introduced on Tuesday. That's 4 days of blast exposure multiplied by 200 pods.FROM statements to pin exact digests using FROM node:18@sha256:abc123....
2. Enabled Docker Scout with continuous monitoring on all images in Docker Hub.
3. Set a policy: deny: cvss >= 7.0 with block_on: push.
4. Added docker scout cves to CI as a mandatory step before docker push.
5. Implemented automated Slack alerts via Docker Scout webhooks when new CVEs are detected in existing images.
6. Ran a one-time docker scout recommendations on all images to identify base image upgrades.- Floating base image tags are a security risk — pin digests to ensure reproducible builds and known CVE baselines.
- Point-in-time scanning is insufficient. Continuous monitoring catches CVEs introduced after deployment.
- Policy-based blocking prevents non-compliant images from ever reaching production during CI.
- Docker Scout's SBOM persistence across image lifecycles enables post-deployment CVE detection.
docker scout sbom <image> to verify. If no SBOM exists, Scout cannot analyze it. Re-pull the image and run docker scout enroll to onboard the image into Scout's analysis pipeline.docker scout policy <image> locally to see the full policy evaluation output. Check which specific policy rule was violated and the CVSS threshold configured. The policy file may be too strict or have unapproved base images listed.docker scout enroll --org <org> org setup and the repository to be linked in Docker Hub.docker scout sbom --format cyclonedx <image> to force a different analysis mode.docker scout recommendations <image> to get base image upgrade suggestions. The mitigation may be to remove the affected package or switch to a different base image version.| File | Command / Code | Purpose |
|---|---|---|
| docker-scout-first-scan.sh | docker scout version | Setting Up Docker Scout and Running Your First Scan |
| .scout-policy.yaml | version: v1 | Policy-Based Governance |
| sbom-generation-ci.sh | docker scout sbom --format cyclonedx myapp:latest > sbom-cyclonedx.json | Generating and Exporting SBOMs (CycloneDX and SPDX) |
| docker-scout-vs-trivy-vs-grype.sh | docker scout cves myapp:latest | Docker Scout vs Trivy vs Grype |
| .github | name: Docker Scout CI | CI/CD Integration |
Key takeaways
Common mistakes to avoid
4 patternsNot enrolling images after pushing to the registry.
Using floating base image tags without digest pins.
Setting overly strict policies that block all CVEs including low-severity ones.
Generating SBOMs after deployment rather than at build time.
Interview Questions on This Topic
How does Docker Scout differ from traditional CVE scanners like Trivy or Grype?
Frequently Asked Questions
20+ years shipping production infrastructure and CI/CD at scale. Notes here come from systems that actually shipped.
That's Docker. Mark it forged?
3 min read · try the examples if you haven't