Optimizing Container Workflows with Docker Scout


Introduction

Docker Scout is an open-source tool that helps you optimize your Docker images and containers. It does this by:

  • Analyzing your Docker images and containers for issues and inefficiencies

  • Providing recommendations on how to improve and optimize them

  • Generating reports on image size, layer size, installed packages, and more

Docker Scout is a useful tool to check the health of your Docker images and containers, find issues, and get recommendations on how to optimize and improve them. It can help make your Docker deployments more efficient and secure. Docker Scout is an open-source project maintained by Snyk, the cloud-native security and vulnerability management company.

How to use Docker Scout?

  1. Using Docker Desktop: Docker Desktop can run Docker Scout to scan your images for vulnerabilities. Open Docker Desktop on your PC and search for an image you would like to scan, say busybox.

    Pull the latest official busybox image and wait for the download to finish. Then click "Docker Scout" in the left pane of the window, select the image you want to scan, and click "Analyze Image". Any problems found in the image are displayed so you can act on them.

  2. Using CLI: The Docker Scout CLI lets you analyze your images for vulnerabilities from the command line. You can install it as a Docker CLI plugin, either manually or with the install script.

There are a few ways to install the Docker Scout CLI:

Manual Installation

To install it manually:

  • Download the docker-scout binary for your platform from the scout-cli releases page.

  • Uncompress the binary and move it to the scout directory:

    • $HOME/.docker/scout on Linux and macOS

    • %USERPROFILE%\.docker\scout on Windows

  • Make it executable on Linux/macOS

  • Register the scout directory as a plugin directory in your .docker/config.json by adding the cliPluginsExtraDirs property:

{
  "cliPluginsExtraDirs": [
    "<full path to .docker/scout folder>"
  ]
}
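The steps above leave the edit of config.json to the reader. As an added example (not the post's or Docker's own code), this Python helper merges the cliPluginsExtraDirs entry into an existing config.json without dropping other keys such as auths or credsStore, runs safely more than once, and checks the executable bit that the "make it executable" step requires. The function names are mine.

```python
"""Register a manually installed Docker Scout plugin directory in config.json.

Added example, not from the original post. A hand-written or overwritten
config.json can silently lose existing keys (registry credentials,
credsStore); this merges the property into whatever is already there.
"""
import json
import os
import stat
from pathlib import Path

PLUGIN_KEY = "cliPluginsExtraDirs"  # property named in the post


def default_scout_dir() -> Path:
    """Directory the post names: $HOME/.docker/scout on Linux/macOS and
    %USERPROFILE%\\.docker\\scout on Windows. Path.home() covers both."""
    return Path.home() / ".docker" / "scout"


def register_scout_plugin(config_path: Path, scout_dir: Path) -> dict:
    """Add scout_dir to cliPluginsExtraDirs, keeping every other key intact.
    Idempotent: a directory already listed is not added twice.
    Returns the config that was written."""
    config: dict = {}
    if config_path.exists() and config_path.stat().st_size > 0:
        config = json.loads(config_path.read_text(encoding="utf-8"))
    dirs = config.get(PLUGIN_KEY)
    if not isinstance(dirs, list):
        dirs = []  # missing or malformed value: start a fresh list
    full_path = str(scout_dir.expanduser().resolve())  # the post wants the full path
    if full_path not in dirs:
        dirs.append(full_path)
    config[PLUGIN_KEY] = dirs
    config_path.parent.mkdir(parents=True, exist_ok=True)
    config_path.write_text(json.dumps(config, indent=2) + "\n", encoding="utf-8")
    return config


def plugin_binary_ready(scout_dir: Path) -> bool:
    """The post's 'make it executable' step: True when docker-scout exists in
    scout_dir and, on POSIX, carries the owner execute bit."""
    if os.name == "nt":
        return (scout_dir / "docker-scout.exe").is_file()
    binary = scout_dir / "docker-scout"
    return binary.is_file() and bool(binary.stat().st_mode & stat.S_IXUSR)


if __name__ == "__main__":
    target = default_scout_dir()
    cfg = register_scout_plugin(Path.home() / ".docker" / "config.json", target)
    print(json.dumps(cfg, indent=2))
    print("docker-scout executable:", plugin_binary_ready(target))
```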

Script Installation

Alternatively, run the install script (review the script before piping it to a shell):

curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s --

Running an Analysis

Once installed, you can run an analysis with:

docker scout cves <image> [--only-severity <critical|high|medium|low>]

This will scan the given image and report any vulnerabilities found, filtering by severity if specified.

To fail a build when critical or high-severity vulnerabilities are found, add the --exit-code flag:

docker scout cves <image> --exit-code --only-severity critical,high

Conclusion

Docker Scout helps you:

  • Reveal the full composition of your container images

  • Dig into details of the packages and layers that make up your images

  • Identify vulnerabilities and security risks in the dependencies used in your images

  • Stay up to date with the latest vulnerability advisories from the advisory database

  • Integrate Docker Scout with your CI/CD pipelines, registries, and other tools

  • Ensure your container images align with supply chain best practices (with Policy Early Access)

  • Upgrade to a paid plan for support of more repositories

The Docker Desktop 4.25 release includes some enhancements for Docker Scout users:

  • A new setting to easily enable or disable Scout SBOM indexing for local images

  • Administrators can define organizational settings to control Scout access for their developers

In summary, Docker Scout is a useful tool to gain visibility into the security of your container images and proactively fix issues to create more secure software supply chains. The integration with Docker Desktop makes it easy to get started analyzing your local development images.