Image Vulnerability Scanning

Beginner5 minTrending

Scan Docker images for known security vulnerabilities using Docker Scout before pushing to production.

Prerequisites

-Docker Desktop with Scout, or Trivy installed

Steps

Quick scan with Docker Scout

Run a vulnerability scan on an image using Docker Scout.

$ docker scout cves myapp:latest

Docker Scout is built into Docker Desktop. For CI, you can also use Trivy, Snyk, or Grype.

Scan with Trivy as an alternative

Use Trivy for a comprehensive vulnerability scan if Docker Scout is not available.

$ docker run --rm -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy image myapp:latest

Filter results by severity

Show only critical and high severity vulnerabilities.

$ docker run --rm -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy image --severity HIGH,CRITICAL myapp:latest

Full Script

full-script.sh

#!/bin/bash
# Image Vulnerability Scanning
set -euo pipefail

IMAGE=${1:?"Usage: $0 <image-name>"}

echo "=== Scanning $IMAGE for vulnerabilities ==="

if command -v docker scout &>/dev/null || docker scout version &>/dev/null 2>&1; then
  echo "Using Docker Scout..."
  docker scout cves "$IMAGE"
else
  echo "Docker Scout not available. Using Trivy..."
  docker run --rm -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy image --severity HIGH,CRITICAL "$IMAGE"
fi

FAQ

Discussion

Loading comments...

#!/bin/bash # Image Vulnerability Scanning set -euo pipefail IMAGE=${1:?"Usage: $0 <image-name>"} echo "=== Scanning $IMAGE for vulnerabilities ===" if command -v docker scout &>/dev/null || docker scout version &>/dev/null 2>&1; then echo "Using Docker Scout..." docker scout cves "$IMAGE" else echo "Docker Scout not available. Using Trivy..." docker run --rm -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy image --severity HIGH,CRITICAL "$IMAGE" fi