Docker Scout CLI release notes
This page contains information about the new features, improvements, known
issues, and bug fixes in the Docker Scout CLI plugin
and the docker/scout-action GitHub Action.
1.18.4
2025-10-02
Bug fixes
- VEX and SPDX fixes.
1.18.3
2025-08-13
New
- Add `docker scout vex get` command to retrieve a merged VEX document from all VEX attestations.
Bug fixes
- Minor fixes for Docker Hardened Images (DHI).
1.18.2
2025-07-21
New
- Add `--skip-tlog` flag to `docker scout attest get` to skip signature verification against the transparency log.
Enhancements
- Add predicate type human-readable names for DHI FIPS and STIG attestations.
Bug fixes
- Do not filter CVEs that are marked with a VEX `under_investigation` statement.
- Minor fixes for Docker Hardened Images (DHI).
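As an added illustration of the 1.18.2 fix (example code written here, not Scout's own implementation): a minimal model of applying an OpenVEX document to a list of findings, in which only `not_affected` (and, as an assumption, `fixed`) statements suppress a CVE, while `under_investigation` and `affected` leave it visible. The VEX document, the placeholder CVE-0000-0001, and the findings are constructed samples.

```python
import json

# Constructed sample OpenVEX document (not from the page). CVE-0000-0001 is
# a placeholder identifier; the netty purl matches the example on this page.
SAMPLE_VEX = json.dumps({
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://example.invalid/vex/sample",
    "author": "constructed example",
    "timestamp": "2025-01-01T00:00:00Z",
    "version": 1,
    "statements": [
        {
            "vulnerability": {"name": "CVE-2023-44487"},
            "products": [{"@id": "pkg:maven/io.netty/netty-codec-http2@4.1.97.Final"}],
            "status": "not_affected",
            "justification": "vulnerable_code_not_in_execute_path",
        },
        {
            "vulnerability": {"name": "CVE-0000-0001"},
            "products": [{"@id": "pkg:maven/io.netty/netty-codec-http2@4.1.97.Final"}],
            "status": "under_investigation",
        },
    ],
})

# Statuses that justify hiding a finding. Treating "fixed" as suppressing is
# an assumption of this example; "affected" and "under_investigation" never
# suppress, which is the behaviour the 1.18.2 fix restores.
SUPPRESSING_STATUSES = {"not_affected", "fixed"}


def apply_vex(vex_json, findings):
    """Return the (cve, purl) findings that the VEX document does not suppress."""
    suppressed = set()
    for stmt in json.loads(vex_json).get("statements", []):
        if stmt.get("status") not in SUPPRESSING_STATUSES:
            continue  # under_investigation / affected: keep the CVE visible
        cve = stmt["vulnerability"]["name"]
        for product in stmt.get("products", []):
            suppressed.add((cve, product["@id"]))
    return [f for f in findings if f not in suppressed]


if __name__ == "__main__":
    purl = "pkg:maven/io.netty/netty-codec-http2@4.1.97.Final"
    findings = [("CVE-2023-44487", purl), ("CVE-0000-0001", purl)]
    for cve, pkg in apply_vex(SAMPLE_VEX, findings):
        print(f"{cve} still reported for {pkg}")
```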
1.18.1
2025-05-26
Bug fixes
- Fix issues with `docker scout attest list` and `docker scout attest get` for local images.
1.18.0
2025-05-13
New
- Add `docker scout attest list` and `docker scout attest get` commands to list attestations.
- Add support for Docker Hardened Images (DHI) VEX documents.
1.16.1
2024-12-13
Bug fixes
- Fix in-toto subject digest for the `docker scout attestation add` command.
1.16.0
2024-12-12
New
- Add secret scanning to the `docker scout sbom` command.
- Add support for attestations for images from Tanzu Application Catalog.
Enhancements
- Normalize licenses using the SPDX license list.
- Make licenses unique.
- Print platform in markdown output.
- Keep original pattern to find nested matches.
- Updates to make SPDX output spec-compliant.
- Update Go, crypto module, and Alpine dependencies.
Bug fixes
- Fix behavior with multiple images in the `docker scout attest` command.
- Check directory existence before creating temporary file.
1.15.0
2024-10-31
New
- New `--format=cyclonedx` flag for `docker scout sbom` to output the SBOM in CycloneDX format.
Enhancements
- Use high-to-low sort order for CVE summary.
- Support for enabling and disabling repositories that were enabled by `docker scout push` or `docker scout watch`.
Bug fixes
- Improve messaging when analyzing `oci` directories without attestations. Only single-platform images and multi-platform images with attestations are supported. Multi-platform images without attestations are not supported.
- Improve classifiers and SBOM indexer:
  - Add classifier for Liquibase `lpm`.
  - Add Rakudo Star/MoarVM binary classifier.
  - Add binary classifiers for silverpeas utilities.
  - Add classifier for Liquibase.
- Improve reading and caching of attestations with the containerd image store.
1.14.0
2024-09-24
New
- Add suppression information at the CVE level in the `docker scout cves` command.
Bug fixes
- Fix listing CVEs for dangling images, for example: `local://sha256:...`
- Fix panic when analysing a file system input, for instance with `docker scout cves fs://`.
1.13.0
2024-08-05
New
- Add `--only-policy` filter option to the `docker scout quickview`, `docker scout policy` and `docker scout compare` commands.
- Add `--ignore-suppressed` filter option to the `docker scout cves` and `docker scout quickview` commands to filter out CVEs affected by exceptions.
Bug fixes and enhancements
- Use conditional policy name in checks.
- Add support for detecting the version of a Go project set using linker flags, for example:
  ```shell
  $ go build -ldflags "-X main.Version=1.2.3"
  ```
1.12.0
2024-07-31
New
Only display vulnerabilities from the base image:
CLI:
```shell
$ docker scout cves --only-base IMAGE
```
GitHub Action:
```yaml
uses: docker/scout-action@v1
with:
  command: cves
  image: [IMAGE]
  only-base: true
```
Account for VEX in the `quickview` command:
CLI:
```shell
$ docker scout quickview IMAGE --only-vex-affected --vex-location ./path/to/my.vex.json
```
GitHub Action:
```yaml
uses: docker/scout-action@v1
with:
  command: quickview
  image: [IMAGE]
  only-vex-affected: true
  vex-location: ./path/to/my.vex.json
```
Account for VEX in the `cves` command (GitHub Actions):
```yaml
uses: docker/scout-action@v1
with:
  command: cves
  image: [IMAGE]
  only-vex-affected: true
  vex-location: ./path/to/my.vex.json
```
Bug fixes and enhancements
- Update `github.com/docker/docker` to `v26.1.5+incompatible` to fix CVE-2024-41110.
- Update Syft to 1.10.0.
1.11.0
2024-07-25
New
Filter CVEs listed in the CISA Known Exploited Vulnerabilities catalog.
CLI:
```shell
$ docker scout cves [IMAGE] --only-cisa-kev
    ... (cropped output) ...
    ## Packages and Vulnerabilities

       0C     1H     0M     0L  io.netty/netty-codec-http2 4.1.97.Final
    pkg:maven/io.netty/netty-codec-http2@4.1.97.Final

        ✗ HIGH CVE-2023-44487 CISA KEV [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities]
          https://scout.docker.com/v/CVE-2023-44487
          Affected range : <4.1.100
          Fixed version  : 4.1.100.Final
          CVSS Score     : 7.5
          CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
    ... (cropped output) ...
```
GitHub Action:
```yaml
uses: docker/scout-action@v1
with:
  command: cves
  image: [IMAGE]
  only-cisa-kev: true
```
Add new classifiers:
- spiped
- swift
- eclipse-mosquitto
- znc
Bug fixes and enhancements
- Allow VEX matching when no subcomponents.
- Fix panic when attaching an invalid VEX document.
- Fix SPDX document root.
- Fix base image detection when image uses SCRATCH as the base image.
1.10.0
2024-06-26
Bug fixes and enhancements
- Add new classifiers:
  - irssi
  - Backdrop
  - CrateDB CLI (Crash)
  - monica
  - Openliberty
  - dumb-init
  - friendica
  - redmine
- Fix whitespace-only originator on package breaking BuildKit exporters.
- Fix parsing image references in SPDX statement for images with a digest.
- Support `sbom://` prefix for image comparison:
  CLI:
  ```shell
  $ docker scout compare sbom://image1.json --to sbom://image2.json
  ```
  GitHub Action:
  ```yaml
  uses: docker/scout-action@v1
  with:
    command: compare
    image: sbom://image1.json
    to: sbom://image2.json
  ```
1.9.3
2024-05-28
Bug fix
- Fix a panic while retrieving cached SBOMs.
1.9.1
2024-05-27
New
Add support for the GitLab container scanning file format with `--format gitlab` on the `docker scout cves` command. Here is an example pipeline:
```yaml
docker-build:
  # Use the official docker image.
  image: docker:cli
  stage: build
  services:
    - docker:dind
  variables:
    DOCKER_IMAGE_NAME: $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG
  before_script:
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
    # Install curl and the Docker Scout CLI
    - |
      apk add --update curl
      curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s --
      apk del curl
      rm -rf /var/cache/apk/*
    # Login to Docker Hub required for Docker Scout CLI
    - echo "$DOCKER_HUB_PAT" | docker login --username "$DOCKER_HUB_USER" --password-stdin
  # All branches are tagged with $DOCKER_IMAGE_NAME (defaults to commit ref slug)
  # Default branch is also tagged with `latest`
  script:
    - docker buildx b --pull -t "$DOCKER_IMAGE_NAME" .
    - docker scout cves "$DOCKER_IMAGE_NAME" --format gitlab --output gl-container-scanning-report.json
    - docker push "$DOCKER_IMAGE_NAME"
    - |
      if [[ "$CI_COMMIT_BRANCH" == "$CI_DEFAULT_BRANCH" ]]; then
        docker tag "$DOCKER_IMAGE_NAME" "$CI_REGISTRY_IMAGE:latest"
        docker push "$CI_REGISTRY_IMAGE:latest"
      fi
  # Run this job in a branch where a Dockerfile exists
  rules:
    - if: $CI_COMMIT_BRANCH
      exists:
        - Dockerfile
  artifacts:
    reports:
      container_scanning: gl-container-scanning-report.json
```
Bug fixes and enhancements
- Support single-architecture images for the `docker scout attest add` command.
- Indicate on the `docker scout quickview` and `docker scout recommendations` commands if image provenance was not created using `mode=max`. Without `mode=max`, base images may be incorrectly detected, resulting in less accurate results.
1.9.0
2024-05-24
Discarded in favor of 1.9.1.
1.8.0
2024-04-25
Bug fixes and enhancements
- Improve format of EPSS score and percentile.
  Before:
  ```
  EPSS Score      : 0.000440
  EPSS Percentile : 0.092510
  ```
  After:
  ```
  EPSS Score      : 0.04%
  EPSS Percentile : 9th percentile
  ```
- Fix markdown output of the `docker scout cves` command when analyzing local filesystem. docker/scout-cli#113
1.7.0
2024-04-15
New
- The `docker scout push` command is now fully available: analyze images locally and push the SBOM to Docker Scout.
Bug fixes and enhancements
- Fix adding attestations with `docker scout attestation add` to images in private repositories.
- Fix image processing for images based on the empty `scratch` base image.
- A new `sbom://` protocol for Docker Scout CLI commands lets you read a Docker Scout SBOM from standard input:
  ```shell
  $ docker scout sbom IMAGE | docker scout qv sbom://
  ```
- Add classifier for Joomla packages.
1.6.4
2024-03-26
Bug fixes and enhancements
- Fix epoch handling for RPM-based Linux distributions
1.6.3
2024-03-22
Bug fixes and enhancements
- Improve package detection to ignore referenced but not installed packages.
1.6.2
2024-03-22
Bug fixes and enhancements
- EPSS data is now fetched via the backend rather than by the CLI client.
- Fix an issue when rendering markdown output using the `sbom://` prefix.
Removed
- The `docker scout cves --epss-date` and `docker scout cache prune --epss` flags have been removed.
1.6.1
2024-03-20
Note: This release only affects the `docker/scout-action` GitHub Action.
New
- Add support for passing in SBOM files in SPDX or in-toto SPDX format:
  ```yaml
  uses: docker/scout-action@v1
  with:
    command: cves
    image: sbom://alpine.spdx.json
  ```
- Add support for SBOM files in `syft-json` format:
  ```yaml
  uses: docker/scout-action@v1
  with:
    command: cves
    image: sbom://alpine.syft.json
  ```
1.6.0
2024-03-19
Note: This release only affects the CLI plugin, not the GitHub Action.
New
- Add support for passing in SBOM files in SPDX or in-toto SPDX format:
  ```shell
  $ docker scout cves sbom://path/to/sbom.spdx.json
  ```
- Add support for SBOM files in `syft-json` format:
  ```shell
  $ docker scout cves sbom://path/to/sbom.syft.json
  ```
- Read SBOM files from standard input:
  ```shell
  $ syft -o json alpine | docker scout cves sbom://
  ```
- Prioritize CVEs by EPSS score:
  - `--epss` to display and prioritise the CVEs
  - `--epss-score` and `--epss-percentile` to filter by score and percentile
  - Prune cached EPSS files with `docker scout cache prune --epss`
Bug fixes and enhancements
- Use Windows cache from WSL2. When inside WSL2 with Docker Desktop running, the Docker Scout CLI plugin now uses the cache from Windows. That way, if an image has already been indexed, for instance by Docker Desktop, there is no need to re-index it on the WSL2 side.
- Indexing is now blocked in the CLI if it has been disabled using the Settings Management feature.
- Fix a panic that would occur when analyzing a single-image `oci-dir` input.
- Improve local attestation support with the containerd image store.
Earlier versions
Release notes for earlier versions of the Docker Scout CLI plugin are available on GitHub.