2nd chunk of `content/manuals/scout/explore/analysis.md`
1. Sign in with your Docker ID, either using the `docker login` command or the
   **Sign in** button in Docker Desktop.
2. Build and push the image that you want to analyze.

   ```console
   $ docker build --push --tag <org>/<image:tag> --provenance=true --sbom=true .
   ```

   Building with the `--provenance=true` and `--sbom=true` flags attaches
   [build attestations](/manuals/build/metadata/attestations/_index.md) to the image. Docker
   Scout uses attestations to provide more fine-grained analysis results.

   > [!NOTE]
   >
   > The default `docker` driver only supports build attestations if you use the
   > [containerd image store](/manuals/desktop/features/containerd.md).

3. Go to the [Images page](https://scout.docker.com/reports/images) in the Docker Scout Dashboard.

   The image appears in the list shortly after you push it to the registry.
   It may take a few minutes for the analysis results to appear.

## Analyze images locally

You can analyze local images with Docker Scout using Docker Desktop or the
`docker scout` commands for the Docker CLI.

### Docker Desktop

> [!NOTE]
>
> Docker Desktop background indexing supports images up to 10 GB in size.
> See [Maximum image size](#maximum-image-size).

To analyze an image locally using the Docker Desktop GUI:

1. Pull or build the image that you want to analyze.
2. Go to the **Images** view in the Docker Dashboard.
3. Select one of your local images in the list.

   This opens the [Image details view](./image-details-view.md), showing a
   breakdown of packages and vulnerabilities found by the Docker Scout analysis
   for the image you selected.

### CLI

The `docker scout` CLI commands provide a command line interface for using Docker
Scout from your terminal.

- `docker scout quickview`: summary of the specified image, see [Quickview](#quickview)
- `docker scout cves`: local analysis of the specified image, see [CVEs](#cves)
- `docker scout compare`: analyzes and compares two images

By default, the results are printed to standard output.
You can also export results to a file in a structured format,
such as Static Analysis Results Interchange Format (SARIF).
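
The following is an added example, not part of the Docker documentation: one way to turn a SARIF export (for instance a file written with `docker scout cves --format sarif --output <file> <image>`) into a CI pass/fail decision. The function names, the embedded sample log, and its `EXAMPLE-` rule IDs are constructed for illustration and follow the generic SARIF 2.1.0 layout rather than reproducing real Docker Scout output.

```python
import json
from collections import Counter

# Constructed sample in the generic SARIF 2.1.0 layout. The tool name, rule
# identifiers and package strings are invented, not real Docker Scout output.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-scanner", "rules": [
            {"id": "EXAMPLE-0001", "defaultConfiguration": {"level": "error"}},
            {"id": "EXAMPLE-0002", "defaultConfiguration": {"level": "note"}},
            {"id": "EXAMPLE-0003"},
        ]}},
        "results": [
            {"ruleId": "EXAMPLE-0001", "message": {"text": "pkg-a 1.0"}},
            {"ruleId": "EXAMPLE-0002", "level": "warning", "message": {"text": "pkg-b 2.3"}},
            {"ruleId": "EXAMPLE-0003", "message": {"text": "pkg-c 0.9"}},
            {"ruleId": "EXAMPLE-0001", "message": {"text": "pkg-d 4.1"}},
        ],
    }],
})

LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}

def effective_level(result, rules_by_id):
    """SARIF: explicit result level, else the rule's default, else 'warning'."""
    if "level" in result:
        return result["level"]
    rule = rules_by_id.get(result.get("ruleId"), {})
    return rule.get("defaultConfiguration", {}).get("level", "warning")

def summarize(sarif_text):
    """Count findings per effective level across every run in the log."""
    counts = Counter()
    for run in json.loads(sarif_text).get("runs", []):
        rules = run.get("tool", {}).get("driver", {}).get("rules", [])
        rules_by_id = {r["id"]: r for r in rules if "id" in r}
        for result in run.get("results") or []:  # "results" may be null
            counts[effective_level(result, rules_by_id)] += 1
    return counts

def gate(sarif_text, fail_at="error"):
    """Return a CI exit code: 1 if any finding is at or above fail_at."""
    threshold = LEVEL_RANK[fail_at]
    # Unknown level strings are ranked like "warning" instead of being dropped.
    return int(any(n and LEVEL_RANK.get(lvl, 2) >= threshold
                   for lvl, n in summarize(sarif_text).items()))

if __name__ == "__main__":
    print(dict(summarize(SAMPLE_SARIF)), "exit code:", gate(SAMPLE_SARIF))
```

Resolving the level through the rule's default matters because a SARIF result may omit `level`; counting only explicit `"level": "error"` entries would undercount findings.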

#### Quickview

The `docker scout quickview` command provides an overview of the
vulnerabilities found in a given image and its base image.

```console
$ docker scout quickview traefik:latest
    ✓ SBOM of image already cached, 311 packages indexed

  Your image  traefik:latest  │    0C     2H     8M     1L
  Base image  alpine:3        │    0C     0H     0M     0L
```

If your base image is out of date, the `quickview` command also shows how
updating your base image would change the vulnerability exposure of your image.

```console
$ docker scout quickview postgres:13.1
    ✓ Pulled
    ✓ Image stored for indexing
    ✓ Indexed 187 packages

  Your image  postgres:13.1                 │   17C    32H    35M    33L
  Base image  debian:buster-slim            │    9C    14H     9M    23L
  Refreshed base image  debian:buster-slim  │    0C     1H     6M    29L
                                            │    -9    -13     -3     +6
  Updated base image  debian:stable-slim    │    0C     0H     0M    17L
                                            │    -9    -14     -9     -6
```

#### CVEs

The `docker scout cves` command gives you a complete view of all the
vulnerabilities in the image. This command supports several flags that let you
specify more precisely which vulnerabilities you're interested in, for example,
by severity or package type:

```console
$ docker scout cves --format only-packages --only-vuln-packages \
  --only-severity critical postgres:13.1
```
