1st chunk of `content/manuals/docker-hub/repos/manage/vulnerability-scanning.md`
---
description: Learn about vulnerability scanning and Docker Scout image analysis in Docker Hub.
keywords: scanning, vulnerabilities, Hub, static
title: Image security insights
weight: 70
aliases:
- /docker-hub/vulnerability-scanning/
---

Strengthen the security of your Docker images with Docker Hub's image security
insights. Docker Hub lets you perform either point-in-time static vulnerability
scanning or always up-to-date image analysis using Docker Scout.

## Docker Scout image analysis

After turning on Docker Scout image analysis, Docker Scout automatically
analyzes images in your Docker Hub repository.

Image analysis extracts the Software Bill of Materials (SBOM) and other image
metadata, and evaluates it against vulnerability data from security advisories.

The following sections describe how to turn on or off Docker Scout image
analysis for a Docker Hub repository. For more details about the image analysis,
see [Docker Scout](/manuals/scout/_index.md).

### Turn on Docker Scout image analysis

1. Sign in to [Docker Hub](https://hub.docker.com).
2. Select **My Hub** > **Repositories**.

   A list of your repositories appears.

3. Select a repository.

   The **General** page for the repository appears.

4. Select the **Settings** tab.
5. Under **Image security insight settings**, select **Docker Scout image analysis**.
6. Select **Save**.

### Turn off Docker Scout image analysis

1. Sign in to [Docker Hub](https://hub.docker.com).
2. Select **My Hub** > **Repositories**.

   A list of your repositories appears.

3. Select a repository.

   The **General** page for the repository appears.

4. Select the **Settings** tab.
5. Under **Image security insight settings**, select **None**.
6. Select **Save**.
## Static vulnerability scanning

> [!NOTE]
>
> Docker Hub static vulnerability scanning requires a Docker Pro, Team, or
> Business subscription.

When you push an image to a Docker Hub repository after turning on static
scanning, Docker Hub automatically scans the image to identify vulnerabilities.
The scan results show the security state of your image at the time the scan
was run; they are not updated when new advisories are published later.

Scan results include:

- The source of the vulnerability, such as Operating System (OS) packages and
  libraries
- The version in which it was introduced
- A recommended fixed version, if available, to remediate the vulnerabilities
  discovered.

### Changes to static scanning in Docker Hub

From February 27th, 2023, Docker changed the technology that supports the
Docker Hub static scanning feature. Static scanning is now powered natively
by Docker rather than by a third party.

As a result of this change, scanning now detects vulnerabilities at a more
granular level than before, so vulnerability reports may list a higher number
of vulnerabilities. If you used vulnerability scanning before February 27th,
2023, a higher count in new reports reflects this more thorough analysis.

There is no action required on your part. Scans continue to run as usual
with no interruption or changes to pricing. Historical data continues to be
available.

### Turn on static vulnerability scanning

Repository owners and administrators can enable static vulnerability scanning
on a repository. If you are on a Team or Business subscription, make sure the
repository you want to enable scanning on is part of the Team or Business
tier.

When scanning is active on a repository, anyone with push access can trigger a
scan by pushing an image to Docker Hub.
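Static scanning only covers Linux images for the AMD64 architecture that are under 10 GB (see the note below), so a pushed image outside those limits is simply never scanned. The following pre-push check is an added example, not part of the Docker Hub documentation: it reads constructed OCI image manifests and config blobs (the `architecture`, `os`, `config.size` and `layers[].size` fields of the OCI image spec) and reports why an image, or each platform of a multi-platform index, would be skipped. The 10 GB limit is assumed here to mean 10 GiB of compressed content; the page does not say how the size is measured.

```python
"""Pre-push check against the Docker Hub static-scanning constraints
(amd64, linux, under 10 GB). All manifests and configs below are constructed
sample data shaped like OCI image-spec documents, not real registry output."""

MAX_SCAN_BYTES = 10 * 1024**3  # assumption: "10 GB" read as 10 GiB of compressed data

# Constructed OCI image config blobs, keyed by digest.
CONFIGS = {
    "sha256:cfg-amd64": {"architecture": "amd64", "os": "linux"},
    "sha256:cfg-arm64": {"architecture": "arm64", "os": "linux"},
    "sha256:cfg-win": {"architecture": "amd64", "os": "windows"},
}

# Constructed OCI image manifests: config blob plus compressed layer sizes.
MANIFESTS = {
    "sha256:m-amd64": {"config": {"digest": "sha256:cfg-amd64", "size": 7000},
                       "layers": [{"size": 30_000_000}, {"size": 120_000_000}]},
    "sha256:m-arm64": {"config": {"digest": "sha256:cfg-arm64", "size": 7000},
                       "layers": [{"size": 45_000_000}]},
    "sha256:m-win": {"config": {"digest": "sha256:cfg-win", "size": 9000},
                     "layers": [{"size": 11 * 1024**3}]},  # over the limit
}


def scan_eligibility(manifest: dict, config: dict) -> list[str]:
    """Return the reasons an image would not be statically scanned.
    An empty list means the image meets every stated constraint."""
    reasons = []
    arch, os_name = config.get("architecture"), config.get("os")
    if arch != "amd64":
        reasons.append(f"architecture {arch!r} is not amd64")
    if os_name != "linux":
        reasons.append(f"os {os_name!r} is not linux")
    total = manifest["config"]["size"] + sum(l["size"] for l in manifest["layers"])
    if total >= MAX_SCAN_BYTES:
        reasons.append(f"image size {total} bytes is not under 10 GB")
    return reasons


def check_index(index: dict) -> dict[str, list[str]]:
    """For a multi-platform image index, report eligibility per manifest so a
    push of a manifest list does not silently leave some platforms unscanned."""
    report = {}
    for entry in index["manifests"]:
        manifest = MANIFESTS[entry["digest"]]
        config = CONFIGS[manifest["config"]["digest"]]
        report[entry["digest"]] = scan_eligibility(manifest, config)
    return report
```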

To enable static vulnerability scanning:

> [!NOTE]
>
> Static vulnerability scanning supports Linux images built for the AMD64
> architecture that are less than 10 GB in size.

1. Sign in to [Docker Hub](https://hub.docker.com).
2. Select **My Hub** > **Repositories**.

   A list of your repositories appears.

3. Select a repository.

   The **General** page for the repository appears.

4. Select the **Settings** tab.
