Docker Scout is a new tool that lets you scan your Docker images for CVEs, but it’s not a replacement for Trivy.
Here’s how you can use both to get a comprehensive view of your image security.
Docker Scout: Quick Look, High-Level Overview
Docker Scout is designed for quick, at-a-glance vulnerability assessments. It’s integrated into Docker Desktop and the Docker Hub, making it super accessible.
What it does: Scout provides a summary of vulnerabilities, often categorized by severity. It’s great for an initial check before you even push an image to a registry or when you’re just exploring an image.
Example:
Let’s say you build an image locally. You can run docker scout vuln . in your project directory.
# In your project directory with a Dockerfile
docker scout vuln .
This will output something like:
...
High:
- CVE-2023-1234: Vulnerable component 'openssl' version 1.1.1k-r0 (installed: 1.1.1k-r0, fixed: 1.1.1s-r0)
More info: https://avd.aquasec.com/nvd/CVE-2023-1234
Medium:
- CVE-2023-5678: Vulnerable component 'curl' version 7.74.0-r1 (installed: 7.74.0-r1, fixed: 7.85.0-r0)
More info: https://avd.aquasec.com/nvd/CVE-2023-5678
...
The Catch: Docker Scout’s free tier has limitations on the depth and frequency of scans, especially for images not hosted on Docker Hub. It’s more of a convenience tool than a deep-dive security scanner for production pipelines.
Trivy: Deep Dive, Pipeline Ready
Trivy is a more robust, open-source scanner that’s a staple in CI/CD pipelines. It offers more granular control and a wider range of scan types.
What it does: Trivy scans images for OS package vulnerabilities (like Apt, Yum, Alpine), application dependencies (npm, Pip, Maven), IaC misconfigurations, and secrets. It’s designed to be run programmatically and provides detailed JSON or text output.
Example: To scan a Docker image for vulnerabilities, you’d typically run:
trivy image --severity HIGH,CRITICAL --format json --output results.json my-docker-image:latest
This command:
- image: Specifies that we’re scanning a Docker image.
- --severity HIGH,CRITICAL: Filters results to only show high and critical severity vulnerabilities.
- --format json: Outputs the results in JSON format, ideal for programmatic parsing.
- --output results.json: Saves the output to a file named results.json.
- my-docker-image:latest: The name and tag of the image to scan.
Why this works: Trivy has a comprehensive, frequently updated vulnerability database. It analyzes the layers of your Docker image, identifies installed packages and their versions, and cross-references them against its database. For application dependencies, it dives into package manager lock files or analyzes the installed application libraries.
Combining Them for the Best of Both Worlds
You can use Docker Scout for quick checks and initial feedback directly within your Docker Desktop environment, and then integrate Trivy into your CI/CD pipeline for thorough, automated security checks.
- Local Development (Docker Scout): Use docker scout vuln . to get an immediate sense of vulnerabilities as you’re building. This helps catch obvious issues early.
- CI/CD Pipeline (Trivy): In your build pipeline (e.g., GitHub Actions, GitLab CI), use Trivy to perform a deep scan. Configure it to fail the build if critical vulnerabilities are found.
Example CI/CD Integration (Conceptual GitHub Actions):
name: Build and Scan Image
on: [push]
jobs:
  build-and-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2
      - name: Build Docker image
        id: docker_build
        uses: docker/build-push-action@v4
        with:
          context: .
          push: false # Don't push, just build for scanning
          tags: my-app:latest
      - name: Scan with Trivy
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'my-app:latest'
          format: 'table'
          ignore-unfixed: true # Optional: ignore vulnerabilities with no fix
          exit-code: '1' # Fail build if vulnerabilities are found (adjust severity if needed)
          # severity: 'CRITICAL,HIGH' # Optional: specify minimum severity to fail on
This GitHub Actions workflow builds your Docker image and then uses the trivy-action to scan it. If Trivy finds vulnerabilities (based on the exit-code or severity configuration), the action will fail, stopping your pipeline.
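If you would rather gate the pipeline on the JSON report produced by trivy image --format json --output results.json (so the same policy can be applied in GitLab CI, Jenkins, or a pre-push hook), a small script can apply the minimum-severity and ignore-unfixed rules the workflow exposes. The script below is an added example, not part of the original post and not Trivy's own tooling. It assumes the field names of Trivy's JSON report (Results, Target, Vulnerabilities, VulnerabilityID, PkgName, InstalledVersion, FixedVersion, Severity); the embedded sample report, including its CVE ids, packages and versions, is constructed for the demonstration.

```python
"""Gate a build on a Trivy JSON report (added example, not Trivy's own code).

Reads the report written by
  trivy image --format json --output results.json my-docker-image:latest
and returns a non-zero exit code when findings at or above the configured
severity remain, mirroring the `severity` / `ignore-unfixed` knobs of the
trivy-action step.
"""
import json
import sys

# Ranking used to compare each finding against the configured threshold.
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample in the shape of a Trivy JSON report. The field names follow
# Trivy's schema (an assumption of this example); the CVE ids, package names and
# versions are made up and do not refer to real advisories.
SAMPLE_REPORT = {
    "SchemaVersion": 2,
    "ArtifactName": "my-app:latest",
    "Results": [
        {
            "Target": "my-app:latest (alpine 3.17.0)",
            "Class": "os-pkgs",
            "Type": "alpine",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "openssl",
                 "InstalledVersion": "1.1.1k-r0", "FixedVersion": "1.1.1s-r0",
                 "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "busybox",
                 "InstalledVersion": "1.35.0-r0", "FixedVersion": "",
                 "Severity": "CRITICAL"},
            ],
        },
        {
            "Target": "app/package-lock.json",
            "Class": "lang-pkgs",
            "Type": "npm",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "lodash",
                 "InstalledVersion": "4.17.20", "FixedVersion": "4.17.21",
                 "Severity": "MEDIUM"},
            ],
        },
    ],
}


def iter_vulns(report):
    """Yield (target, vuln) for every finding; a result with no findings has
    no "Vulnerabilities" key at all, so treat a missing key as empty."""
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            yield result.get("Target", "?"), vuln


def policy_violations(report, min_severity="HIGH", ignore_unfixed=False):
    """Return the findings at or above min_severity. With ignore_unfixed=True,
    findings that have no FixedVersion are skipped (nothing to upgrade to yet)."""
    threshold = SEVERITY_RANK[min_severity.upper()]
    violations = []
    for target, vuln in iter_vulns(report):
        rank = SEVERITY_RANK.get(str(vuln.get("Severity", "UNKNOWN")).upper(), 0)
        if rank < threshold:
            continue
        if ignore_unfixed and not vuln.get("FixedVersion"):
            continue
        violations.append({
            "target": target,
            "id": vuln.get("VulnerabilityID"),
            "pkg": vuln.get("PkgName"),
            "installed": vuln.get("InstalledVersion"),
            "fixed": vuln.get("FixedVersion") or "(no fix yet)",
            "severity": vuln.get("Severity"),
        })
    return violations


def gate(report, min_severity="HIGH", ignore_unfixed=False):
    """Print each violation and return the exit code a CI step should use:
    1 when the policy is violated, 0 otherwise."""
    violations = policy_violations(report, min_severity, ignore_unfixed)
    for v in violations:
        print(f"{v['severity']:<8} {v['id']} {v['pkg']} {v['installed']} "
              f"-> {v['fixed']}  [{v['target']}]")
    return 1 if violations else 0


if __name__ == "__main__":
    # Usage: python gate.py results.json [MIN_SEVERITY] [--ignore-unfixed]
    # Without arguments the constructed sample report is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    min_sev = next((a for a in sys.argv[2:] if not a.startswith("--")), "HIGH")
    sys.exit(gate(report, min_sev, "--ignore-unfixed" in sys.argv))
```

Run it with no arguments to see the sample gate fail on the HIGH openssl and CRITICAL busybox findings; add --ignore-unfixed and the busybox entry (no FixedVersion) drops out, which is exactly the trade-off the workflow's ignore-unfixed: true makes. Keeping the threshold and the unfixed rule as explicit parameters makes the policy reviewable in the repository rather than buried in an action's defaults.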
The nuance that often trips people up is understanding that Docker Scout’s primary value is its integration and ease of use for individual developers, while Trivy excels in automation and detailed reporting for production environments. Relying solely on one for all your needs will likely lead to either missed vulnerabilities or overly complex local workflows.
The next step after ensuring your images are secure is to think about how to manage the runtime security of your containers.