1. Using Docker Scout via CLI
- Ensure Docker is up-to-date (version 4.17 or later) to access Docker Scout.
- The command syntax has changed from docker scan <image name>:<tag> to docker scout <subcommand> <image name>.
- Run docker scout --help to see the five available subcommands; these notes focus on cves and recommendations.
2. docker scout cves Subcommand
- Example: docker scout cves node:20.0.0-bullseye
- If the image isn’t local, Docker Scout pulls it from Docker Hub.
- The tool indexes the image's packages and lists the vulnerabilities it detects, e.g., 38 vulnerable packages and 116 vulnerabilities (ranging from high- to low-severity issues).
- Each vulnerability includes its official name and a link to dso.docker.com, Docker's vulnerability database.
3. docker scout recommendations Subcommand
- Example: after building a simple Dockerfile based on node:20.0.0-bullseye, run docker scout recommendations simple-image.
- The output suggests updating the base image to a newer version, but it also notes that moving to the latest image published under the same tag actually increased the vulnerability count.
- This subcommand could benefit from clearer output, since a recommendation that raises the vulnerability count is confusing in cases like this.
4. Using Docker Scout in Docker Desktop (GUI)
- In Docker Desktop, navigate to "Images" and select an image (e.g., simple-image).
- The GUI shows a detailed vulnerability summary similar to the CLI, but in a more user-friendly format.
- Users can filter by "fixable" vulnerabilities, highlighting packages with available patches.
- The GUI also displays installed packages and a summary of base images.
5. Automating Docker Scout with GitHub Actions
- Docker Scout can be automated within continuous integration (CI) workflows using the official "Scout action" GitHub Action, so that every build is scanned for CVEs before the image is shipped.
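An added example, not part of the original notes and not taken from Docker's documentation, of a workflow that builds the simple-image from section 3 and fails the job on fixable critical or high CVEs. It assumes the docker/scout-action@v1 inputs command, image, only-severities, only-fixed and exit-code, a Dockerfile at the repository root, and Docker Hub credentials stored in the DOCKERHUB_USER and DOCKERHUB_TOKEN repository secrets.

```yaml
name: docker-scout-cves

on:
  pull_request:
  push:
    branches: [main]

jobs:
  scout:
    runs-on: ubuntu-latest
    permissions:
      contents: read

    steps:
      - uses: actions/checkout@v4

      # Same image as the CLI walkthrough, tagged with the commit SHA so each
      # scan result maps back to one exact build.
      - name: Build image from the repository Dockerfile
        run: docker build -t simple-image:${{ github.sha }} .

      # Docker Scout must be authenticated to Docker Hub; secrets assumed.
      - name: Log in to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USER }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      # Equivalent of "docker scout cves simple-image" on the CLI, narrowed
      # to findings that block the merge: critical/high and with a fix available.
      # exit-code: true makes the step fail when any such CVE is found.
      - name: Scan for fixable critical/high CVEs
        uses: docker/scout-action@v1
        with:
          command: cves
          image: simple-image:${{ github.sha }}
          only-severities: critical,high
          only-fixed: true
          exit-code: true
```

Restricting the gate to fixable findings mirrors the "fixable" filter in the Docker Desktop GUI and keeps the pipeline from failing on vulnerabilities no base-image update can yet resolve.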