Kicking the Tires of Docker Scout

I never moved away from Docker Desktop.

For some time, after you use it to build an image, it prints a message:

What’s Next?
View a summary of image vulnerabilities and recommendations → docker scout quickview

I decided to give it a try. I’ll use the root commit of my OpenTelemetry tracing demo. Let’s execute the proposed command:

docker scout quickview otel-catalog:1.0

Here’s the result:

✓ Image stored for indexing
✓ Indexed 272 packages
Target │ otel-catalog:1.0 │ 0C 2H 15M 23L
digest │ 7adfce68062e │
Base image │ eclipse-temurin:21-jre │ 0C 0H 15M 23L
Refreshed base image │ eclipse-temurin:21-jre │ 0C 0H 15M 23L
│ │
What’s Next?
View vulnerabilities → docker scout cves otel-catalog:1.0
View base image update recommendations → docker scout recommendations otel-catalog:1.0
Include policy results in your quickview by supplying an organization → docker scout quickview otel-catalog:1.0 –org <organization>

Docker gives out exciting bits of information:

The base image contains 15 middle-severity vulnerabilities and 23 low-severity ones
The final image has an additional two high-level severity
Ergo, our code introduced them!

Following Scout’s suggestion, we can drill down the CVEs:

docker scout cves otel-catalog:1.0

This is the result:

✓ SBOM of image already cached, 272 packages indexed
✗ Detected 18 vulnerable packages with a total of 39 vulnerabilities
## Overview
│ Analyzed Image
Target │ otel-catalog:1.0
digest │ 7adfce68062e
platform │ linux/arm64
vulnerabilities │ 0C 2H 15M 23L
size │ 160 MB
packages │ 272
## Packages and Vulnerabilities
0C 1H 0M 0L org.yaml/snakeyaml 1.33
✗ HIGH CVE-2022-1471 [Improper Input Validation]
Affected range : <=1.33
Fixed version : 2.0
CVSS Score : 8.3
CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
0C 1H 0M 0L io.netty/netty-handler 4.1.100.Final
✗ HIGH CVE-2023-4586 [OWASP Top Ten 2017 Category A9 – Using Components with Known Vulnerabilities]
Affected range : >=4.1.0
: <5.0.0
Fixed version : not fixed
CVSS Score : 7.4
CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

The original output is much longer, but I stopped at the exciting bit: the two high-severity CVEs, First, we see the one coming from Netty still needs to be fixed – tough luck. However, Snake YAML fixed its CVE from version 2.0 onward.

I’m not using Snake YAML directly; it’s a Spring dependency brought by Spring. Because of this, no guarantee exists that a major version upgrade will be compatible. But we can surely try. Let’s bump the dependency to the latest version:


We can build the image again and check that it still works. Fortunately, it does. We can execute the process again:

docker scout quickview otel-catalog:1.0

Lo and behold, the high-severity CVE is no more!

✓ Image stored for indexing
✓ Indexed 273 packages
Target │ local://otel-catalog:1.0-1 │ 0C 1H 15M 23L
digest │ 9ddc31cdd304 │
Base image │ eclipse-temurin:21-jre │ 0C 0H 15M 23L


In this short post, we tried Docker Scout, the Docker image vulnerability detection tool. Thanks to it, we removed one high-level CVE we introduced in the code.

To go further:

Docker Scout
4 Free, Easy-To-Use Tools For Docker Vulnerability Scanning

Originally published at A Java Geek on January 14th, 2024

Sponsored Content

Jakarta EE 11: Beyond the Era of Java EE

This user guide provides a brief history of Java EE/Jakarta EE and a detailed overview of some of the specifications that will be updated in Jakarta EE 11.

Get Started

The post Kicking the Tires of Docker Scout appeared first on foojay.