Docker Scout is Docker Inc.'s answer to the container vulnerability scanning landscape. Integrated into Docker Desktop, the CLI and Docker Hub, it scans images continuously and suggests remediations. It competes with Trivy, Grype and Snyk Container. This article covers what it offers and where it competes.
Features
- CVE scanning of images.
- Automatic SBOM generation.
- Base image recommendations: what to change to fix CVEs.
- Policy evaluation: fail builds when critical CVEs are present.
- Integrations: Docker Desktop, Docker Hub, GitHub Actions, generic CI.
- Continuous monitoring: re-scan when new CVEs are published.
Basic usage
Straight from the CLI:
```bash
# Scan a local image
docker scout cves my-app:1.0
# Check recommendations
docker scout recommendations my-app:1.0
# Compare two images
docker scout compare my-app:1.0 --to my-app:1.1
# Policy evaluation
docker scout policy my-app:1.0
```
Setup is trivial. Docker Desktop users have it by default.
CI integration
GitHub Actions:
```yaml
- uses: docker/scout-action@v1
  with:
    command: cves,recommendations
    image: ${{ env.IMAGE_REF }}
    only-severities: critical,high
```
Fail builds when critical CVEs are present: a consistent quality gate.
Docker Scout vs Trivy
| Aspect | Docker Scout | Trivy |
|---|---|---|
| CVE database | Docker Hub + NVD | Aqua DB + NVD |
| Open source | Closed | Open source |
| Base image recommendations | Built-in | Plugin |
| Continuous monitoring | Yes (paid) | Via CI re-run |
| Hub integration | Native | External |
| Price | Free tier + paid | Free |
| SBOM | Yes | Yes |
| Enterprise features | Paid | Aqua Enterprise |
Trivy is the free default. Scout is better integrated into the Docker ecosystem.
Where Scout wins
- Docker Desktop users: seamless workflow.
- Docker Hub customers: continuous scanning of the registry.
- Base image recommendations are useful for non-expert developers.
- Managed experience: less configuration than a custom Trivy CI setup.
Where Trivy wins
- Strict open source: Trivy is free, MIT-licensed.
- Custom CI/CD: Trivy integrates more flexibly.
- Multi-target: Trivy scans filesystems, repositories and Kubernetes configs.
- Self-hosted: Trivy has no dependency on Docker's SaaS.
Scout pricing
- Free tier: basic scanning in Docker Desktop/CLI.
- Docker Team ($11/user/month): continuous scanning + policies.
- Docker Business ($24/user/month): enterprise features.
- Docker Hub integration: included with the subscription.
For comparison: Trivy open source is free; Aqua Enterprise adds customization.
Base image recommendations
The differentiating feature:
```text
Your image: node:18-slim
Issues: 3 critical, 15 high CVEs
Recommendations:
1. Upgrade to node:20-slim (0 critical, 5 high) — better.
2. Switch to node:20-alpine (0 critical, 2 high) — smaller.
3. Switch to cgr.dev/chainguard/node:latest (0 CVEs) — best.
```
Helpful for developers without security expertise.
Policies
Define organization-wide policies:
```yaml
policies:
  - name: no-critical-cves
    check: cves-criticas == 0
  - name: no-high-in-base
    check: high_cves_en_base == 0
  - name: signed-images
    check: image_signed
```
Failures in CI block the deploy.
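The three policies above as a working gate, added here as an example (not Docker Scout's own code, and not its real report schema): a small Python evaluator applies each rule to a constructed CVE report and turns the result into the exit code a CI step like the GitHub Actions one later in the article would act on. The report layout, CVE ids and package names are constructed for the example.

```python
"""Policy gate over a constructed, Scout-style CVE report (added example, not Docker's code).
The report layout is a simplified stand-in, not Docker Scout's real output schema."""
from typing import Callable

# Constructed sample: findings carry a severity and whether they come from the base image.
REPORT = {
    "image": "my-app:1.0",
    "signed": False,
    "vulnerabilities": [
        {"id": "CVE-EXAMPLE-0001", "severity": "critical", "package": "openssl", "in_base_image": True},
        {"id": "CVE-EXAMPLE-0002", "severity": "high", "package": "libxml2", "in_base_image": True},
        {"id": "CVE-EXAMPLE-0003", "severity": "high", "package": "lodash", "in_base_image": False},
        {"id": "CVE-EXAMPLE-0004", "severity": "medium", "package": "curl", "in_base_image": True},
    ],
}

Policy = tuple[str, Callable[[dict], bool]]


def severity_count(report: dict, severities: set[str], base_only: bool = False) -> int:
    """Count findings at the given severities; with base_only, count only base-image findings."""
    return sum(
        1 for v in report["vulnerabilities"]
        if v["severity"] in severities and (v["in_base_image"] or not base_only)
    )


# The three rules from the article's policy list, as predicates over the report.
POLICIES: list[Policy] = [
    ("no-critical-cves", lambda r: severity_count(r, {"critical"}) == 0),
    ("no-high-in-base", lambda r: severity_count(r, {"high"}, base_only=True) == 0),
    ("signed-images", lambda r: bool(r["signed"])),
]


def evaluate(report: dict, policies: list[Policy] = POLICIES) -> list[str]:
    """Return the names of violated policies; an empty list means the gate passes."""
    return [name for name, check in policies if not check(report)]


def gate_exit_code(report: dict, policies: list[Policy] = POLICIES) -> int:
    """CI quality gate: exit 0 only when every policy holds, so a failing check blocks the deploy."""
    return 0 if not evaluate(report, policies) else 1


if __name__ == "__main__":
    for name in evaluate(REPORT):
        print(f"{REPORT['image']}: policy violated -> {name}")
    raise SystemExit(gate_exit_code(REPORT))
```

Run against the sample report it reports all three violations and exits non-zero; feed it a signed image whose only findings are medium and it passes.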
SBOM
Scout generates SBOMs in these formats:
- SPDX.
- CycloneDX.
- Docker's native format.
Useful for supply chain compliance (SLSA, NIS2).
Continuous monitoring
A paid feature:
- Scout re-scans images in Hub continuously.
- New CVE published → notification.
- Dashboard with security posture.
- Trends over time.
Direct competition with Snyk Container's continuous monitoring.
Integration with Docker Hub policies
With Docker Business, the flow is:
- Push the image to Hub.
- Scout scans it automatically.
- If it violates a policy, Hub flags it with a warning.
- Optional: block downstream deploys via webhook.
Supply chain security at the registry layer.
Comparison with Snyk
Snyk has a broader scope (code, dependencies, containers, IaC). Scout focuses only on containers.
If you already use Snyk, Scout adds little. If you only have containers, Scout is simpler and better integrated with Docker.
Limitations
- Closed source: some security teams prefer an auditable tool.
- Docker-centric: not as flexible outside the Docker ecosystem.
- Pricing: the most useful features sit in the paid tier.
- False positives: as with every scanner.
Example CI workflow
A complete GitHub Actions workflow:
```yaml
name: build-and-scan
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: docker/setup-buildx-action@v3
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Build and push
        uses: docker/build-push-action@v5
        with:
          push: true
          tags: ghcr.io/${{ github.repository }}:${{ github.sha }}
      - name: Scout CVE check
        uses: docker/scout-action@v1
        with:
          command: cves
          image: ghcr.io/${{ github.repository }}:${{ github.sha }}
          only-severities: critical,high
          exit-code: true
```
The build is blocked if critical or high CVEs are found.
Trends
The container security ecosystem is converging on:
- Continuous scanning (not just at build time).
- Signed images (Sigstore / cosign).
- SBOM as a requirement (supply chain).
- Policy-as-code.
- CVE context: which CVEs are actually exploitable.
Scout, Trivy, Grype and Snyk are all moving in this direction.
Conclusion
Docker Scout is a competent tool for container security, especially if you are already in the Docker ecosystem. Its integration with Docker Desktop/Hub is frictionless. For pure open source and multi-target scanning, Trivy remains the better choice. For enterprises that already have Snyk, Snyk covers more. The decision comes down to which ecosystem you are in and which features you need. For mid-size teams, Scout plus policies may be the lowest-friction path to solid container security.
Follow us at jacar.es for more on container security, CVE management and DevSecOps.