{"id":30103915,"url":"https://github.com/docker-archive-public/docker.scan-cli-plugin","last_synced_at":"2026-06-08T00:00:55.357Z","repository":{"id":43467374,"uuid":"264230297","full_name":"docker-archive-public/docker.scan-cli-plugin","owner":"docker-archive-public","description":"Docker Scan is a Command Line Interface to run vulnerability detection on your Dockerfiles and Docker images","archived":true,"fork":false,"pushed_at":"2023-05-11T20:47:15.000Z","size":564,"stargazers_count":185,"open_issues_count":24,"forks_count":41,"subscribers_count":13,"default_branch":"main","last_synced_at":"2026-04-15T05:02:28.816Z","etag":null,"topics":["docker","docker-container","docker-image","dockerfile","vulnerabilities","vulnerability","vulnerability-detection","vulnerability-scanners"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/docker-archive-public.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2020-05-15T15:30:06.000Z","updated_at":"2025-12-09T09:25:32.000Z","dependencies_parsed_at":"2024-01-13T17:11:00.372Z","dependency_job_id":"52f2c53d-60d3-4a6e-9039-ce6907a999e5","html_url":"https://github.com/docker-archive-public/docker.scan-cli-plugin","commit_stats":null,"previous_names":["docker/docker-scan","docker/scan-cli-plugin"],"tags_count":32,"template":false,"template_full_name":null,"purl":"pkg:github/docker-archive-public/docker.scan-cli-plugin","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/docker-archive-public%2Fdocker.scan-cli-plugin","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/docker-archive-public%2Fdocker.scan-cli-plugin/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/docker-archive-public%2Fdocker.scan-cli-plugin/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/docker-archive-public%2Fdocker.scan-cli-plugin/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/docker-archive-public","download_url":"https://codeload.github.com/docker-archive-public/docker.scan-cli-plugin/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/docker-archive-public%2Fdocker.scan-cli-plugin/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34042554,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-07T02:00:07.652Z","response_time":124,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["docker","docker-container","docker-image","dockerfile","vulnerabilities","vulnerability","vulnerability-detection","vulnerability-scanners"],"created_at":"2025-08-09T22:02:20.286Z","updated_at":"2026-06-08T00:00:55.135Z","avatar_url":"https://github.com/docker-archive-public.png","language":"Go","funding_links":[],"categories":["Go"],"sub_categories":[],"readme":"![Weekly Build](https://github.com/docker/scan-cli-plugin/workflows/Release%20and%20Weekly%20Build/badge.svg)\n\n# Docker Scan\n\n:warning:\n\nThe `docker scan` command has been removed.\n\nTo continue learning about the vulnerabilities of your images, and many other features, use the new `docker scout` command.\n\nRun `docker scout --help`, or learn more at https://docs.docker.com/engine/reference/commandline/scout/\n\n---\n\nDocker Scan is a Command Line Interface to run vulnerability detection on your Dockerfiles and Docker images.\n\n\n### Table of Contents\n - **[How to use it](#how-to-use-it)**\n * **[Third Party consent](#login-and-third-party-providers)**\n * **[Scan Image or Dockerfile](#scanning)**\n * **[Provider Authentication](#provider-authentication)**\n - **[Install Docker Scan](#install-docker-scan)**\n * **[Mac \u0026 Windows](#on-macos--windows)**\n * **[Linux](#on-linux)**\n - **[Build Docker Scan](#how-to-build-docker-scan)**\n - **[Contributing](#contributing)**\n\n## How to use it\n\n### Login and Third Party Providers\n\nYou need to be logged into the Docker Hub in order to use the `docker scan` command.\nDocker Scan works with third party providers to detect vulnerabilities,\nthe plugin will ask for your consent before sending any data to the provider.\n```console\n$ docker scan hello-world\n? Docker Scan relies upon access to Snyk a third party provider, do you consent to proceed using Snyk? (y/N)\n```\n\n### Scanning\n\nDocker Scan allows you to scan existing Docker images by name or ID.\n\n* You can then use `docker scan DOCKER_IMAGE`:\n```console\n$ docker scan hello-world\n\n Testing hello-world...\n\n Organization: docker-desktop-test\n Package manager: linux\n Project name: docker-image|hello-world\n Docker image: hello-world\n Licenses: enabled\n\n ✓ Tested 0 dependencies for known issues, no vulnerable paths found.\n\n Note that we do not currently have vulnerability data for your image.\n```\n\nIf you want more details, you can provide the Dockerfile used to create the image\n* the syntax is `docker scan -f PATH_TO_DOCKERFILE DOCKER_IMAGE`\n\nIf we apply the option to the current repository, we have:\n```console\n$ docker scan -f Dockerfile docker-scan:e2e\nTesting docker-scan:e2e\n...\n✗ High severity vulnerability found in perl\n Description: Integer Overflow or Wraparound\n Info: https://snyk.io/vuln/SNYK-DEBIAN10-PERL-570802\n Introduced through: git@1:2.20.1-2+deb10u3, meta-common-packages@meta\n From: git@1:2.20.1-2+deb10u3 \u003e perl@5.28.1-6\n From: git@1:2.20.1-2+deb10u3 \u003e liberror-perl@0.17027-2 \u003e perl@5.28.1-6\n From: git@1:2.20.1-2+deb10u3 \u003e perl@5.28.1-6 \u003e perl/perl-modules-5.28@5.28.1-6\n and 3 more...\n Introduced by your base image (golang:1.14.6)\n\n\n\nOrganization: docker-desktop-test\nPackage manager: deb\nTarget file: Dockerfile\nProject name: docker-image|99138c65ebc7\nDocker image: 99138c65ebc7\nBase image: golang:1.14.6\nLicenses: enabled\n\nTested 200 dependencies for known issues, found 157 issues.\n\nAccording to our scan, you are currently using the most secure version of the selected base image\n```\n\nWhen using the `scan` command with the `-f` flag, you can exclude the base image (i.e.: that specified in the Dockerfile with the `FROM` directive) vulnerabilities from your report by adding the `--exclude-base` tag.\n```console\n$ docker scan -f Dockerfile --exclude-base docker-scan:e2e\nTesting docker-scan:e2e\n...\n✗ Medium severity vulnerability found in libidn2/libidn2-0\n Description: Improper Input Validation\n Info: https://snyk.io/vuln/SNYK-DEBIAN10-LIBIDN2-474100\n Introduced through: iputils/iputils-ping@3:20180629-2+deb10u1, wget@1.20.1-1.1, curl@7.64.0-4+deb10u1, git@1:2.20.1-2+deb10u3\n From: iputils/iputils-ping@3:20180629-2+deb10u1 \u003e libidn2/libidn2-0@2.0.5-1+deb10u1\n From: wget@1.20.1-1.1 \u003e libidn2/libidn2-0@2.0.5-1+deb10u1\n From: curl@7.64.0-4+deb10u1 \u003e curl/libcurl4@7.64.0-4+deb10u1 \u003e libidn2/libidn2-0@2.0.5-1+deb10u1\n and 3 more...\n Introduced in your Dockerfile by 'RUN apk add -U --no-cache wget tar'\n\n\n\nOrganization: docker-desktop-test\nPackage manager: deb\nTarget file: Dockerfile\nProject name: docker-image|99138c65ebc7\nDocker image: 99138c65ebc7\nBase image: golang:1.14.6\nLicenses: enabled\n\nTested 200 dependencies for known issues, found 16 issues.\n```\n\nYou can also display the scan result as a JSON output by adding the `--json` flag to the command:\n```console\n$ docker scan --json hello-world\n{\n \"vulnerabilities\": [],\n \"ok\": true,\n \"dependencyCount\": 0,\n \"org\": \"docker-desktop-test\",\n \"policy\": \"# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\\nversion: v1.19.0\\nignore: {}\\npatch: {}\\n\",\n \"isPrivate\": true,\n \"licensesPolicy\": {\n \"severities\": {},\n \"orgLicenseRules\": {\n \"AGPL-1.0\": {\n \"licenseType\": \"AGPL-1.0\",\n \"severity\": \"high\",\n \"instructions\": \"\"\n },\n ...\n \"SimPL-2.0\": {\n \"licenseType\": \"SimPL-2.0\",\n \"severity\": \"high\",\n \"instructions\": \"\"\n }\n }\n },\n \"packageManager\": \"linux\",\n \"ignoreSettings\": null,\n \"docker\": {\n \"baseImageRemediation\": {\n \"code\": \"SCRATCH_BASE_IMAGE\",\n \"advice\": [\n {\n \"message\": \"Note that we do not currently have vulnerability data for your image.\",\n \"bold\": true,\n \"color\": \"yellow\"\n }\n ]\n },\n \"binariesVulns\": {\n \"issuesData\": {},\n \"affectedPkgs\": {}\n }\n },\n \"summary\": \"No known vulnerabilities\",\n \"filesystemPolicy\": false,\n \"uniqueCount\": 0,\n \"projectName\": \"docker-image|hello-world\",\n \"path\": \"hello-world\"\n}\n```\n\nIn addition to the `--json` flag, you can use the `--group-issues` flag to display only once a vulnerability\n```console\n$ docker scan --json --group-issues docker-scan:e2e\n{\n {\n \"title\": \"Improper Check for Dropped Privileges\",\n ...\n \"packageName\": \"bash\",\n \"language\": \"linux\",\n \"packageManager\": \"debian:10\",\n \"description\": \"## Overview\\nAn issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support \\\"saved UID\\\" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use \\\"enable -f\\\" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. However, binaries running with an effective UID of 0 are unaffected.\\n\\n## References\\n- [CONFIRM](https://security.netapp.com/advisory/ntap-20200430-0003/)\\n- [Debian Security Tracker](https://security-tracker.debian.org/tracker/CVE-2019-18276)\\n- [GitHub Commit](https://github.com/bminor/bash/commit/951bdaad7a18cc0dc1036bba86b18b90874d39ff)\\n- [MISC](http://packetstormsecurity.com/files/155498/Bash-5.0-Patch-11-Privilege-Escalation.html)\\n- [MISC](https://www.youtube.com/watch?v=-wGtxJ8opa8)\\n- [Ubuntu CVE Tracker](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-18276)\\n\",\n \"identifiers\": {\n \"ALTERNATIVE\": [],\n \"CVE\": [\n \"CVE-2019-18276\"\n ],\n \"CWE\": [\n \"CWE-273\"\n ]\n },\n \"severity\": \"low\",\n \"severityWithCritical\": \"low\",\n \"cvssScore\": 7.8,\n \"CVSSv3\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F\",\n ...\n \"from\": [\n \"docker-image|docker-scan@e2e\",\n \"bash@5.0-4\"\n ],\n \"upgradePath\": [],\n \"isUpgradable\": false,\n \"isPatchable\": false,\n \"name\": \"bash\",\n \"version\": \"5.0-4\"\n },\n ...\n \"summary\": \"880 vulnerable dependency paths\",\n \"filesystemPolicy\": false,\n \"filtered\": {\n \"ignore\": [],\n \"patch\": []\n },\n \"uniqueCount\": 158,\n \"projectName\": \"docker-image|docker-scan\",\n \"platform\": \"linux/amd64\",\n \"path\": \"docker-scan:e2e\"\n}\n```\nYou can find all the sources of the vulnerability in the `from` section.\n\nIf you want to see the dependency tree of your image, you can use the `--dependency-tree` flag, to display all the dependencies before the scan result\n```console\n$ docker-image|99138c65ebc7 @ latest\n ├─ ca-certificates @ 20200601~deb10u1\n │ └─ openssl @ 1.1.1d-0+deb10u3\n │ └─ openssl/libssl1.1 @ 1.1.1d-0+deb10u3\n ├─ curl @ 7.64.0-4+deb10u1\n │ └─ curl/libcurl4 @ 7.64.0-4+deb10u1\n │ ├─ e2fsprogs/libcom-err2 @ 1.44.5-1+deb10u3\n │ ├─ krb5/libgssapi-krb5-2 @ 1.17-3\n │ │ ├─ e2fsprogs/libcom-err2 @ 1.44.5-1+deb10u3\n │ │ ├─ krb5/libk5crypto3 @ 1.17-3\n │ │ │ └─ krb5/libkrb5support0 @ 1.17-3\n │ │ ├─ krb5/libkrb5-3 @ 1.17-3\n │ │ │ ├─ e2fsprogs/libcom-err2 @ 1.44.5-1+deb10u3\n │ │ │ ├─ krb5/libk5crypto3 @ 1.17-3\n │ │ │ ├─ krb5/libkrb5support0 @ 1.17-3\n │ │ │ └─ openssl/libssl1.1 @ 1.1.1d-0+deb10u3\n │ │ └─ krb5/libkrb5support0 @ 1.17-3\n │ ├─ libidn2/libidn2-0 @ 2.0.5-1+deb10u1\n │ │ └─ libunistring/libunistring2 @ 0.9.10-1\n │ ├─ krb5/libk5crypto3 @ 1.17-3\n │ ├─ krb5/libkrb5-3 @ 1.17-3\n │ ├─ openldap/libldap-2.4-2 @ 2.4.47+dfsg-3+deb10u2\n │ │ ├─ gnutls28/libgnutls30 @ 3.6.7-4+deb10u4\n │ │ │ ├─ nettle/libhogweed4 @ 3.4.1-1\n │ │ │ │ └─ nettle/libnettle6 @ 3.4.1-1\n │ │ │ ├─ libidn2/libidn2-0 @ 2.0.5-1+deb10u1\n │ │ │ ├─ nettle/libnettle6 @ 3.4.1-1\n │ │ │ ├─ p11-kit/libp11-kit0 @ 0.23.15-2\n │ │ │ │ └─ libffi/libffi6 @ 3.2.1-9\n │ │ │ ├─ libtasn1-6 @ 4.13-3\n │ │ │ └─ libunistring/libunistring2 @ 0.9.10-1\n │ │ ├─ cyrus-sasl2/libsasl2-2 @ 2.1.27+dfsg-1+deb10u1\n │ │ │ └─ cyrus-sasl2/libsasl2-modules-db @ 2.1.27+dfsg-1+deb10u1\n │ │ │ └─ db5.3/libdb5.3 @ 5.3.28+dfsg1-0.5\n │ │ └─ openldap/libldap-common @ 2.4.47+dfsg-3+deb10u2\n │ ├─ nghttp2/libnghttp2-14 @ 1.36.0-2+deb10u1\n │ ├─ libpsl/libpsl5 @ 0.20.2-2\n │ │ ├─ libidn2/libidn2-0 @ 2.0.5-1+deb10u1\n │ │ └─ libunistring/libunistring2 @ 0.9.10-1\n │ ├─ rtmpdump/librtmp1 @ 2.4+20151223.gitfa8646d.1-2\n │ │ ├─ gnutls28/libgnutls30 @ 3.6.7-4+deb10u4\n │ │ ├─ nettle/libhogweed4 @ 3.4.1-1\n │ │ └─ nettle/libnettle6 @ 3.4.1-1\n │ ├─ libssh2/libssh2-1 @ 1.8.0-2.1\n │ │ └─ libgcrypt20 @ 1.8.4-5\n │ └─ openssl/libssl1.1 @ 1.1.1d-0+deb10u3\n ├─ gnupg2/dirmngr @ 2.2.12-1+deb10u1\n ...\n\nOrganization: docker-desktop-test\nPackage manager: deb\nProject name: docker-image|99138c65ebc7\nDocker image: 99138c65ebc7\nLicenses: enabled\n\nTested 200 dependencies for known issues, found 157 issues.\n```\nIf you want to only display some level of vulnerabilities, the `--severity` flag allows you to choose between 3 levels of\nvulnerabilities `low`,`medium` or `high`. By using this tag you will only report vulnerabilities of the provided level\n or higher.\n\n ```console\n$ docker scan --severity=medium docker-scan:e2e\n./bin/docker-scan_darwin_amd64 scan --severity=medium docker-scan:e2e\n\nTesting docker-scan:e2e...\n\n✗ Medium severity vulnerability found in sqlite3/libsqlite3-0\n Description: Divide By Zero\n Info: https://snyk.io/vuln/SNYK-DEBIAN10-SQLITE3-466337\n Introduced through: gnupg2/gnupg@2.2.12-1+deb10u1, subversion@1.10.4-1+deb10u1, mercurial@4.8.2-1+deb10u1\n From: gnupg2/gnupg@2.2.12-1+deb10u1 \u003e gnupg2/gpg@2.2.12-1+deb10u1 \u003e sqlite3/libsqlite3-0@3.27.2-3\n From: subversion@1.10.4-1+deb10u1 \u003e subversion/libsvn1@1.10.4-1+deb10u1 \u003e sqlite3/libsqlite3-0@3.27.2-3\n From: mercurial@4.8.2-1+deb10u1 \u003e python-defaults/python@2.7.16-1 \u003e python2.7@2.7.16-2+deb10u1 \u003e python2.7/libpython2.7-stdlib@2.7.16-2+deb10u1 \u003e sqlite3/libsqlite3-0@3.27.2-3\n\n✗ Medium severity vulnerability found in sqlite3/libsqlite3-0\n Description: Uncontrolled Recursion\n...\n✗ High severity vulnerability found in binutils/binutils-common\n Description: Missing Release of Resource after Effective Lifetime\n Info: https://snyk.io/vuln/SNYK-DEBIAN10-BINUTILS-403318\n Introduced through: gcc-defaults/g++@4:8.3.0-1\n From: gcc-defaults/g++@4:8.3.0-1 \u003e gcc-defaults/gcc@4:8.3.0-1 \u003e gcc-8@8.3.0-6 \u003e binutils@2.31.1-16 \u003e binutils/binutils-common@2.31.1-16\n From: gcc-defaults/g++@4:8.3.0-1 \u003e gcc-defaults/gcc@4:8.3.0-1 \u003e gcc-8@8.3.0-6 \u003e binutils@2.31.1-16 \u003e binutils/libbinutils@2.31.1-16 \u003e binutils/binutils-common@2.31.1-16\n From: gcc-defaults/g++@4:8.3.0-1 \u003e gcc-defaults/gcc@4:8.3.0-1 \u003e gcc-8@8.3.0-6 \u003e binutils@2.31.1-16 \u003e binutils/binutils-x86-64-linux-gnu@2.31.1-16 \u003e binutils/binutils-common@2.31.1-16\n and 4 more...\n\nOrganization: docker-desktop-test\nPackage manager: deb\nProject name: docker-image|docker-scan\nDocker image: docker-scan:e2e\nPlatform: linux/amd64\nLicenses: enabled\n\nTested 200 dependencies for known issues, found 37 issues.\n```\n\n### Provider Authentication\n\nIf you have an existing Snyk account, you can directly use your auth token\n```console\n$ docker scan --login --token PROVIDER_AUTH_TOKEN\n```\n\nYou need to get a Snyk [API token](https://app.snyk.io/account) and then use it like this\n```console\n$ docker scan --login --token c68dc480-27bd-45ee-9f5c-XXXXXXXXXXXX\n\nYour account has been authenticated. Snyk is now ready to be used.\n```\n\nIf you use the `--login` command without any token, you will be redirected to the Snyk website to login.\n\n## Install Docker Scan\n\n### On macOS \u0026 Windows:\n\nDocker Desktop comes with Docker scan already installed.\nJust try to use the plugin, open a terminal and write the following command:\n\n```console\n$ docker scan\nUsage: docker scan [OPTIONS] IMAGE\n\nA tool to scan your images\n\nOptions:\n --accept-license Accept using a third party scanning provider\n --dependency-tree Show dependency tree with scan results\n --exclude-base Exclude base image from vulnerability scanning (requires --file)\n -f, --file string Dockerfile associated with image, provides more detailed results\n --json Output results in JSON format\n --login Authenticate to the scan provider using an optional token (with --token), or web base token if empty\n --reject-license Reject using a third party scanning provider\n --token string Authentication token to login to the third party scanning provider\n --version Display version of the scan plugin\n```\n\nIf you get the following error message, you're not using the latest version of Docker Desktop\n`docker: 'scan' is not a docker command.`\n\n### On Linux\n\nDocker packaging on Linux comes with Docker scan plugin.\nYou can simply install Docker following the [standard linux install](https://docs.docker.com/engine/install/#server)\n\nJust try to use the plugin, open a terminal and type the following command:\n\n```console\n$ docker scan\nUsage: docker scan [OPTIONS] IMAGE\n```\n\nIf you get the following error message, you're not using the latest version of Docker on Linux\n`docker: 'scan' is not a docker command.`\n\nAlternatively, you can manually install the scan docker plugin on top of your existing docker setup :\nDownload the binary from the latest release and copy it in the `cli-plugins` directory\n```sh\nmkdir -p ~/.docker/cli-plugins \u0026\u0026 \\\ncurl https://github.com/docker/scan-cli-plugin/releases/latest/download/docker-scan_linux_amd64 -L -s -S -o ~/.docker/cli-plugins/docker-scan \u0026\u0026\\\nchmod +x ~/.docker/cli-plugins/docker-scan\n```\n\n## How to build docker scan\n\nYou'll find all the commands to build, run and test Docker Scan inside the [`BUILDING.md`](./BUILDING.md) file.\n\n## Contributing\n\nWant to contribute to Docker Scan? Awesome!\nFirst be sure to read the [Code of conduct](./CODE_OF_CONDUCT.md).\nYou can find information about contributing to this project in the [`CONTRIBUTING.md`](./CONTRIBUTING.md)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdocker-archive-public%2Fdocker.scan-cli-plugin","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdocker-archive-public%2Fdocker.scan-cli-plugin","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdocker-archive-public%2Fdocker.scan-cli-plugin/lists"}