MCPcopy Index your code
hub / github.com/docker/scout-action

github.com/docker/scout-action @v1.23.1

Chat with this repo
repository ↗ · DeepWiki ↗ · release v1.23.1 ↗ · + Follow
1,392 symbols 3,283 edges 3 files 216 documented · 16% updated 3d agov1.23.1 · 2026-07-04★ 14025 open issues
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

About

GitHub Action to run the Docker Scout CLI as part of your workflows.

You can pick one of the following commands to run:

  • quickview: get a quick overview of an image, base image and available recommendations
  • compare: compare an image to a second one (for instance to latest)
  • cves: display vulnerabilities of an image
  • recommendations: display available base image updates and remediation recommendations
  • sbom: generate the SBOM of the image
  • environment: record an image to an environment
  • attestation-add: add attestation to an existing image

Screenshot

Inputs

Command

You can run one or multiple commands in the same GitHub Action run. Use a comma separated list to run several commands.

command required string Single command to run or comma separated list of commands to run in order.

Possible values:

  • `quickview`
  • `compare`
  • `cves`
  • `recommendations`
  • `sbom`
  • `environment`
  • `attestation-add`

|

The commands will be run in the order of the value, and will share the same parameters. If a command exits non-zero (for example when exit-code is true), the action step stops and the remaining commands are not executed.

For instance, if you built an image and want to display a quickview as well as to compare it against the latest indexed one, set the action as following:

command: quickview,compare
image: ${{ steps.meta.outputs.tags }}
to-latest: true

Authentication

Login to Docker Hub

To use scout features you need to be authenticated against Docker Hub.

You can use the parameters below to authenticate, or you can use the docker/login-action.

dockerhub-user optional string Docker Hub user id
dockerhub-password optional string Docker Hub password or PAT

Login to a registry to pull private images (non Docker Hub)

registry-user required to pull from other private registry string Registry user id to pull images
registry-password required to pull from other private registry string Registry password or PAT to pull images

Common Inputs

Image

image optional (*) string Prefixed name of the image, directory or archive to operate on
platform optional current platform by default string Platform of the image to analyze (or the current platform)
ref optional default is empty string Reference to use if the provided tarball containers multiple images, only with archives

(*) If image is not set (or empty) the most recently built image, if any, will be used instead.

Prefix

The image field can be prefixed to indicate the type of content to analyse. If no prefix is set, the image:// prefix is used.

Available prefixes:

  • image://: optional prefix, the target is an image that first will be resolved locally then, if not found, will be resolved to the associated registry
  • local://: only resolve the image from the local image store
  • registry://: do not use the local image store, only use the registry
  • oci-dir://: local directory to be read as an OCI directory
  • archive://: image archive generated by docker save command, as a tar file
  • fs://: local directory or file
  • sbom:// SPDX file or in-toto attestation file with SPDX predicate or syft json SBOM file

Organization namespace

Namespace of the Docker Organization is required to match the query with the right data.

When using environments (for instance to compare an image to the one from a defined environment, or when comparing to the latest indexed) organization parameter is required.

organization required to compare to environments/latest indexed

required to manage environments

optional in other cases, default empty | string | Namespace of the Docker organization |

Step Summary

By default the Markdown output of the command (if supported) will be displayed as a Job Summary. This can be disabled if needed.

summary optional default is true boolean Display output as Job Summary

Pull Request Comments

When triggered by a pull_request event, the output of the scout command can be written as a comment.

This behaviour is enabled by default.

By default one single comment per job step will be kept and updated at each run. If you prefer to keep previous comments but hide them, set the keep-previous-comments parameter to true.

pull-requests: write permission is required to allow the GitHub action to create the comment.

github-token optional default is github.token string GitHub Token to create the comment
write-comment optional default is true boolean Boolean, write a comment with scout output
keep-previous-comments optional default is false boolean If set, keep but hide previous comment. If not set, keep and update one single comment per job

Output

The text version of the command output will be displayed in the logs. The markdown version (if exists) of the command output will be set as an output of the step, using the command name as identifier, and will be displayed as Pull Request comment or Step Summary.

compare Inputs

Compare to an image

to required string Prefixed name of the image, directory or archive to compare with
to-ref optional default is empty string Reference to use if the provided tarball containers multiple images, only with archives

See Prefix above about the available prefixes for the to argument.

Compare to an environment

to-env (*) string Name of the environment to compare with
to-stream deprecated (*) string Name of the stream to compare with
to-latest (*) boolean Compare to latest indexed image

(*) One and only one needs to be defined.

Common Inputs

ignore-unchanged optional default is false boolean Filter out unchanged packages
only-severities optional default is empty (all severities) string Comma separated list of severities (critical, high, medium, low, unspecified) to filter CVEs by
only-package-types optional default is empty (all types) string Comma separated list of package types (like apk, deb, rpm, npm, pypi, golang, etc)
only-fixed optional default is false boolean Filter to fixable CVEs
only-unfixed optional default is false boolean Filter to unfixed CVEs
only-cisa-kev optional default is false boolean Filter to CVEs listed in the CISA Known Exploited Vulnerabilities catalog
exit-code optional default is false boolean Return exit code 2 if vulnerability changes are detected
exit-on optional default is empty string "(compare only) Comma separated list of conditions to fail the action step if worsened, options are: vulnerability, policy"

cves Inputs

only-severities optional default is empty (all severities) string Comma separated list of severities (critical, high, medium, low, unspecified) to filter CVEs by
only-package-types optional default is empty (all types) string Comma separated list of package types (like apk, deb, rpm, npm, pypi, golang, etc)
only-fixed optional default is false boolean Filter to fixable CVEs
only-unfixed optional default is false boolean Filter to unfixed CVEs
ignore-base optional default is false boolean Ignore base image vulnerabilities
sarif-file optional default is empty (no output file) string Write output to a SARIF file for further processing or upload into GitHub code scanning
only-vex-affected optional default is false boolean Filter out CVEs that are marked not affected by a VEX statement
vex-author optional default is empty string List of VEX statement authors to accept
vex-location optional default is empty string File location of directory or file containing VEX statement
ignore-suppressed optional default is false boolean Filter out CVEs affected by Scout suppressions

sbom Inputs

Core symbols most depended-on inside this repo

push
called by 142
index.js
on
called by 109
index.js
toString
called by 74
index.js
destroy
called by 72
index.js
emit
called by 60
index.js
write
called by 50
index.js
step
called by 42
index.js
get
called by 40
index.js

Shape

Function 671
Method 530
Class 191

Languages

TypeScript100%

Modules by API surface

index.js1,389 symbols
src/index.js3 symbols

For agents

$ claude mcp add scout-action \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact