GitHub Action to run the Docker Scout CLI as part of your workflows.
You can pick one of the following commands to run:
quickview: get a quick overview of an image, base image and available recommendationscompare: compare an image to a second one (for instance to latest)cves: display vulnerabilities of an imagerecommendations: display available base image updates and remediation recommendationssbom: generate the SBOM of the imageenvironment: record an image to an environmentattestation-add: add attestation to an existing imageYou can run one or multiple commands in the same GitHub Action run. Use a comma separated list to run several commands.
command |
required | string |
Single command to run or comma separated list of commands to run in order. |
Possible values:
|
The commands will be run in the order of the value, and will share the same parameters. If a command exits non-zero (for example when exit-code is true), the action step stops and the remaining commands are not executed.
For instance, if you built an image and want to display a quickview as well as to compare it against the latest
indexed one, set the action as following:
command: quickview,compare
image: ${{ steps.meta.outputs.tags }}
to-latest: true
To use scout features you need to be authenticated against Docker Hub.
You can use the parameters below to authenticate, or you can use the
docker/login-action.
dockerhub-user |
optional | string |
Docker Hub user id |
dockerhub-password |
optional | string |
Docker Hub password or PAT |
registry-user |
required to pull from other private registry | string |
Registry user id to pull images |
registry-password |
required to pull from other private registry | string |
Registry password or PAT to pull images |
image |
optional (*) | string |
Prefixed name of the image, directory or archive to operate on |
platform |
optional current platform by default | string |
Platform of the image to analyze (or the current platform) |
ref |
optional default is empty | string |
Reference to use if the provided tarball containers multiple images, only with archives |
(*) If image is not set (or empty) the most recently built image, if any, will be used instead.
The image field can be prefixed to indicate the type of content to analyse.
If no prefix is set, the image:// prefix is used.
Available prefixes:
image://: optional prefix, the target is an image that first will be resolved locally then, if not found, will be
resolved to the associated registrylocal://: only resolve the image from the local image storeregistry://: do not use the local image store, only use the registryoci-dir://: local directory to be read as an OCI directoryarchive://: image archive generated by docker save command, as a tar filefs://: local directory or filesbom:// SPDX file or in-toto attestation file with SPDX predicate or syft json SBOM fileNamespace of the Docker Organization is required to match the query with the right data.
When using environments (for instance to compare an image to the one from a defined environment, or when comparing to
the latest indexed) organization parameter is required.
organization |
required to compare to environments/latest indexed |
required to manage environments
optional in other cases, default empty | string | Namespace of the Docker organization |
By default the Markdown output of the command (if supported) will be displayed as a Job Summary. This can be disabled if needed.
summary |
optional default is true |
boolean |
Display output as Job Summary |
When triggered by a pull_request event, the output of the scout command can be written as a comment.
This behaviour is enabled by default.
By default one single comment per job step will be kept and updated at each run.
If you prefer to keep previous comments but hide them, set the keep-previous-comments parameter to true.
pull-requests: write permission is required to allow the GitHub action to create the comment.
github-token |
optional default is github.token |
string |
GitHub Token to create the comment |
write-comment |
optional default is true |
boolean |
Boolean, write a comment with scout output |
keep-previous-comments |
optional default is false |
boolean |
If set, keep but hide previous comment. If not set, keep and update one single comment per job |
The text version of the command output will be displayed in the logs. The markdown version (if exists) of the command output will be set as an output of the step, using the command name as identifier, and will be displayed as Pull Request comment or Step Summary.
compare Inputsto |
required | string |
Prefixed name of the image, directory or archive to compare with |
to-ref |
optional default is empty | string |
Reference to use if the provided tarball containers multiple images, only with archives |
See Prefix above about the available prefixes for the to argument.
to-env |
(*) | string |
Name of the environment to compare with |
to-stream |
deprecated (*) | string |
Name of the stream to compare with |
to-latest |
(*) | boolean |
Compare to latest indexed image |
(*) One and only one needs to be defined.
ignore-unchanged |
optional default is false |
boolean |
Filter out unchanged packages |
only-severities |
optional default is empty (all severities) | string |
Comma separated list of severities (critical, high, medium, low, unspecified) to filter CVEs by |
only-package-types |
optional default is empty (all types) | string |
Comma separated list of package types (like apk, deb, rpm, npm, pypi, golang, etc) |
only-fixed |
optional default is false |
boolean |
Filter to fixable CVEs |
only-unfixed |
optional default is false |
boolean |
Filter to unfixed CVEs |
only-cisa-kev |
optional default is false |
boolean |
Filter to CVEs listed in the CISA Known Exploited Vulnerabilities catalog |
exit-code |
optional default is false |
boolean |
Return exit code 2 if vulnerability changes are detected |
exit-on |
optional default is empty | string |
"(compare only) Comma separated list of conditions to fail the action step if worsened, options are: vulnerability, policy" |
cves Inputsonly-severities |
optional default is empty (all severities) | string |
Comma separated list of severities (critical, high, medium, low, unspecified) to filter CVEs by |
only-package-types |
optional default is empty (all types) | string |
Comma separated list of package types (like apk, deb, rpm, npm, pypi, golang, etc) |
only-fixed |
optional default is false |
boolean |
Filter to fixable CVEs |
only-unfixed |
optional default is false |
boolean |
Filter to unfixed CVEs |
ignore-base |
optional default is false |
boolean |
Ignore base image vulnerabilities |
sarif-file |
optional default is empty (no output file) | string |
Write output to a SARIF file for further processing or upload into GitHub code scanning |
only-vex-affected |
optional default is false |
boolean |
Filter out CVEs that are marked not affected by a VEX statement |
vex-author |
optional default is empty | string |
List of VEX statement authors to accept |
vex-location |
optional default is empty | string |
File location of directory or file containing VEX statement |
ignore-suppressed |
optional default is false |
boolean |
Filter out CVEs affected by Scout suppressions |
sbom Inputs$ claude mcp add scout-action \
-- python -m otcore.mcp_server <graph>