Policy Evaluation
Policy Evaluation in Docker Scout lets you define supply chain rules for your
artifacts and evaluate compliance using the docker scout policy command. Run
evaluations locally, in CI pipelines, with custom Rego policies, or using OCI
bundles. See Evaluate policies.
How Policy Evaluation works
When you run docker scout policy, the CLI indexes the image into an SBOM and
enriches it with CVE and VEX data. It then evaluates each configured policy
in-process against that data. No data is sent to the Scout service, and an
organization is not required for most use cases.
A policy defines image quality criteria your artifacts should meet. For example, the No copyleft licenses policy flags any image containing packages distributed under a copyleft license. If an image contains such a package, it's non-compliant with that policy.
Policy types
Docker Scout includes the following built-in policy types:
- Severity-Based Vulnerability
- Compliant Licenses
- Up-to-Date Base Images
- High-Profile Vulnerabilities
- Supply Chain Attestations
- Default Non-Root User
- Approved Base Images
For configuration options for each policy type, see Evaluate policies.
Severity-Based Vulnerability
The Severity-Based Vulnerability policy type checks whether your artifacts are exposed to known vulnerabilities. By default, it flags critical and high severity vulnerabilities where a fix version is available.
Configurable parameters include severity levels, a grace period for newly disclosed CVEs, fixable-only filtering, and package type filtering.
Compliant Licenses
The Compliant Licenses policy type checks whether your images contain packages distributed under an inappropriate license. You can configure the list of licenses to flag and add package-level exceptions.
Up-to-Date Base Images
The Up-to-Date Base Images policy type checks whether the base images you use are current. Images are non-compliant if the tag you built from points to a different digest than what you're using.
Your images need provenance attestations for this policy to evaluate successfully. For more information, see No base image data.
High-Profile Vulnerabilities
The High-Profile Vulnerabilities policy type checks whether your images contain vulnerabilities from a curated list of widely recognized, high-impact CVEs, including Log4Shell, Spring4Shell, and XZ backdoor. The list is updated as new high-profile vulnerabilities are disclosed.
You can configure which CVEs are considered high-profile and enable tracking of CISA's Known Exploited Vulnerabilities catalog.
Supply Chain Attestations
The Supply Chain Attestations policy type checks whether your images have SBOM and provenance attestations. Images are non-compliant if they lack either attestation type.
To ensure compliance, build with attestations:
$ docker buildx build --provenance=true --sbom=true -t <IMAGE> --push .
Default Non-Root User
The Default Non-Root User policy type detects images configured to run as
the root user. Use the
USER Dockerfile instruction to set a
non-root default user for the runtime stage.
Approved Base Images
The Approved Base Images policy type ensures the base images you use match a configurable allowlist of glob patterns. Images are non-compliant if the base image reference doesn't match any of the allowed patterns.
Your images need provenance attestations for this policy to evaluate successfully. For more information, see No base image data.
No base image data
The Up-to-Date Base Images and Approved Base Images policies require provenance attestations to determine the base image used in your build. Without them, these policies report No data.
To ensure Docker Scout always has base image information, attach provenance attestations at build time:
$ docker buildx build --provenance=true -t <IMAGE> --push .
Policies page in the Dashboard
ImportantThe
docker scout policycommand brings policy evaluation directly to your CLI so you can evaluate any image locally, in CI, or with custom policies without needing the Dashboard. The Policies page in the Dashboard is deprecated and will be retired on September 1, 2026. See Evaluate policies.
The Docker Scout Dashboard previously provided a visual interface for tracking policy compliance across your organization's images. See Use the Policies page in the Dashboard.