docker scout policy

July 2, 2026

Evaluate local Rego policies against an image and display the results (experimental)

Subcommands

| Name | Description |
|------|-------------|
| publish | Package local Rego policies into an OCI bundle and push it to a registry (experimental) |

Options

| Name | Type | Default | Description |
|------|------|---------|-------------|
| -e, --exit-code | | | Return exit code '2' if policies are not met, '0' otherwise |
| --only-policy | stringSlice | | Comma separated list of policies to evaluate |
| --org | string | | Namespace of the Docker organization |
| -o, --output | string | | Write the report to a file |
| --platform | string | | Platform of image to evaluate policies against |
| --policy-bundle | stringArray | | OCI reference of a policy bundle to evaluate (repeatable) |
| --policy-config | string | | Path or http(s) URL to a JSON file configuring policy enablement and inputs |
| --policy-dir | stringArray | | Path to a directory of local .rego policy files (repeatable) |
| --policy-file | stringArray | | Path or http(s) URL to a .rego policy file (repeatable) |
| --result-file | string | | Write the full Rego evaluation result (pass, violations, query bindings and OPA metrics) of each evaluated policy to a JSON file (useful when iterating on local --policy-file policies) |

Description

The docker scout policy command evaluates policies against an image. The image analysis is uploaded to Docker Scout where policies get evaluated.

The policy evaluation results may take a few minutes to become available.

Examples

Evaluate policies against an image and display the results

$ docker scout policy dockerscoutpolicy/customers-api-service:0.0.1

Evaluate policies against an image for a specific organization

$ docker scout policy dockerscoutpolicy/customers-api-service:0.0.1 --org dockerscoutpolicy

Evaluate policies against an image with a specific platform

$ docker scout policy dockerscoutpolicy/customers-api-service:0.0.1 --platform linux/amd64

Compare policy results for a repository in a specific environment

$ docker scout policy dockerscoutpolicy/customers-api-service --to-env production
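
Gate a CI job on the policy result (an added example, not part of the Docker documentation). It uses only options from the table above; the function name scout_gate, the ./policies directory, the report file names and the gate's own return codes are assumptions. Any exit code other than '0' or '2' is treated as an evaluation that did not run, and the gate blocks.

```shell
#!/bin/sh
# Added example: CI gate around `docker scout policy --exit-code`.
# Assumed names (not from the docs page): scout_gate, ./policies,
# scout-report.txt, scout-result.json, and the gate's return codes 0/1/3.

scout_gate() {
    image=$1
    policy_dir=${2:-./policies}   # assumed location of the local .rego files

    if [ -z "$image" ]; then
        echo "usage: scout_gate IMAGE [POLICY_DIR]" >&2
        return 3
    fi

    # Capture the exit code without tripping `set -e` in the calling script.
    rc=0
    docker scout policy "$image" \
        --policy-dir "$policy_dir" \
        --exit-code \
        --output scout-report.txt \
        --result-file scout-result.json || rc=$?

    case $rc in
        0)  echo "policies met: $image"
            return 0 ;;
        2)  # Documented meaning of 2 with --exit-code: policies are not met.
            echo "policies NOT met: $image (see scout-report.txt)" >&2
            return 1 ;;
        *)  # Assumption: any other code means the evaluation itself failed
            # (bad reference, no login, network). Fail closed so that an
            # image that was never evaluated cannot pass the gate.
            echo "docker scout exited with $rc; blocking $image" >&2
            return 3 ;;
    esac
}

# Run only when an image is passed on the command line.
if [ "$#" -gt 0 ]; then
    scout_gate "$@"
    exit $?
fi
```

The gate returns 1 for a policy violation and 3 for a tool or usage error, so a pipeline can report the two cases differently while blocking on both.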