MCP Server for Docker Scout - Container security scanning via Model Context Protocol.
Part of the ry-ops fabric ecosystem.
eagle-scout acts as a bridge between AI assistants and Docker Scout, translating natural language requests into security scans and returning structured results.
- CVE Scanning - Scan container images for vulnerabilities
- Quick Overview - Get instant security summaries
- Image Comparison - Diff two images for security changes
- SBOM Generation - Software Bill of Materials in SPDX/CycloneDX
- Recommendations - Base image update suggestions
- Policy Evaluation - Check images against security policies
- Attestations - Manage supply chain attestations
- VEX Management - Vulnerability Exploitability eXchange
- Environment Management - List and set Scout environments
- Cache Management - Manage local Scout cache
- Continuous Monitoring - Enable/disable Scout watch
eagle-scout ships a companion Docker Desktop extension that brings security scanning directly into the Docker Desktop UI — no CLI required.
Install the extension:
```bash
docker extension install ryops/eagle-scout-extension:latest
```

The extension provides:
- Image picker — select any local image from a dropdown
- One-click scan — Quickview, CVEs, and Recommendations all populate at once
- Quickview tab — vulnerability summary (critical/high/medium/low counts)
- CVEs tab — full vulnerability list with package details and fix versions
- Recommendations tab — base image update suggestions from Docker Scout, with a plain-language alert for images built without provenance attestations
Source: ry-ops/eagle-scout-extension
- Docker Desktop 4.17+ (includes Docker Scout)
- Or: Docker Engine + Docker Scout CLI plugin
```bash
docker extension install ryops/eagle-scout-extension:latest
```

Multi-arch images are published for linux/amd64 and linux/arm64, so they run natively on Intel and Apple Silicon.

```bash
docker pull ryops/eagle-scout:1.2.9
```

Also available on GitHub Container Registry:

```bash
docker pull ghcr.io/ry-ops/eagle-scout:1.2.9
```

```bash
go install github.com/ry-ops/eagle-scout/cmd/eagle-scout@latest
```

Download from Releases: available for Linux, macOS, and Windows (amd64/arm64).
Add to ~/Library/Application Support/Claude/claude_desktop_config.json:
```json
{
  "mcpServers": {
    "eagle-scout": {
      "command": "docker",
      "args": [
        "run", "-i", "--rm",
        "-v", "/var/run/docker.sock:/var/run/docker.sock",
        "-v", "${HOME}/.docker/config.json:/root/.docker/config.json:ro",
        "ryops/eagle-scout:1.2.9"
      ]
    }
  }
}
```

```bash
claude mcp add eagle-scout --transport stdio -- docker run -i --rm \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v ~/.docker/config.json:/root/.docker/config.json:ro \
  ryops/eagle-scout:latest
```

| Tool | Description |
|---|---|
| `scout_cves` | Scan image for CVEs with severity filtering |
| `scout_quickview` | Quick security overview of an image |
| `scout_compare` | Compare two images for security differences |
| `scout_sbom` | Generate SBOM (SPDX, CycloneDX, JSON) |
| `scout_recommendations` | Get base image update suggestions |
| `scout_policy` | Evaluate images against security policies |
| `scout_attestation` | Manage attestations on images |
| `scout_repo` | Enable/disable Scout on repositories |
| `scout_vex` | Manage VEX statements (add/list) |
| `scout_environment` | Manage environments (list/set) |
| `scout_cache` | Manage local cache (df/prune) |
| `scout_enroll` | Enroll organization with Docker Scout |
| `scout_watch` | Enable/disable continuous monitoring |
> Use scout_cves to scan ryops/aiana:latest for critical vulnerabilities
> Use scout_compare to see what changed between ryops/aiana:v1.0.0 and ryops/aiana:latest
> Use scout_sbom to generate a CycloneDX SBOM for my-app:latest
> Use scout_recommendations to see if there's a better base image for my-app:latest
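
The client configurations shown earlier mount `/var/run/docker.sock` into the container, which lets it drive the host's Docker daemon, and the `claude mcp add` form uses the floating `:latest` tag. The following audit of an MCP client config for those launch options is an added example, not part of eagle-scout; the finding names, the flag list and the second server name `eagle-scout-latest` are assumptions made for the illustration.

```python
import json
# Constructed sample: both launch forms from this page; "eagle-scout-latest" is a made-up name.
SAMPLE_CONFIG = """{"mcpServers": {
  "eagle-scout": {"command": "docker", "args": ["run", "-i", "--rm",
    "-v", "/var/run/docker.sock:/var/run/docker.sock",
    "-v", "${HOME}/.docker/config.json:/root/.docker/config.json:ro",
    "ryops/eagle-scout:1.2.9"]},
  "eagle-scout-latest": {"command": "docker", "args": ["run", "-i", "--rm",
    "-v", "/var/run/docker.sock:/var/run/docker.sock",
    "-v", "~/.docker/config.json:/root/.docker/config.json:ro",
    "ryops/eagle-scout:latest"]}}}"""

# docker run options that take a value in the next argument (partial list).
VALUE_FLAGS = {"-v", "--volume", "-e", "--env", "--name", "--network", "-u", "--user"}

def audit_docker_args(args):
    """Return sorted finding codes (names are this example's own) for `docker run` args."""
    if not args or args[0] != "run":
        return []
    findings, image, i = set(), None, 1
    while i < len(args) and image is None:
        arg = args[i]
        if arg in ("-v", "--volume") and i + 1 < len(args):
            parts = args[i + 1].split(":")  # src:dst[:options], POSIX paths only
            opts = parts[2].split(",") if len(parts) > 2 else []
            if parts[0].endswith("docker.sock"):
                findings.add("docker-socket")  # ":ro" would not limit API calls
            elif "ro" not in opts:
                findings.add("writable-mount")
        if arg in VALUE_FLAGS:
            i += 2
        elif arg.startswith("-"):
            i += 1
        else:
            image = arg  # first positional argument is the image reference
    if image and "@sha256:" not in image:
        findings.add("no-digest")  # a tag can be re-pointed, a digest cannot
        if ":" not in image.rsplit("/", 1)[-1] or image.endswith(":latest"):
            findings.add("floating-tag")
    return sorted(findings)

def audit_mcp_config(text):
    """Map each docker-launched MCP server name to its findings."""
    servers = json.loads(text).get("mcpServers", {})
    return {name: audit_docker_args(s.get("args", []))
            for name, s in servers.items() if s.get("command") == "docker"}

if __name__ == "__main__":
    print(json.dumps(audit_mcp_config(SAMPLE_CONFIG), indent=2))
```

Pass the contents of `claude_desktop_config.json` to `audit_mcp_config` to check a real client setup.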
eagle-scout ships a docker-compose.yml with Watchtower configured to pull the latest image nightly:
```bash
docker compose up -d
```

Watchtower checks for updates every night at 3am and cleans up old images automatically.
All pushes to main run through security gates before publishing:
- Build & Test - Compile and run tests
- Security Scan - Docker Scout CVE scanning (blocks on critical/high CVEs)
- Policy Check - Non-root user, no secrets, minimal attack surface
- Multi-arch Verify - Validates linux/amd64 and linux/arm64 builds
On merge to main, multi-arch images are published to Docker Hub and GHCR with provenance=mode=max and SBOM attestations. Version tags (v*) trigger full releases with binaries for 5 platforms.
eagle-scout is part of the ry-ops fabric:
| Fabric | Language | Role |
|---|---|---|
| git-steer | TypeScript | GitHub repo management |
| aiana | Python | Semantic memory |
| n8n-fabric | Python | Workflow automation |
| eagle-scout | Go | Container security |
| eagle-scout-extension | Go + HTML | Docker Desktop UI |
```bash
# Clone
git clone https://github.com/ry-ops/eagle-scout
cd eagle-scout

# Build
go build -o eagle-scout ./cmd/eagle-scout

# Run
./eagle-scout

# Test
go test ./...
```

MIT License - see LICENSE file.
Docker Hub: ryops/eagle-scout | GHCR: ghcr.io/ry-ops/eagle-scout | Extension: ryops/eagle-scout-extension
Version: 1.2.9