Malware scanning

The Docker Hardened Image (DHI) pipeline scans for viruses and malware as part of the build process. The scan results are embedded as a signed attestation, which you can independently retrieve and verify.

How it works

Docker uses ClamAV, an open source antivirus engine, to scan every layer of each image. The scan runs automatically during the build process and checks all files in the image, including files inside archives, for known viruses and malware signatures.

The scan results are published as a signed attestation attached to the image. The attestation includes the full ClamAV scan report, including the number of files scanned, the virus signature database version, and whether any infected files were detected.

View the malware scan attestation

You can retrieve the malware scan attestation using the Docker Scout CLI.

  1. Use the docker scout attest get command with the virus scan predicate type:

    $ docker scout attest get \
      --predicate-type https://scout.docker.com/virus/v0.1 \
      --predicate \
      dhi.io/<image>:<tag>
    
    Note

    If the image exists locally on your device, you must prefix the image name with registry://. For example, use registry://dhi.io/python instead of dhi.io/python.

    For example:

    $ docker scout attest get \
      --predicate-type https://scout.docker.com/virus/v0.1 \
      --predicate \
      dhi.io/python:3.13
    

    The output is a JSON object containing the scanner used and the base64-encoded scan report:

    {
      "scanner": {
        "report": "<base64-encoded ClamAV report>",
        "uri": "clamav/clamav:stable"
      }
    }

    Decoding the report shows the full ClamAV output, ending with a scan summary:

    ----------- SCAN SUMMARY -----------
    Known viruses: 3627833
    Engine version: 1.5.2
    Scanned directories: 4
    Scanned files: 21
    Infected files: 0
    Data scanned: 44.90 MiB
    Data read: 23.88 MiB (ratio 1.88:1)
    Time: 11.473 sec (0 m 11 s)
    Start Date: 2026:04:12 02:36:19
    End Date:   2026:04:12 02:36:30

  2. Verify the attestation signature. To ensure the attestation is authentic and signed by Docker, run:

    $ docker scout attest get \
      --predicate-type https://scout.docker.com/virus/v0.1 \
      --verify \
      dhi.io/<image>:<tag> --platform <platform>
    

    If the attestation is valid, Docker Scout confirms the signature and shows the matching cosign verify command.
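
As an added example (not from the Docker documentation or the DHI tooling), the following Python helper takes the predicate JSON printed by docker scout attest get --predicate, decodes the base64 ClamAV report from scanner.report, parses the SCAN SUMMARY block, and fails closed when the summary is missing or reports infected files. The predicate and the report text it carries are constructed samples, not real scan output; the make_predicate helper exists only to build them.

```python
import base64
import json

SUMMARY_MARKER = "SCAN SUMMARY"

def make_predicate(report_text: str, uri: str = "clamav/clamav:stable") -> str:
    """Build a virus/v0.1-shaped predicate JSON; used here only to construct samples."""
    encoded = base64.b64encode(report_text.encode()).decode()
    return json.dumps({"scanner": {"report": encoded, "uri": uri}})

# Constructed sample in the shape the docs show, carrying a short made-up ClamAV report.
SAMPLE_PREDICATE = make_predicate("""\
/usr/bin/python3.13: OK
----------- SCAN SUMMARY -----------
Known viruses: 3627833
Engine version: 1.5.2
Scanned files: 21
Infected files: 0
Start Date: 2026:04:12 02:36:19
""")

def decode_report(predicate_json: str) -> str:
    """Return the ClamAV report text that is base64-encoded in scanner.report."""
    predicate = json.loads(predicate_json)
    return base64.b64decode(predicate["scanner"]["report"]).decode("utf-8", "replace")

def parse_summary(report: str) -> dict:
    """Collect 'Key: value' lines after the SCAN SUMMARY banner (split on the first colon only)."""
    summary, in_summary = {}, False
    for line in report.splitlines():
        if SUMMARY_MARKER in line:
            in_summary = True
        elif in_summary and ":" in line:
            key, _, value = line.partition(":")  # keeps timestamps like 2026:04:12 intact
            summary[key.strip()] = value.strip()
    return summary

def evaluate(predicate_json: str) -> dict:
    """Clean only if a summary exists and reports 0 infected files; otherwise fail closed (-1)."""
    report = decode_report(predicate_json)
    summary = parse_summary(report)
    infected = summary.get("Infected files", "-1")
    infected = int(infected) if infected.lstrip("-").isdigit() else -1
    return {
        "engine": summary.get("Engine version"),
        "known_viruses": summary.get("Known viruses"),
        "infected_files": infected,
        "findings": [ln for ln in report.splitlines() if ln.endswith(" FOUND")],
        "clean": infected == 0,
    }
```

Feed the real predicate in by piping the command's output into evaluate, and gate the build on the "clean" key rather than on the mere presence of the attestation.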

To view other attestations, such as SBOMs or test results, see Verify an image.