Ingest Docker Scout vulnerability findings and scan events

  • Latest Dynatrace
  • Extension
  • Published Apr 02, 2026

This page aligns with the new Grail security events table. For the complete list of updates and actions needed to accomplish the migration, follow the steps in the Grail security table migration guide.

Ingest Docker Scout vulnerability findings and scan events into Dynatrace as security events.

Get started

Overview

Dynatrace integration with Docker Scout allows teams to unify and contextualize vulnerability findings from container images hosted on Docker Hub, enabling centralized prioritization, visualization, and automation of security findings.

Docker Scout scans container images on Docker Hub and reports vulnerability findings and software bill of materials (SBOM) data.

Dynatrace observes the runtime entities that use those images. Ingesting and enriching Docker Scout findings with runtime context helps teams focus on high-impact vulnerabilities that affect production applications.

Use cases

With the ingested data, you can accomplish various use cases, such as

Requirements

See below for the Docker Scout and Dynatrace requirements.

Docker Scout requirements

  • Optional Activate Docker Scout on the Docker Hub repositories you want to monitor.

    When enabled, Docker Scout automatically scans newly pushed images and updates results when vulnerability data changes. Docker Scout doesn't expose this trigger behavior through API endpoints, so Dynatrace integration triggers scans via Docker CLI on ActiveGate.

Dynatrace requirements

  • ActiveGate version 1.310+ that needs to be able to

    • Run Extensions 2.0 framework
    • Reach Docker Hub endpoints

  • Deploy and configure Docker and Docker Scout CLI on ActiveGate:

    1. Install Docker Engine/CLI on the ActiveGate host so the docker command is available.

    2. Create a dedicated home directory for the ActiveGate user:

      mkdir -p /home/dtuserag

    3. Assign ownership to the ActiveGate user:

      chown dtuserag:dtuserag /home/dtuserag

    4. Switch to the ActiveGate user and open a shell:

      sudo -u dtuserag -s

    5. Set HOME to the writable directory:

      export HOME=/home/dtuserag

    6. Install Docker Scout CLI in the ActiveGate user home (this adds the docker scout functionality):

      HOME=/home/dtuserag curl -fsSL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh

  • Permissions: For a list of permissions required, go to Hub, select Extensions Extensions, and display Technical information.

  • Generate an access token with the openpipeline.events_security scope and save it for later. For details, see Dynatrace API - Tokens and authentication.

Activation and setup

  1. In Dynatrace, search for Docker Scout and select Install.

  2. Follow the on-screen instructions to configure the extension.

  3. Verify configuration by running the following queries in Notebooks Notebooks:

    • For finding events:

      fetch security.events
      | filter dt.system.bucket == "default_securityevents"
      | filter event.provider == "Docker Scout"
          AND event.type == "VULNERABILITY_FINDING"

    • For scan events:

      fetch security.events
      | filter dt.system.bucket == "default_securityevents"
      | filter event.provider == "Docker Scout"
          AND event.type == "VULNERABILITY_SCAN"

  4. Once the extension is installed and working, you can access and manage it in Dynatrace via Extensions Extensions. For details, see About Extensions.

Details

How it works

docker scout integration
docker scout integration

Dynatrace integration with Docker Scout is an extension running on Dynatrace ActiveGate. Once you enable and configure the extension:

  1. It periodically discovers new container images from the configured Docker Hub organization and repository scope using a dedicated API.
  2. It triggers scans for new or relevant images by using Docker Scout CLI.
  3. The fetched data is ingested into Dynatrace and mapped to the Dynatrace Semantic Dictionary.
  4. Data is stored in a default bucket called default_securityevents (for details, see Built-in Grail buckets).

Licensing and cost

For billing information, see Events powered by Grail.

FAQ

Which data model is used for security events coming from Docker Scout integration?

Which Docker Scout findings are imported into Dynatrace?

  • Docker Scout CVE and SBOM data are reported as findings for discovered Docker Hub images based on the organization and repository selection in extension configuration.

  • On the first ingest run, the integration discovers and ingests findings for Docker Hub images based on your organization and repository selection.

  • If the extension is configured to ingest data at an interval of n hours, each run scans for new container images pushed within the last n hours, scans them for vulnerabilities, and ingests the new findings into Dynatrace.

  • If no new or updated findings are detected, no findings are ingested.

Which extension fields are added to the core fields of events ingested from Docker Scout?

The container_image namespace is added for container image-related information with the following fields:

  • container_image.digest represents the container image digest; this value can be used to match runtime containers.
  • container_image.repository represents the container repository name.
  • container_image.registry represents the container registry name.
  • container_image.tags represents the tags associated with a container image in a repository.

What Docker Scout asset types are supported by Dynatrace for runtime contextualization?

CONTAINER_IMAGE: Findings from Docker Scout are generated by vulnerability assessments of container images and are mapped with CONTAINER_IMAGE in object.type. The container_image namespace is added, and container_image.digest is used to match ingested findings to runtime containers monitored by Dynatrace. container_image.digest attribute is being used to match the ingested security findings to runtime containers monitored by Dynatrace.

How is risk score normalized for Docker Scout findings?

Dynatrace normalizes severity and risk scores for all findings ingested through this integration. This helps you prioritize findings consistently, regardless of their source. For details, see Severity and score normalization.

dt.security.risk.score (mapped from finding.score)dt.security.risk.level (mapped from dt.security.risk.score)
9.0-10.0CRITICAL
7.0-8.9HIGH
4.0-6.9MEDIUM
0.1-3.9LOW
Related tags
Threat Observability