dockguard vs Trivy vs Docker Scout: Compose Security Scanners Compared
dockguard, Trivy, and Docker Scout all get called "Docker security scanners." They scan different things. Picking the wrong one means you're checking for threats that aren't the ones you have.
They solve different problems
| | dockguard | Trivy | Docker Scout |
|---|---|---|---|
| What it scans | Docker Compose YAML config | Container images (+ IaC, repos) | Container images |
| What it finds | Misconfigurations: privileged mode, exposed ports, missing caps, plaintext secrets | CVEs in OS packages and application dependencies | CVEs + license compliance |
| Fix generation | Yes — outputs hardened Compose file | No (report only) | No (report only) |
| Scope | Compose-specific | Broad (images, filesystems, git repos, Kubernetes) | Docker-ecosystem focused |
| Cost | Free, open source | Free, open source | Free tier, paid plans for teams |
| Install | Single binary | Single binary | Docker Desktop plugin or CLI |
The short version: dockguard checks how your containers are configured. Trivy and Docker Scout check what's inside them. Both matter. They're complementary, not competing.
What dockguard catches that image scanners miss
Image scanners look inside the container — which packages are installed, whether any have known CVEs. They don't look at the Compose file that launches the container.
These are all invisible to Trivy and Docker Scout:
- `privileged: true` on a container that doesn't need it
- Ports bound to `0.0.0.0` instead of `127.0.0.1`
- No `cap_drop` — containers running with Docker's default capability set
- No `security_opt: [no-new-privileges:true]`
- No memory or CPU limits
- No network segmentation between services
- Plaintext passwords in `environment:` blocks
A container image can have zero CVEs and still run with full host access because the Compose file says privileged: true. Image scanning alone gives you a false sense of security.
```shell
# dockguard catches config issues
dockguard docker-compose.yml
# Trivy catches image vulnerabilities
trivy image postgres:16
```
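To make the configuration layer concrete, here is an added example (not dockguard's own code) that runs the checks from the list above over a constructed, already-parsed Compose file; `yaml.safe_load()` on a real `docker-compose.yml` produces the same structure. The service names, image tags and the `POSTGRES_PASSWORD` value are made up for the example.

```python
from __future__ import annotations
from typing import Any

# Constructed Compose file (already parsed): "db" is wide open, "web" is hardened.
COMPOSE: dict[str, Any] = {
    "services": {
        "db": {
            "image": "postgres:16",
            "privileged": True,
            "ports": ["0.0.0.0:5432:5432"],
            "environment": {"POSTGRES_PASSWORD": "hunter2"},  # constructed value
        },
        "web": {
            "image": "nginx:alpine",
            "ports": ["127.0.0.1:8080:80"],
            "cap_drop": ["ALL"],
            "security_opt": ["no-new-privileges:true"],
            "deploy": {"resources": {"limits": {"memory": "256M"}}},
        },
    }
}

SECRET_HINTS = ("PASSWORD", "SECRET", "TOKEN", "API_KEY")

def host_binding(spec: Any) -> str:
    """Host interface a port mapping binds to; short form without an IP means all interfaces."""
    if isinstance(spec, dict):                       # long-form mapping
        return str(spec.get("host_ip", "0.0.0.0"))
    parts = str(spec).split(":")
    return parts[0] if len(parts) == 3 else "0.0.0.0"

def check_service(name: str, svc: dict[str, Any]) -> list[str]:
    """Return findings for one service; an empty list means every check passed."""
    findings = []
    if svc.get("privileged"):
        findings.append(f"{name}: privileged mode enabled")
    for spec in svc.get("ports", []):
        if host_binding(spec) in ("0.0.0.0", "::", ""):
            findings.append(f"{name}: port {spec} bound to all interfaces")
    if "ALL" not in svc.get("cap_drop", []):
        findings.append(f"{name}: default capability set kept (no cap_drop: [ALL])")
    if "no-new-privileges:true" not in svc.get("security_opt", []):
        findings.append(f"{name}: no-new-privileges not set")
    if not (svc.get("mem_limit") or svc.get("deploy", {}).get("resources", {}).get("limits")):
        findings.append(f"{name}: no memory/CPU limits")
    env = svc.get("environment", {})
    keys = list(env) if isinstance(env, dict) else [str(e).split("=", 1)[0] for e in env]
    for key in keys:                                 # both dict and KEY=value list forms
        if any(h in key.upper() for h in SECRET_HINTS):
            findings.append(f"{name}: plaintext secret in environment ({key})")
    return findings

def scan(compose: dict[str, Any]) -> list[str]:
    """Run check_service over every service and flatten the findings."""
    return [f for n, s in compose.get("services", {}).items() for f in check_service(n, s)]
```

None of these findings depend on the image contents, which is why a clean Trivy report says nothing about them.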
What Trivy and Docker Scout catch that dockguard misses
dockguard doesn't look inside images. It doesn't know if your Postgres image has an unpatched OpenSSL vulnerability or if your Node.js app bundles a dependency with a known RCE.
That's what image scanners are for. Trivy is the most popular open-source option — it scans images, filesystems, git repos, and Kubernetes manifests. Docker Scout is Docker's built-in option, integrated into Docker Desktop and the CLI.
Both maintain CVE databases and flag packages with known vulnerabilities. Trivy covers a wider range of targets. Docker Scout integrates more tightly with Docker Hub and Docker Desktop.
Which to use
You need dockguard if you're deploying Docker Compose stacks (especially from GitHub READMEs) and want to harden the configuration. This is the most common gap for self-hosters — the image is fine, the Compose config is wide open.
You need an image scanner if you're building custom images or running images that might have unpatched dependencies. Trivy is free and covers the most ground. Docker Scout is convenient if you're already in the Docker ecosystem.
For a complete setup, use both:
```shell
# 1. Scan and harden the Compose configuration
dockguard docker-compose.yml --fix
# 2. Scan each image for CVEs
trivy image postgres:16
trivy image nginx:alpine
trivy image your-custom-app:latest
```
Step 1 catches the misconfiguration layer. Step 2 catches the vulnerability layer. Skipping either leaves a gap.
For the full Compose hardening guide, see Docker Compose Security: The Complete Guide.
→ dockguard — Docker Compose security scanner. Free and open source.