ExitCode 255 #213

@homersimpsons

Describe the bug

An invocation of docker scout cves --exit-code --format sarif phpmyadmin/phpmyadmin:latest sometimes fails with ExitCode 255. This exit code is not documented:

  • https://docs.docker.com/scout/ does not mention it
  • Ask AI on the above page does not lead to relevant results (and is misinterpreting the --exit-code flag)
    • Me: What does exit code 255 mean for docker scout cves?
    • AI: The knowledge base does not contain information about the meaning of exit code 255 for docker scout cves. There is documentation about the --exit-code option (which allows you to set a custom exit code if vulnerabilities are detected), but it does not specify what exit code 255 means or under what circumstances it is returned.
  • docker scout cves --help does not mention it
  • The tool is closed source and hence we cannot browse the source

To Reproduce

I do not have a way to reproduce this exit code 100% of the time. But every week I have a process that invokes docker scout cves that will sometimes fail. Here is the relevant log:

Command failed with exit code 255: docker scout cves --exit-code --format sarif 'phpmyadmin/phpmyadmin:latest'

    i Failed to connect to Docker Engine. Please make sure Docker Engine is running to access local images.
    ✓ SBOM of image already cached, 360 packages indexed
    ✗ Detected 28 vulnerable packages with a total of 115 vulnerabilities

The "Failed to connect to Docker Engine" could be relevant, but:

  1. The cache already allowed it to retrieve the list of vulnerabilities
  2. Another similar failure (with access denied) leads to exit code 1 right before:

Command failed with exit code 1: docker scout cves --exit-code --format sarif 'private.example.com:444/imagep/a/th'

    i Failed to connect to Docker Engine. Please make sure Docker Engine is running to access local images.
    ...Pulling
    ✗ Pull failed

ERROR   failed to get image private.example.com:444/imagep/a/th: failed to pull image private.example.com:444/imagep/a/th:latest: GET https://private.example.com/jwt/auth?scope=repository%3Aimagep%2Fa%2Fth%3Apull&service=container_registry: DENIED: access forbidden 

Expected behavior

  1. Exit codes should be documented. Currently, only exit code 2 is documented.
  2. If the vulnerabilities can be resolved from cache maybe it could return this result? Or maybe there should exist a flag to allow returning the cached results?
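
Added example, not part of the original report and not Docker's code: a fail-closed wrapper for a scheduled scan job that treats any exit code other than 0 or the documented 2 (including the 1 and 255 seen above) as an undetermined scan rather than a pass. It assumes the SARIF report is written to stdout and that findings appear as SARIF `results`; the function names and sample reports are constructed for illustration.

```python
import json
import subprocess

VULNS_FOUND = 2  # the only exit code the report says is documented for --exit-code

# Constructed SARIF samples (not real scanner output), used for the demo below.
SAMPLE_CLEAN = '{"version": "2.1.0", "runs": [{"results": []}]}'
SAMPLE_FINDINGS = '{"version": "2.1.0", "runs": [{"results": [{"ruleId": "CVE-PLACEHOLDER"}]}]}'


def sarif_result_count(text):
    """Return the number of SARIF results, or None if text is not usable SARIF."""
    try:
        runs = json.loads(text)["runs"]
        return sum(len(run.get("results", [])) for run in runs)
    except (ValueError, KeyError, TypeError, AttributeError):
        return None


def classify(returncode, stdout):
    """Map one scan invocation to 'clean', 'vulnerable' or 'scan-error'."""
    count = sarif_result_count(stdout)
    if returncode == 0 and count == 0:
        return "clean"
    if returncode == VULNS_FOUND and count is not None:
        return "vulnerable"
    # 1, 255, any other code, a missing report, or exit 0 with findings in
    # the report: the outcome is unknown, so it must never count as a pass.
    return "scan-error"


def scan(image, run=subprocess.run):
    """Run the command from the report and return (verdict, raw exit code)."""
    cmd = ["docker", "scout", "cves", "--exit-code", "--format", "sarif", image]
    proc = run(cmd, capture_output=True, text=True)
    return classify(proc.returncode, proc.stdout), proc.returncode


if __name__ == "__main__":
    # Offline demo on the constructed samples; no Docker needed.
    for code, report in [(0, SAMPLE_CLEAN), (2, SAMPLE_FINDINGS),
                         (255, SAMPLE_FINDINGS), (1, "")]:
        print(code, classify(code, report))
```

Logging the raw exit code alongside the verdict keeps the undocumented values visible for later triage.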
