Docker Scout
health scores

Back in 2024, I was working at Docker when I was assigned to design the Health scores feature. Health scores are A–F ratings applied to container images, giving developers an at-a-glance sense of whether an image they’re pulling from a registry is “healthy” - following best practices, avoiding vulnerable packages, and so on.

→ We already had a security product (Docker Scout) and a container registry (Docker Hub), so now we needed to connect the dots and surface meaningful security insights directly inside repositories.

→ Since Hub was one of Docker’s flagship products, bringing security insights into the experience was a natural next step in helping raise awareness of Docker Scout while positioning Docker as a trusted security advisor.

A PLG initiative

The goal of this initiative was to raise awareness of Docker Scout by surfacing security insights directly within the registry and guiding users to the security tool for deeper investigation and remediation. Once a user successfully remediated their first container image, we considered them onboarded.

  • Kevin, a developer, navigates to the list of repositories in his organization and notices that some of them have earned a green badge, while others seem to have issues.

  • Curious, Kevin clicks [View on Scout] and is redirected to Docker Scout, where his container image is analyzed and detailed insights are provided.

  • He reviews the security findings and patches a critical vulnerability. Once fixed, the repository’s Health Score updates immediately - showing Kevin the impact of his remediation work in real time.

beta

We needed to introduce the scores as quickly as possible, which meant making some trade-offs in the UX.
In this first iteration, we shortened the journey to surfacing the health scores, then simply directing users to our documentation and measuring their level of interest.

As a Developer visiting the Docker Hub UI, I need to understand the criteria used to calculate health scores, so I can learn about the specific standards and best practices recommended by Docker.

As a Security engineer, I want to view the health scores for all repositories in my organization, so I can get a sense of our overall security posture and follow up with development teams as needed.

The illustrated user flow tells the story of Kevin, a software developer, who visits Docker Hub and discovers that his repository has been assigned a negative health score. This prompts him to start investigating the issue - first by learning what Health Scores are and how they’re calculated.

insights

The Beta release only surfaced the health scores within Docker Hub and redirected users to our documentation to learn more. In the docs, we embedded a Hotjar survey asking a few simple questions - about their role, their expectations for health scores, and whether they’d be willing to participate in user research to help us shape a feature that truly met their needs.

In parallel, we launched a Maze survey and invited Docker design partners to complete a series of questions and carefully crafted tasks. This helped us confirm that users could easily identify and understand the health scores, and it also allowed us to validate which security checks were most relevant and meaningful for their organizations.

EARLY ACCESS

Building on the insights gathered from the Beta release, we moved forward with the Early Access version. Instead of sending users to documentation, we redirected them to Docker Scout - a dedicated security tool where they could explore deeper insights, review the applied policies, inspect image layers, and understand security findings specific to the container image they were viewing.

As a Developer looking to improve my software supply chain security, I want to understand the vulnerabilities in my image at a more granular level and identify the steps I can take to remediate them, so that I can avoid a security incident.

As a Security engineer, I want to view the health scores for all repositories in my organization, so I can get a sense of our overall security posture and follow up with development teams as needed.

use cases

A Figma playground can quickly become overwhelming, with too many arrows trying to guide the reader through the narrative.
That’s why I prefer delivering a slide deck - it makes the story easier to follow and guides the audience.

ONBOARDING

I’ll spotlight the onboarding screens we designed for developers whose organizations were new to Docker Scout. We intentionally introduced a brief “analyzing” state, creating a short wait that allowed us to walk users through three concise onboarding slides. These slides explained the security product at a high level, helping reduce confusion when landing in a new interface and encountering a new product within the Docker ecosystem.

Docker ecosystem

Our mission was always to meet developers where they already were - and they were spending their time in Docker Desktop. Surfacing health scores directly within Docker Desktop was the natural next step, creating an additional entry point to both health scores and our security tooling.

Health scores gradually made their way into Docker’s flagship product - Docker Desktop.
It took several iterations for the team to validate impact, measure user engagement and interest, and refine a health metric that truly mattered and delivered meaningful additional value.

Conclusion

In addition to making complex secure supply chain insights easier to understand, Health Scores introduced an element of gamification. Even within Docker’s own teams, we observed developers becoming more motivated to improve the container images they owned. The clear, quantifiable A–F metric encouraged proactive behavior, with developers taking initiative to raise their scores through targeted improvements. Over time, this fostered a culture of continuous improvement, where teams were self-motivated to prioritize remediation and updates - ultimately strengthening the security and compliance of Docker’s own image portfolio.