Web services are becoming the critical components of business application, but they are often invoked with critical software and application bugs that can be explored by malicious users. Because the existing centralized vulnerability scanning systems often face performance bottleneck because of huge amount of tasks, a novel service vulnerability scanning scheme is high desirable. In this paper, we propose a service vulnerability scanning scheme based on service-oriented architecture (SoA) in Web service environments. The scanning scheme contains three components, i.e., domain-oriented distributed architecture, service providing mode based on SoA and hierarchical strategy scheduling model. The hierarchical strategy scheduling model is the key of the scanning scheme, which is used to solve the problems of distributed scheduling management in vulnerability scanning process for Web service environments. We conduct a centralized scanner to compare our scheme with other schemes by the implement of prototype system. Experimental results show that our proposed scheme outperforms other schemes with respect to time cost, accuracy and load.