{"id":50510320,"url":"https://github.com/OWASP/DockSec","last_synced_at":"2026-06-19T13:00:57.167Z","repository":{"id":277631874,"uuid":"933046325","full_name":"OWASP/DockSec","owner":"OWASP","description":"AI-powered Docker security scanner that explains vulnerabilities in plain English. An OWASP Incubator Project.","archived":false,"fork":false,"pushed_at":"2026-06-12T09:14:43.000Z","size":32159,"stargazers_count":425,"open_issues_count":14,"forks_count":77,"subscribers_count":5,"default_branch":"main","last_synced_at":"2026-06-12T09:18:00.216Z","etag":null,"topics":["ai-security","devsecops","docker-security","docksec","hadolint","owasp","python","trivy","vulnerability-scanner"],"latest_commit_sha":null,"homepage":"https://owasp.org/DockSec/","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/OWASP.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"docs/SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null},"funding":{"custom":"https://owasp.org/donate/?reponame=DockSec\u0026title=OWASP+DockSec"}},"created_at":"2025-02-15T02:49:30.000Z","updated_at":"2026-06-12T09:12:54.000Z","dependencies_parsed_at":"2026-05-22T04:04:53.911Z","dependency_job_id":null,"html_url":"https://github.com/OWASP/DockSec","commit_stats":null,"previous_names":["advaitpatel/docksec","owasp/docksec"],"tags_count":12,"template":false,"template_full_name":null,"purl":"pkg:github/OWASP/DockSec","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OWASP%2FDockSec","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OWASP%2FDockSec/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OWASP%2FDockSec/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OWASP%2FDockSec/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/OWASP","download_url":"https://codeload.github.com/OWASP/DockSec/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OWASP%2FDockSec/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34532260,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-19T02:00:06.005Z","response_time":61,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ai-security","devsecops","docker-security","docksec","hadolint","owasp","python","trivy","vulnerability-scanner"],"created_at":"2026-06-02T20:00:22.174Z","updated_at":"2026-06-19T13:00:57.154Z","avatar_url":"https://github.com/OWASP.png","language":"Python","funding_links":["https://owasp.org/donate/?reponame=DockSec\u0026title=OWASP+DockSec"],"categories":["Python"],"sub_categories":[],"readme":"\u003cdiv align=\"center\"\u003e\n\n[![OWASP](https://img.shields.io/badge/Lab-blue?\u0026label=level\u0026style=for-the-badge)](https://owasp.org/DockSec/) [![OWASP](https://img.shields.io/badge/Code-blue?label=type\u0026style=for-the-badge)](https://owasp.org/DockSec/) [![project-docksec](https://img.shields.io/badge/%23project--docksec-blue?label=slack\u0026logoColor=white\u0026style=for-the-badge)](https://owasp.slack.com/archives/C0APXGCUW7M) [![Build Status](https://img.shields.io/github/actions/workflow/status/OWASP/DockSec/python-app.yml?branch=main\u0026style=for-the-badge\u0026label=Build\u0026color=blue)](https://github.com/OWASP/DockSec/actions)\n\u003cbr\u003e[![OpenSSF Best Practices](https://img.shields.io/cii/level/12939?label=openssf%20best%20practices\u0026style=for-the-badge)](https://www.bestpractices.dev/projects/12939)\n\n\n[![License](https://img.shields.io/badge/license-MIT-blue?style=for-the-badge)](https://github.com/OWASP/DockSec/blob/main/LICENSE) [![Last Commit](https://img.shields.io/github/last-commit/OWASP/DockSec/main?color=blue\u0026style=for-the-badge\u0026label=Last%20commit)](https://github.com/OWASP/DockSec/commits/main/) [![Contributors](https://img.shields.io/github/contributors/OWASP/DockSec?style=for-the-badge\u0026label=Contributors\u0026color=blue)](https://github.com/OWASP/DockSec/graphs/contributors)\n\n[![Forks](https://img.shields.io/github/forks/OWASP/DockSec?style=for-the-badge\u0026label=Forks\u0026color=blue)](https://github.com/OWASP/DockSec/network/members) [![Stars](https://img.shields.io/github/stars/OWASP/DockSec?style=for-the-badge\u0026label=Stars\u0026color=blue)](https://github.com/OWASP/DockSec/stargazers) ![PyPI Downloads](https://img.shields.io/pepy/dt/docksec?style=for-the-badge\u0026color=blue)\n\n[![Issues](https://img.shields.io/github/issues/OWASP/DockSec?color=blue\u0026style=for-the-badge\u0026label=Issues)](https://github.com/OWASP/DockSec/issues) [![Pull Requests](https://img.shields.io/github/issues-pr/OWASP/DockSec?color=blue\u0026style=for-the-badge\u0026label=Pull%20Requests)](https://github.com/OWASP/DockSec/pulls)\n\n[![CREATED](https://img.shields.io/badge/created-feb,%202025-blue?style=for-the-badge)](https://github.com/OWASP/DockSec/commit/80664db8935e4b5ab44df5867913e)\n\n\u003cpicture\u003e\n  \u003csource srcset=\"https://raw.githubusercontent.com/OWASP/DockSec/main/images/docksec-logo-for-github.png\" media=\"(prefers-color-scheme: dark)\"\u003e\n  \u003cimg src=\"https://raw.githubusercontent.com/OWASP/DockSec/main/images/docksec-logo-for-github.png\" alt=\"DockSec Logo\" width=\"600\"\u003e\n\u003c/picture\u003e\u003cbr\u003e\n\u003cimg src=\"https://raw.githubusercontent.com/OWASP/DockSec/main/images/owasp-logo.png\" alt=\"OWASP Logo\" width=\"300\"\u003e\n\n# [DockSec](https://owasp.org/DockSec/)\n\n**AI-powered Docker security scanner that explains vulnerabilities in plain English**\n\n\u003c/div\u003e\n\n---\n\n## What is DockSec?\n\nDockSec is an **OWASP Lab Project** that bridges the gap between complex security scan results and actionable developer fixes. It integrates industry-standard scanners (Trivy, Hadolint, Docker Scout) with advanced AI to provide **context-aware security analysis**. \n\nInstead of overwhelming you with a list of 200+ CVEs, DockSec:\n\n- **Prioritizes** what actually affects your specific container setup.\n- **Explains** vulnerabilities in plain English, not just security jargon.\n- **Suggests** specific, line-by-line fixes for your Dockerfile.\n- **Generates** professional, interactive security reports for your team.\n\nThink of it as having a security expert sitting right next to you, reviewing your Dockerfiles in real-time.\n\n---\n\n## How It Works\n\n\u003cdiv align=\"center\"\u003e\n  \u003cimg src=\"https://raw.githubusercontent.com/OWASP/DockSec/main/images/workflow.png\" alt=\"DockSec Workflow\" width=\"800\"\u003e\n  \u003cp\u003e\u003cem\u003eDockSec workflow: From scanning to actionable insights\u003c/em\u003e\u003c/p\u003e\n\u003c/div\u003e\n\nDockSec follows a robust four-stage pipeline:\n1. **Scan**: Runs Trivy, Hadolint, and Docker Scout locally on your environment.\n2. **Analyze**: AI correlates findings across all scanners to remove noise and assess real-world impact.\n3. **Recommend**: Generates human-readable explanations and specific remediation steps.\n4. **Report**: Exports actionable results in JSON, PDF, HTML, or Markdown formats.\n\n---\n\n## Leaders\n\nDockSec is led by a dedicated team committed to making container security accessible.\n\n- [Advait Patel](https://github.com/advaitpatel) - Project Lead\n- [Arkadii Yakovets](https://github.com/arkid15r) - Project Co-lead \n\nFor questions or discussions, please join the [#project-docksec](https://owasp.slack.com/archives/C0APXGCUW7M) channel on OWASP Slack.\n\n---\n\n## Quick Start\n\n### GitHub Action\n\nIntegrate DockSec into your GitHub Actions workflow:\n\n```yaml\n- name: Run DockSec AI Scanner\n  uses: OWASP/DockSec@main\n  with:\n    dockerfile: 'Dockerfile'\n    openai_api_key: ${{ secrets.OPENAI_API_KEY }}\n```\n\n### CLI Usage\n\n```bash\n# Install DockSec\npip install docksec\n\n# Scan a Dockerfile (AI-powered)\n# Reports will be saved to ~/.docksec/results/\ndocksec Dockerfile\n\n# Scan Dockerfile + Docker image\ndocksec Dockerfile -i myapp:latest\n\n# Scan a Docker Compose file and all its services\ndocksec --compose docker-compose.yml\n\n# Scan only a Docker image\ndocksec --image-only -i myapp:latest\n\n# Fast scan only (no AI)\ndocksec Dockerfile --scan-only\n```\n\n---\n\n## Features\n\n- **Smart Analysis**: AI explains what vulnerabilities mean for *your* specific setup.\n- **Multi-LLM Support**: Use OpenAI, Anthropic Claude (4.x), Google Gemini (1.5+), or local models via Ollama.\n- **Docker Compose Scanning**: Detect orchestration-level misconfigurations and scan all services in a compose file.\n- **Deep Integration**: Combines Trivy (vulnerabilities), Hadolint (linting), and Docker Scout.\n- **Security Scoring**: Get a 0-100 score to track your security posture over time.\n- **Centralized Reporting**: All reports are neatly organized in `~/.docksec/results/` by default.\n- **Rich Formats**: Professional exports in HTML (interactive), PDF, JSON, and CSV.\n- **CI/CD Ready**: Designed for easy integration into GitHub Actions and build pipelines.\n- **GitHub Action**: Available on the GitHub Marketplace for automated security scans.\n\n---\n\n## How DockSec Compares\n\nHere is a comparison of how DockSec relates to other container security tools.\n\n| Capability | DockSec | Trivy (standalone) | Snyk Container | Aikido |\n|---|---|---|---|---|\n| License and cost | Free, open source (MIT) | Free, open source (Apache 2.0) | Commercial (limited free tier) | Commercial (limited free tier) |\n| Governance | OWASP Lab Project, vendor neutral | Open source, maintained by Aqua | Single vendor | Single vendor |\n| Detects CVEs and Dockerfile misconfigurations | Yes | Yes | Yes | Yes |\n| Contextual, line level Dockerfile remediation | Yes (line specific rewrites with explanation) | No (detection only) | Yes (base image upgrade advice, fix PRs) | Yes (AI AutoFix PRs) |\n| Runs fully offline / air gapped | Yes (local LLM via Ollama, scan only mode, no API key) | Yes for scanning (no remediation layer) | No (cloud platform) | No (hosted platform) |\n| Your image data stays on your network | Yes | Yes | No | No |\n| Bring your own LLM / model choice | Yes (OpenAI, Anthropic, Gemini, or local Ollama) | Not applicable | No (proprietary AI) | No (proprietary AI) |\n| Self hostable, no platform deployment | Yes | Yes | No | No |\n| Vendor lock in | None | None | Yes | Yes |\n| Security score (0 to 100) and multi format reports (HTML, PDF, JSON, CSV, Markdown) | Yes | Partial (machine formats, no remediation report) | Partial (dashboard reports) | Partial (dashboard reports) |\n\nDockSec is the only one of these that pairs contextual, line level Dockerfile remediation with a fully open source, OWASP governed, locally runnable design. Snyk and Aikido offer capable AI remediation, but only as commercial cloud platforms that send your data to their service. Trivy is open source and local but stops at detection and does not help you fix anything. DockSec fills the gap for developers and for regulated or air gapped teams who need both the fix guidance and full control of their data, at no cost.\n\n---\n\n## Contributing\n\nDockSec thrives on community contributions. Whether you are a developer, designer, or security enthusiast, there are many ways to get involved:\n\n- **Code Contributions**: Fix bugs or add new features.\n- **Documentation**: Improve guides or create tutorials.\n- **Issue Reporting**: Identify and report bugs.\n- **Feedback**: Share your experience and suggestions.\n\nTo get started, check out our [Contributing Guidelines](CONTRIBUTING.md), [Code of Conduct](CODE_OF_CONDUCT.md), and [Sponsorship Guide](SPONSORSHIP.md).\n\n---\n\n## Community and Social Media\n\n- **OWASP Project Page**: [owasp.org/DockSec/](https://owasp.org/DockSec/)\n- **OWASP Slack**: [#project-docksec](https://owasp.slack.com/archives/C0APXGCUW7M)\n- **PyPI**: [pypi.org/project/docksec/](https://pypi.org/project/docksec/)\n- **Issues**: [Report a bug](https://github.com/OWASP/DockSec/issues)\n\n---\n\n\u003cdiv align=\"center\"\u003e\n  \u003cstrong\u003eIf DockSec helps you, give it a ⭐ to help others discover it!\u003c/strong\u003e\u003cbr\u003e\n  Built with ❤️ by \u003ca href=\"https://github.com/advaitpatel\"\u003eAdvait Patel\u003c/a\u003e and the OWASP community.\n\u003c/div\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FOWASP%2FDockSec","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FOWASP%2FDockSec","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FOWASP%2FDockSec/lists"}