{"id":47754382,"url":"https://github.com/kariemoorman/dockeraudit","last_synced_at":"2026-04-20T02:16:01.105Z","repository":{"id":343389115,"uuid":"1176102862","full_name":"kariemoorman/dockeraudit","owner":"kariemoorman","description":"A container security auditing toolkit, with trivy and snyk CVE scanning integration","archived":false,"fork":false,"pushed_at":"2026-03-26T01:59:21.000Z","size":118,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-03-26T23:40:54.700Z","etag":null,"topics":["container-security","docker","docker-security","k8s"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/kariemoorman.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-03-08T16:12:43.000Z","updated_at":"2026-03-26T01:59:25.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/kariemoorman/dockeraudit","commit_stats":null,"previous_names":["kariemoorman/dockeraudit"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/kariemoorman/dockeraudit","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kariemoorman%2Fdockeraudit","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kariemoorman%2Fdockeraudit/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kariemoorman%2Fdockera
udit/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kariemoorman%2Fdockeraudit/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/kariemoorman","download_url":"https://codeload.github.com/kariemoorman/dockeraudit/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kariemoorman%2Fdockeraudit/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31333229,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-03T03:20:36.090Z","status":"ssl_error","status_checked_at":"2026-04-03T03:20:35.133Z","response_time":107,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["container-security","docker","docker-security","k8s"],"created_at":"2026-04-03T04:02:10.149Z","updated_at":"2026-04-20T02:16:01.098Z","avatar_url":"https://github.com/kariemoorman.png","language":"Go","readme":"\n\u003cp align='center'\u003e\u003cimg src='assets/dockeraudit.png' width='20%'\u003e\u003c/p\u003e\n\n\u003ch1 align=center\u003e\u003cb\u003edockeraudit\u003c/b\u003e\u003c/h1\u003e\u003cp align=center\u003eA CONTAINER SECURITY AUDITING TOOLKIT\u003c/p\u003e\n\n\u003cp align=center\u003eAligned to CIS Docker Benchmark v1.8+, NIST SP 800-190, and DoDI 8510.01 RMF controls.\u003c/p\u003e\n\n## Badges\n\n\u003cp 
align=\"center\"\u003e\n  \u003ca href=\"https://github.com/kariemoorman/dockeraudit/blob/main/LICENSE\"\u003e\n    \u003cimg src=\"https://img.shields.io/badge/License-BSL-blue.svg\" alt=\"License\"\u003e\n  \u003c/a\u003e\n  \u003ca href=\"https://github.com/kariemoorman/dockeraudit/releases\"\u003e\n    \u003cimg src=\"https://img.shields.io/github/v/release/kariemoorman/dockeraudit?cacheSeconds=300\" alt=\"Release\"\u003e\n  \u003c/a\u003e\n  \u003ca href=\"https://github.com/kariemoorman/dockeraudit/actions/workflows/ci.yml\"\u003e\n    \u003cimg src=\"https://github.com/kariemoorman/dockeraudit/actions/workflows/ci.yml/badge.svg\" alt=\"Tests\"\u003e\n  \u003c/a\u003e\n  \u003ca href=\"https://github.com/kariemoorman/dockeraudit/actions/workflows/security.yml\"\u003e\n    \u003cimg src=\"https://github.com/kariemoorman/dockeraudit/actions/workflows/security.yml/badge.svg\" alt=\"Security\"\u003e\n  \u003c/a\u003e\n\u003c/p\u003e\n\n## Table of Contents \n- [Features](#features)\n- [Installation](#installation)\n- [Quick Start](#quick-start)\n- [Examples](#examples)\n- [Usage](#usage)\n- [Configuration File](#configuration-file)\n- [CI/CD Integration](#cicd-integration)\n- [Shell Completion](#shell-completion)\n- [Security Controls](#security-controls)\n- [License](#license)\n\n\n## Features\n\n**80+ Security Controls**: \n  - Includes security controls across 12 domains with compliance mappings to CIS, NIST 800-53, NIST 800-190, ISO 27001, SOC 2, and DISA CCI.\n\n**Docker Scanning**: \n  - Audits Images, Dockerfiles, \u0026 Docker Compose configurations for misconfigurations, secrets, and other security vulnerabilities.\n\n**Kubernetes Manifest Scanning**:\n  - Audits k8s manifests and helm charts for misconfigurations, secrets, and other security vulnerabilities.\n\n**Terraform Configuration Scanning**:\n  - Audits terraform files for misconfigurations, secrets, and other security vulnerabilities, including cloud resources (e.g., AWS: ECR, EKS, S3, 
ECS, RDS, ElastiCache, DynamoDB).\n\n**Secrets Detection**: \n  - 76+ regex patterns with confidence scoring and false-positive suppression.\n\n**Vulnerability Detection**:\n  - Uses Trivy and Snyk for CVE scanning via the `--scanner` flag.\n\n**Auto-Saved Reports**: \n  - Each scan writes a timestamped copy to `scans/` for audit trails.\n  - 5 output formats: table (TXT), JSON, Markdown, SARIF (GitHub Security), JUnit (CI/CD).\n\n**CI/CD Ready**: \n  - Configurable exit codes with `--fail-on` threshold, SARIF upload to GitHub Security tab.\n\n\n## Installation\n\n### From Source\n\nRequires **Go 1.25+**.\n\n```bash\ngit clone https://github.com/kariemoorman/dockeraudit.git\ncd dockeraudit\nmake build\n```\n\n### Go Install\n\n```bash\ngo install github.com/kariemoorman/dockeraudit/cmd/dockeraudit@latest\n```\n\n*Note: `@latest` resolves to whatever the newest tag is at install time; for reproducible CI installs, replace it with a specific release tag.*\n\n*Note: ensure the Go binary directory is on your PATH, then reload your shell config file:*\n```bash\n# add to ~/.bashrc or ~/.zshrc\nexport PATH=$PATH:$(go env GOPATH)/bin   # equivalently: export PATH=$PATH:$HOME/go/bin\n\n# then reload the shell config\nsource ~/.bashrc   # or: source ~/.zshrc\n```\n\n\n### Verify Installation\n```bash\ndockeraudit --version\n```\n\n## Quick Start\n\n```bash\n# Scan a Docker image\ndockeraudit image nginx:latest\n\n# Scan Dockerfiles and Compose files\ndockeraudit docker Dockerfile docker-compose.yml --scanner trivy\n\n# Scan Kubernetes manifests\ndockeraudit k8s ./manifests/\n\n# Scan a Helm chart (rendered via `helm template` before scanning)\ndockeraudit k8s ./helm_chart/\n\n# Scan Terraform files\ndockeraudit terraform ./infrastructure/\n\n# Scan everything in one pass\ndockeraudit scan \\\n  --images nginx:latest \\\n  --docker ./ \\\n  --k8s ./k8s/ \\\n  --tf ./terraform/ \\\n  --format markdown\n```\n\n## Examples \n\n### Docker \n\n\u003cp align='center'\u003e\u003cimg src='https://github.com/kariemoorman/kariemoorman.github.io/blob/master/media/images/dockeraudit/dockerfile.png' alt='dockerfile' width='80%'\u003e\u003c/p\u003e\n\n### Image \n\n\u003cp align='center'\u003e\u003cimg 
src='https://github.com/kariemoorman/kariemoorman.github.io/blob/master/media/images/dockeraudit/dockerimage.png' alt='dockerfile' width='80%'\u003e\u003c/p\u003e\n\n### k8s \n\n\u003cp align='center'\u003e\n\u003cimg src='https://github.com/kariemoorman/kariemoorman.github.io/blob/master/media/images/dockeraudit/k8s_1.png' alt='dockerfile' width='80%'\u003e\n\u003cimg src='https://github.com/kariemoorman/kariemoorman.github.io/blob/master/media/images/dockeraudit/k8s_2.png' alt='dockerfile' width='80%'\u003e\n\u003cimg src='https://github.com/kariemoorman/kariemoorman.github.io/blob/master/media/images/dockeraudit/k8s_3.png' alt='dockerfile' width='80%'\u003e\n\u003cimg src='https://github.com/kariemoorman/kariemoorman.github.io/blob/master/media/images/dockeraudit/k8s_4.png' alt='dockerfile' width='80%'\u003e\u003c/p\u003e\n\n### Terraform\n\n\u003cp align='center'\u003e\u003cimg src='https://github.com/kariemoorman/kariemoorman.github.io/blob/master/media/images/dockeraudit/terraform_1.png' alt='dockerfile' width='80%'\u003e\n\u003cimg src='https://github.com/kariemoorman/kariemoorman.github.io/blob/master/media/images/dockeraudit/terraform_2.png' alt='dockerfile' width='80%'\u003e\u003c/p\u003e\n\n## Usage\n\n### Scan Modes\n\n| Mode | Description |\n|---------|-------------|\n| `scan` | Run all applicable scanners in a single pass |\n| `image` | Scan Docker images for hardening issues |\n| `docker` | Scan Dockerfiles and Docker Compose files |\n| `k8s` | Scan Kubernetes manifests for security misconfigurations |\n| `terraform` | Scan Terraform files for container security issues |\n| `report controls` | List all hardening controls with compliance mappings |\n| `completion` | Generate shell completion scripts (bash/zsh/fish/powershell) |\n\n\n### Command Flags \n\n\u003cdetails\u003e\u003csummary\u003e\u003cb\u003e\u003ccode\u003escan\u003c/code\u003e Mode\u003c/b\u003e\u003c/summary\u003e\n\n\u003cbr\u003e\n\n```bash\ndockeraudit scan 
[flags]\n```\n\n\u003cb\u003eExamples\u003c/b\u003e\n\n```bash\n# Only fail on critical findings in CI\ndockeraudit scan --k8s ./manifests/ --fail-on critical\n\n# Generate SARIF for GitHub Security tab\ndockeraudit scan --images myapp:latest --format sarif -o results.sarif\n\n```\n\n\u003ctable\u003e\n  \u003cthead\u003e\n    \u003ctr\u003e\n      \u003cth\u003eFlag\u003c/th\u003e\n      \u003cth\u003eType\u003c/th\u003e\n      \u003cth\u003eDescription\u003c/th\u003e\n      \u003cth\u003eDefault\u003c/th\u003e\n    \u003c/tr\u003e\n  \u003c/thead\u003e\n  \u003ctbody\u003e\n    \u003ctr\u003e\n      \u003ctd\u003e\u003ccode\u003e--daemon\u003c/code\u003e\u003c/td\u003e\n      \u003ctd\u003ebool\u003c/td\u003e\n      \u003ctd\u003eScan local Docker daemon configuration\u003c/td\u003e\n      \u003ctd\u003e—\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003ctd\u003e\u003ccode\u003e-d\u003c/code\u003e, \u003ccode\u003e--docker\u003c/code\u003e\u003c/td\u003e\n      \u003ctd\u003estrings\u003c/td\u003e\n      \u003ctd\u003eDockerfile(s), docker-compose file(s), or directories to scan\u003c/td\u003e\n      \u003ctd\u003e—\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003ctd\u003e\u003ccode\u003e--exclude-check\u003c/code\u003e\u003c/td\u003e\n      \u003ctd\u003estrings\u003c/td\u003e\n      \u003ctd\u003eExclude specific control IDs from results (e.g. 
\u003ccode\u003e--exclude-check IMAGE-001,RUNTIME-010\u003c/code\u003e)\u003c/td\u003e\n      \u003ctd\u003e—\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003ctd\u003e\u003ccode\u003e--fail-on\u003c/code\u003e\u003c/td\u003e\n      \u003ctd\u003estring\u003c/td\u003e\n      \u003ctd\u003eExit non-zero if failures at this severity or above: \u003ccode\u003ecritical\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003eany\u003c/code\u003e\u003c/td\u003e\n      \u003ctd\u003e\u003ccode\u003ehigh\u003c/code\u003e\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e, \u003ccode\u003e--format\u003c/code\u003e\u003c/td\u003e\n      \u003ctd\u003estring\u003c/td\u003e\n      \u003ctd\u003eOutput format: \u003ccode\u003etable\u003c/code\u003e, \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003emarkdown\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ejunit\u003c/code\u003e\u003c/td\u003e\n      \u003ctd\u003e\u003ccode\u003etable\u003c/code\u003e\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003ctd\u003e\u003ccode\u003e-h\u003c/code\u003e, \u003ccode\u003e--help\u003c/code\u003e\u003c/td\u003e\n      \u003ctd\u003e—\u003c/td\u003e\n      \u003ctd\u003eShow help for the command\u003c/td\u003e\n      \u003ctd\u003e—\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003ctd\u003e\u003ccode\u003e-i\u003c/code\u003e, \u003ccode\u003e--images\u003c/code\u003e\u003c/td\u003e\n      \u003ctd\u003estrings\u003c/td\u003e\n      \u003ctd\u003eDocker image(s) to scan (e.g. 
\u003ccode\u003e--images nginx:latest,myapp:v1.0\u003c/code\u003e)\u003c/td\u003e\n      \u003ctd\u003e—\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003ctd\u003e\u003ccode\u003e--include-check\u003c/code\u003e\u003c/td\u003e\n      \u003ctd\u003estrings\u003c/td\u003e\n      \u003ctd\u003eInclude only specific control IDs in results (e.g. \u003ccode\u003e--include-check IMAGE-001,IMAGE-005\u003c/code\u003e)\u003c/td\u003e\n      \u003ctd\u003e—\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003ctd\u003e\u003ccode\u003e-k\u003c/code\u003e, \u003ccode\u003e--k8s\u003c/code\u003e\u003c/td\u003e\n      \u003ctd\u003estrings\u003c/td\u003e\n      \u003ctd\u003eKubernetes manifest file(s) or directories to scan\u003c/td\u003e\n      \u003ctd\u003e—\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003ctd\u003e\u003ccode\u003e-o\u003c/code\u003e, \u003ccode\u003e--output\u003c/code\u003e\u003c/td\u003e\n      \u003ctd\u003estring\u003c/td\u003e\n      \u003ctd\u003eWrite results to file\u003c/td\u003e\n      \u003ctd\u003estdout\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003ctd\u003e\u003ccode\u003e--runtime\u003c/code\u003e\u003c/td\u003e\n      \u003ctd\u003ebool\u003c/td\u003e\n      \u003ctd\u003eScan all running containers for runtime misconfigurations\u003c/td\u003e\n      \u003ctd\u003e—\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003ctd\u003e\u003ccode\u003e-s\u003c/code\u003e, \u003ccode\u003e--scanner\u003c/code\u003e\u003c/td\u003e\n      \u003ctd\u003estrings\u003c/td\u003e\n      \u003ctd\u003eVulnerability scanners to use: \u003ccode\u003etrivy\u003c/code\u003e, \u003ccode\u003esnyk\u003c/code\u003e, \u003ccode\u003enone\u003c/code\u003e\u003c/td\u003e\n      \u003ctd\u003e\u003ccode\u003etrivy,snyk\u003c/code\u003e\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003ctd\u003e\u003ccode\u003e-t\u003c/code\u003e, 
\u003ccode\u003e--tf\u003c/code\u003e\u003c/td\u003e\n      \u003ctd\u003estrings\u003c/td\u003e\n      \u003ctd\u003eTerraform file(s) or directories to scan\u003c/td\u003e\n      \u003ctd\u003e—\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003ctd\u003e\u003ccode\u003e--timeout\u003c/code\u003e\u003c/td\u003e\n      \u003ctd\u003eint\u003c/td\u003e\n      \u003ctd\u003eScan timeout in seconds\u003c/td\u003e\n      \u003ctd\u003e\u003ccode\u003e300\u003c/code\u003e\u003c/td\u003e\n    \u003c/tr\u003e\n  \u003c/tbody\u003e\n\u003c/table\u003e\n\n\u003cbr\u003e\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\u003csummary\u003e\u003cb\u003e\u003ccode\u003edocker\u003c/code\u003e Mode\u003c/b\u003e\u003c/summary\u003e\n\n\u003cbr\u003e\n\n```bash\ndockeraudit docker [PATH...] [flags]\n```\n\n\u003cb\u003eExamples\u003c/b\u003e\n\n```bash\n# Only fail on critical findings in CI\ndockeraudit docker Dockerfile --fail-on critical\n\n# Generate Markdown file\ndockeraudit docker docker-compose.yaml --format markdown\n```\n\n\u003ctable\u003e\n  \u003cthead\u003e\n    \u003ctr\u003e\n      \u003cth\u003eFlag\u003c/th\u003e\n      \u003cth\u003eType\u003c/th\u003e\n      \u003cth\u003eDescription\u003c/th\u003e\n      \u003cth\u003eDefault\u003c/th\u003e\n    \u003c/tr\u003e\n  \u003c/thead\u003e\n  \u003ctbody\u003e\n    \u003ctr\u003e\n      \u003ctd\u003e\u003ccode\u003e--exclude-check\u003c/code\u003e\u003c/td\u003e\n      \u003ctd\u003estrings\u003c/td\u003e\n      \u003ctd\u003eExclude specific control IDs from results (e.g. 
\u003ccode\u003e--exclude-check IMAGE-001,RUNTIME-010\u003c/code\u003e)\u003c/td\u003e\n      \u003ctd\u003e—\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003ctd\u003e\u003ccode\u003e--fail-on\u003c/code\u003e\u003c/td\u003e\n      \u003ctd\u003estring\u003c/td\u003e\n      \u003ctd\u003eExit non-zero on: \u003ccode\u003ecritical\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003eany\u003c/code\u003e\u003c/td\u003e\n      \u003ctd\u003e\u003ccode\u003ehigh\u003c/code\u003e\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e, \u003ccode\u003e--format\u003c/code\u003e\u003c/td\u003e\n      \u003ctd\u003estring\u003c/td\u003e\n      \u003ctd\u003eOutput format: \u003ccode\u003etable\u003c/code\u003e, \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003emarkdown\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ejunit\u003c/code\u003e\u003c/td\u003e\n      \u003ctd\u003e\u003ccode\u003etable\u003c/code\u003e\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003ctd\u003e\u003ccode\u003e-h\u003c/code\u003e, \u003ccode\u003e--help\u003c/code\u003e\u003c/td\u003e\n      \u003ctd\u003e—\u003c/td\u003e\n      \u003ctd\u003eShow help for the command\u003c/td\u003e\n      \u003ctd\u003e—\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003ctd\u003e\u003ccode\u003e--include-check\u003c/code\u003e\u003c/td\u003e\n      \u003ctd\u003estrings\u003c/td\u003e\n      \u003ctd\u003eInclude only specific control IDs in results (e.g. 
\u003ccode\u003e--include-check IMAGE-001,IMAGE-005\u003c/code\u003e)\u003c/td\u003e\n      \u003ctd\u003e—\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003ctd\u003e\u003ccode\u003e-o\u003c/code\u003e, \u003ccode\u003e--output\u003c/code\u003e\u003c/td\u003e\n      \u003ctd\u003estring\u003c/td\u003e\n      \u003ctd\u003eWrite results to file\u003c/td\u003e\n      \u003ctd\u003e—\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003ctd\u003e\u003ccode\u003e-s\u003c/code\u003e, \u003ccode\u003e--scanner\u003c/code\u003e\u003c/td\u003e\n      \u003ctd\u003estrings\u003c/td\u003e\n      \u003ctd\u003eVulnerability scanners to use: \u003ccode\u003etrivy\u003c/code\u003e, \u003ccode\u003esnyk\u003c/code\u003e, \u003ccode\u003enone\u003c/code\u003e\u003c/td\u003e\n      \u003ctd\u003e\u003ccode\u003etrivy,snyk\u003c/code\u003e\u003c/td\u003e\n    \u003c/tr\u003e\n  \u003c/tbody\u003e\n\u003c/table\u003e\n\n\u003cbr\u003e\n\n\u003c/details\u003e\n\n\n\u003cdetails\u003e\u003csummary\u003e\u003cb\u003e\u003ccode\u003eimage\u003c/code\u003e Mode\u003c/b\u003e\u003c/summary\u003e\n\n\u003cbr\u003e\n\n```bash\ndockeraudit image [IMAGE...] 
[flags]\n```\n\n\u003cb\u003eExamples\u003c/b\u003e\n\n```bash\n# Scan with JSON output to file\ndockeraudit image nginx:latest --format json -o results.json\n\n# Scan multiple images in parallel\ndockeraudit image nginx:latest postgres:16 redis:7\n\n# Exclude specific checks\ndockeraudit image myapp:latest --exclude-check IMAGE-001,IMAGE-008\n```\n\n\u003ctable\u003e\n  \u003cthead\u003e\n    \u003ctr\u003e\n      \u003cth\u003eFlag\u003c/th\u003e\n      \u003cth\u003eType\u003c/th\u003e\n      \u003cth\u003eDescription\u003c/th\u003e\n      \u003cth\u003eDefault\u003c/th\u003e\n    \u003c/tr\u003e\n  \u003c/thead\u003e\n  \u003ctbody\u003e\n    \u003ctr\u003e\n      \u003ctd\u003e\u003ccode\u003e--eol-file\u003c/code\u003e\u003c/td\u003e\n      \u003ctd\u003estring\u003c/td\u003e\n      \u003ctd\u003ePath to JSON file with custom end-of-life image definitions (overrides built-in list)\u003c/td\u003e\n      \u003ctd\u003e—\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003ctd\u003e\u003ccode\u003e--exclude-check\u003c/code\u003e\u003c/td\u003e\n      \u003ctd\u003estrings\u003c/td\u003e\n      \u003ctd\u003eExclude specific control IDs from results (e.g. 
\u003ccode\u003e--exclude-check IMAGE-001,RUNTIME-010\u003c/code\u003e)\u003c/td\u003e\n      \u003ctd\u003e—\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003ctd\u003e\u003ccode\u003e--fail-on\u003c/code\u003e\u003c/td\u003e\n      \u003ctd\u003estring\u003c/td\u003e\n      \u003ctd\u003eExit non-zero on: \u003ccode\u003ecritical\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003eany\u003c/code\u003e\u003c/td\u003e\n      \u003ctd\u003e\u003ccode\u003ehigh\u003c/code\u003e\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e, \u003ccode\u003e--format\u003c/code\u003e\u003c/td\u003e\n      \u003ctd\u003estring\u003c/td\u003e\n      \u003ctd\u003eOutput format: \u003ccode\u003etable\u003c/code\u003e, \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003emarkdown\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ejunit\u003c/code\u003e\u003c/td\u003e\n      \u003ctd\u003e\u003ccode\u003etable\u003c/code\u003e\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003ctd\u003e\u003ccode\u003e-h\u003c/code\u003e, \u003ccode\u003e--help\u003c/code\u003e\u003c/td\u003e\n      \u003ctd\u003e—\u003c/td\u003e\n      \u003ctd\u003eShow help for the command\u003c/td\u003e\n      \u003ctd\u003e—\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003ctd\u003e\u003ccode\u003e--include-check\u003c/code\u003e\u003c/td\u003e\n      \u003ctd\u003estrings\u003c/td\u003e\n      \u003ctd\u003eInclude only specific control IDs in results (e.g. 
\u003ccode\u003e--include-check IMAGE-001,IMAGE-005\u003c/code\u003e)\u003c/td\u003e\n      \u003ctd\u003e—\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003ctd\u003e\u003ccode\u003e-o\u003c/code\u003e, \u003ccode\u003e--output\u003c/code\u003e\u003c/td\u003e\n      \u003ctd\u003estring\u003c/td\u003e\n      \u003ctd\u003eWrite results to file\u003c/td\u003e\n      \u003ctd\u003e—\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003ctd\u003e\u003ccode\u003e-s\u003c/code\u003e, \u003ccode\u003e--scanner\u003c/code\u003e\u003c/td\u003e\n      \u003ctd\u003estrings\u003c/td\u003e\n      \u003ctd\u003eVulnerability scanners to use: \u003ccode\u003etrivy\u003c/code\u003e, \u003ccode\u003esnyk\u003c/code\u003e, \u003ccode\u003enone\u003c/code\u003e\u003c/td\u003e\n      \u003ctd\u003e\u003ccode\u003etrivy,snyk\u003c/code\u003e\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003ctd\u003e\u003ccode\u003e--timeout\u003c/code\u003e\u003c/td\u003e\n      \u003ctd\u003eint\u003c/td\u003e\n      \u003ctd\u003eTimeout in seconds per image\u003c/td\u003e\n      \u003ctd\u003e\u003ccode\u003e180\u003c/code\u003e\u003c/td\u003e\n    \u003c/tr\u003e\n  \u003c/tbody\u003e\n\u003c/table\u003e\n\n\u003cbr\u003e\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\u003csummary\u003e\u003cb\u003e\u003ccode\u003ek8s\u003c/code\u003e Mode\u003c/b\u003e\u003c/summary\u003e\n\n\u003cbr\u003e\n\n```bash\ndockeraudit k8s [PATH...] 
[flags]\n```\n\n\u003cb\u003eExamples\u003c/b\u003e\n\n```bash\n# Scan with JSON output to file \ndockeraudit k8s ./helm_charts/ --format json -o results.json \n\n# Scan with Snyk \ndockeraudit k8s ./helm_charts/ --scanner snyk\n```\n\n\u003ctable\u003e\n  \u003cthead\u003e\n    \u003ctr\u003e\n      \u003cth\u003eFlag\u003c/th\u003e\n      \u003cth\u003eType\u003c/th\u003e\n      \u003cth\u003eDescription\u003c/th\u003e\n      \u003cth\u003eDefault\u003c/th\u003e\n    \u003c/tr\u003e\n  \u003c/thead\u003e\n  \u003ctbody\u003e\n    \u003ctr\u003e\n      \u003ctd\u003e\u003ccode\u003e--exclude-check\u003c/code\u003e\u003c/td\u003e\n      \u003ctd\u003estrings\u003c/td\u003e\n      \u003ctd\u003eExclude specific control IDs from results (e.g. \u003ccode\u003e--exclude-check K8S-001,K8S-003\u003c/code\u003e)\u003c/td\u003e\n      \u003ctd\u003e—\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003ctd\u003e\u003ccode\u003e--fail-on\u003c/code\u003e\u003c/td\u003e\n      \u003ctd\u003estring\u003c/td\u003e\n      \u003ctd\u003eExit non-zero on: \u003ccode\u003ecritical\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003eany\u003c/code\u003e\u003c/td\u003e\n      \u003ctd\u003e\u003ccode\u003ehigh\u003c/code\u003e\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e, \u003ccode\u003e--format\u003c/code\u003e\u003c/td\u003e\n      \u003ctd\u003estring\u003c/td\u003e\n      \u003ctd\u003eOutput format: \u003ccode\u003etable\u003c/code\u003e, \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003emarkdown\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ejunit\u003c/code\u003e\u003c/td\u003e\n      \u003ctd\u003e\u003ccode\u003etable\u003c/code\u003e\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003ctd\u003e\u003ccode\u003e-h\u003c/code\u003e, 
\u003ccode\u003e--help\u003c/code\u003e\u003c/td\u003e\n      \u003ctd\u003e—\u003c/td\u003e\n      \u003ctd\u003eShow help for the command\u003c/td\u003e\n      \u003ctd\u003e—\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003ctd\u003e\u003ccode\u003e--include-check\u003c/code\u003e\u003c/td\u003e\n      \u003ctd\u003estrings\u003c/td\u003e\n      \u003ctd\u003eInclude only specific control IDs in results (e.g. \u003ccode\u003e--include-check K8S-001,K8S-005\u003c/code\u003e)\u003c/td\u003e\n      \u003ctd\u003e—\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003ctd\u003e\u003ccode\u003e-o\u003c/code\u003e, \u003ccode\u003e--output\u003c/code\u003e\u003c/td\u003e\n      \u003ctd\u003estring\u003c/td\u003e\n      \u003ctd\u003eWrite results to file\u003c/td\u003e\n      \u003ctd\u003e—\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003ctd\u003e\u003ccode\u003e-s\u003c/code\u003e, \u003ccode\u003e--scanner\u003c/code\u003e\u003c/td\u003e\n      \u003ctd\u003estrings\u003c/td\u003e\n      \u003ctd\u003eVulnerability scanners to use: \u003ccode\u003etrivy\u003c/code\u003e, \u003ccode\u003esnyk\u003c/code\u003e, \u003ccode\u003enone\u003c/code\u003e\u003c/td\u003e\n      \u003ctd\u003e\u003ccode\u003etrivy,snyk\u003c/code\u003e\u003c/td\u003e\n    \u003c/tr\u003e\n  \u003c/tbody\u003e\n\u003c/table\u003e\n\n\u003cbr\u003e\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\u003csummary\u003e\u003cb\u003e\u003ccode\u003eterraform\u003c/code\u003e Mode\u003c/b\u003e\u003c/summary\u003e\n\n\u003cbr\u003e\n\n```bash\ndockeraudit terraform [PATH...] 
[flags]\n```\n\n```bash\n# Fail on medium severity findings \ndockeraudit terraform aws/ --fail-on medium\n```\n\n\u003ctable\u003e\n  \u003cthead\u003e\n    \u003ctr\u003e\n      \u003cth\u003eFlag\u003c/th\u003e\n      \u003cth\u003eType\u003c/th\u003e\n      \u003cth\u003eDescription\u003c/th\u003e\n      \u003cth\u003eDefault\u003c/th\u003e\n    \u003c/tr\u003e\n  \u003c/thead\u003e\n  \u003ctbody\u003e\n    \u003ctr\u003e\n      \u003ctd\u003e\u003ccode\u003e--exclude-check\u003c/code\u003e\u003c/td\u003e\n      \u003ctd\u003estrings\u003c/td\u003e\n      \u003ctd\u003eExclude specific control IDs from results (e.g. \u003ccode\u003e--exclude-check IMAGE-001,RUNTIME-010\u003c/code\u003e)\u003c/td\u003e\n      \u003ctd\u003e—\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003ctd\u003e\u003ccode\u003e--fail-on\u003c/code\u003e\u003c/td\u003e\n      \u003ctd\u003estring\u003c/td\u003e\n      \u003ctd\u003eExit non-zero on: \u003ccode\u003ecritical\u003c/code\u003e, \u003ccode\u003ehigh\u003c/code\u003e, \u003ccode\u003emedium\u003c/code\u003e, \u003ccode\u003elow\u003c/code\u003e, \u003ccode\u003eany\u003c/code\u003e\u003c/td\u003e\n      \u003ctd\u003e\u003ccode\u003ehigh\u003c/code\u003e\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003ctd\u003e\u003ccode\u003e-f\u003c/code\u003e, \u003ccode\u003e--format\u003c/code\u003e\u003c/td\u003e\n      \u003ctd\u003estring\u003c/td\u003e\n      \u003ctd\u003eOutput format: \u003ccode\u003etable\u003c/code\u003e, \u003ccode\u003ejson\u003c/code\u003e, \u003ccode\u003emarkdown\u003c/code\u003e, \u003ccode\u003esarif\u003c/code\u003e, \u003ccode\u003ejunit\u003c/code\u003e\u003c/td\u003e\n      \u003ctd\u003e\u003ccode\u003etable\u003c/code\u003e\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003ctd\u003e\u003ccode\u003e-h\u003c/code\u003e, \u003ccode\u003e--help\u003c/code\u003e\u003c/td\u003e\n      \u003ctd\u003e—\u003c/td\u003e\n      \u003ctd\u003eShow help for the 
command\u003c/td\u003e\n      \u003ctd\u003e—\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003ctd\u003e\u003ccode\u003e--include-check\u003c/code\u003e\u003c/td\u003e\n      \u003ctd\u003estrings\u003c/td\u003e\n      \u003ctd\u003eInclude only specific control IDs in results (e.g. \u003ccode\u003e--include-check IMAGE-001,IMAGE-005\u003c/code\u003e)\u003c/td\u003e\n      \u003ctd\u003e—\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003ctd\u003e\u003ccode\u003e-o\u003c/code\u003e, \u003ccode\u003e--output\u003c/code\u003e\u003c/td\u003e\n      \u003ctd\u003estring\u003c/td\u003e\n      \u003ctd\u003eWrite results to file\u003c/td\u003e\n      \u003ctd\u003e—\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n      \u003ctd\u003e\u003ccode\u003e-s\u003c/code\u003e, \u003ccode\u003e--scanner\u003c/code\u003e\u003c/td\u003e\n      \u003ctd\u003estrings\u003c/td\u003e\n      \u003ctd\u003eVulnerability scanners to use: \u003ccode\u003etrivy\u003c/code\u003e, \u003ccode\u003esnyk\u003c/code\u003e, \u003ccode\u003enone\u003c/code\u003e\u003c/td\u003e\n      \u003ctd\u003e\u003ccode\u003etrivy,snyk\u003c/code\u003e\u003c/td\u003e\n    \u003c/tr\u003e\n  \u003c/tbody\u003e\n\u003c/table\u003e\n\n\u003cbr\u003e\n\n\u003c/details\u003e\n\n\n\n\u003cdetails\u003e\u003csummary\u003e\u003cb\u003e Global Flags\u003c/b\u003e\u003c/summary\u003e\n\n\u003cbr\u003e\n\n| Flag | Default | Description |\n|------|---------|-------------|\n| `--verbose` | `false` | Print scan progress to stderr |\n| `--config` | `.dockeraudit.yaml` | Path to config file |\n| `--version` | | Print version |\n\n\u003c/details\u003e\n\n\n## Configuration File\n\ndockeraudit supports a YAML configuration file for setting default options. CLI flags always override config file values.\n\n**Config file discovery order:**\n\n1. Path specified by `--config` flag\n2. `.dockeraudit.yaml` in the current working directory\n3. 
`.dockeraudit.yml` in the current working directory\n\n```yaml\n# .dockeraudit.yaml\nformat: table\nfail-on: high\nverbose: false\nexclude-check:\n  - IMAGE-001\n  - RUNTIME-010\ninclude-check:        # when set, only these controls run\n  - RUNTIME-001\n  - RUNTIME-002\neol-file: custom-eol.json\n```\n\n| Option | Type | Default | Description |\n|--------|------|---------|-------------|\n| `format` | string | `table` | Output format: `table`, `json`, `markdown`, `sarif`, `junit` |\n| `fail-on` | string | `high` | Exit non-zero threshold: `critical`, `high`, `medium`, `low`, `any` |\n| `verbose` | bool | `false` | Print scan progress to stderr |\n| `exclude-check` | list | (empty) | Control IDs to exclude from results |\n| `include-check` | list | (empty) | Only include these control IDs (applied before `exclude-check`) |\n| `eol-file` | string | (empty) | Path to custom end-of-life image definitions JSON |\n\n**Example configurations:**\n\n```yaml\n# CI/CD (strict)            # Development (relaxed)       # Compliance audit\nformat: sarif                format: table                  format: json\nfail-on: critical            fail-on: any                   fail-on: low\nverbose: true                exclude-check:                 verbose: true\n                               - IMAGE-001\n                               - IMAGE-008\n```\n\nSee [.dockeraudit.example.yaml](.dockeraudit.example.yaml) for the full reference.\n\n## CI/CD Integration\n\n### GitHub Actions\n\n```yaml\n- name: Install dockeraudit\n  run: |\n    curl -sSfL \\\n      https://github.com/kariemoorman/dockeraudit/releases/latest/download/dockeraudit_linux_amd64.tar.gz \\\n      | tar -xz -C /usr/local/bin dockeraudit\n\n- name: Scan\n  run: |\n    dockeraudit scan \\\n      --images myapp:${{ github.sha }} \\\n      --k8s ./k8s/ \\\n      --format sarif \\\n      --output results.sarif \\\n      --fail-on critical\n\n- name: Upload SARIF\n  uses: github/codeql-action/upload-sarif@v3\n  if: 
always()\n  with:\n    sarif_file: results.sarif\n```\n\n\n### GitLab CI\n\n```yaml\ndockeraudit:\n  stage: security\n  image: ubuntu:24.04\n  before_script:\n    - apt-get update\n    - apt-get install -y --no-install-recommends curl ca-certificates\n    - |\n      curl -sSfL \\\n        https://github.com/kariemoorman/dockeraudit/releases/latest/download/dockeraudit_linux_amd64.tar.gz \\\n        | tar -xz -C /usr/local/bin dockeraudit\n  script:\n    - dockeraudit k8s ./k8s/ --format json -o report.json --fail-on high\n  artifacts:\n    paths: [report.json]\n    when: always\n  allow_failure: true\n```\n\n\n## Shell Completion\n\nGenerate shell completion scripts:\n\n```bash\n# Bash\n## Per-user — add to `~/.bashrc`:\nsource \u003c(dockeraudit completion bash)\n\n# Zsh\nsource \u003c(dockeraudit completion zsh)\n\n# Fish\nmkdir -p ~/.config/fish/completions\ndockeraudit completion fish \u003e ~/.config/fish/completions/dockeraudit.fish\n\n# PowerShell\ndockeraudit completion powershell \u003e\u003e $PROFILE\n\n```\n\n## Security Controls\n\ndockeraudit evaluates **80+ controls** across **12 security domains**:\n\n\n| Domain | Controls | What It Covers |\n|--------|----------|----------------|\n| **Host** | 6 | Minimal OS, patching, firewall, SELinux/AppArmor, auditd, Bottlerocket |\n| **Daemon** | 8 | Docker socket, TCP/port 2375 exposure, userns-remap, content trust, log rotation |\n| **Image** | 16 | Digest pinning, secrets in layers, SUID files, non-root USER, EOL images, debug tools, package verification bypass, recursive COPY, multi-stage builds |\n| **Runtime** | 16 | Privileged mode, capabilities, read-only rootfs, host namespaces, resource limits, health probes, seccomp, AppArmor/SELinux, automountSA, ulimits, restart policies |\n| **Registry** | 4 | Insecure-registries in daemon config, unauthenticated/http registry refs in Dockerfiles/Compose/k8s, ECR/GAR/ACR IAM least-privilege, lifecycle/retention policies |\n| **Network** | 2 | Default-deny 
NetworkPolicy, cloud metadata endpoint blocked |\n| **Secrets** | 3 | External secrets manager, RBAC-scoped secret access, AI/API key detection |\n| **Supply Chain** | 3 | Image signing, SBOM attestation, immutable registry tags |\n| **Monitoring** | 2 | Runtime threat detection (Falco), Kubernetes audit logging |\n| **Database** | 12 | Admin tools, startup flags, auth config, service types, encryption, persistent storage, annotations |\n| **Kubernetes** | 3 | Namespace isolation, pod anti-affinity/topology spread, IaC vulnerability scanning (Trivy/Snyk) |\n| **Terraform** | 9 | S3 public access/versioning, ECS privileged/non-root/read-only rootfs, security group ingress, KMS encryption, CloudTrail logging, IaC vulnerability scanning (Trivy/Snyk) |\n\n\u003cbr\u003e\n\nRun `dockeraudit report controls` for the full list.\n\n## License\n\nThis project is licensed under the BSD License. See [LICENSE](LICENSE) for details.\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkariemoorman%2Fdockeraudit","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkariemoorman%2Fdockeraudit","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkariemoorman%2Fdockeraudit/lists"}
