https://github.com/kariemoorman/dockeraudit
A container security auditing toolkit, with trivy and snyk CVE scanning integration
container-security docker docker-security k8s
Last synced: 8 days ago
- Host: GitHub
- URL: https://github.com/kariemoorman/dockeraudit
- Owner: kariemoorman
- License: other
- Created: 2026-03-08T16:12:43.000Z (about 2 months ago)
- Default Branch: main
- Last Pushed: 2026-03-26T01:59:21.000Z (about 1 month ago)
- Last Synced: 2026-03-26T23:40:54.700Z (about 1 month ago)
- Topics: container-security, docker, docker-security, k8s
- Language: Go
- Homepage:
- Size: 115 KB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- License: LICENSE
README

dockeraudit
A CONTAINER SECURITY AUDITING TOOLKIT
Aligned to CIS Docker Benchmark v1.8+, NIST SP 800-190, and DoDI 8510.01 RMF controls.
## Table of Contents
- [Features](#features)
- [Installation](#installation)
- [Quick Start](#quick-start)
- [Examples](#examples)
- [Usage](#usage)
- [Configuration File](#configuration-file)
- [CI/CD Integration](#cicd-integration)
- [Shell Completion](#shell-completion)
- [Security Controls](#security-controls)
- [License](#license)
## Features
**80+ Security Controls**:
- Includes security controls across 12 domains with compliance mappings to CIS, NIST 800-53, NIST 800-190, ISO 27001, SOC 2, and DISA CCI.
**Docker Scanning**:
- Audits Images, Dockerfiles, & Docker Compose configurations for misconfigurations, secrets, and other security vulnerabilities.
**Kubernetes Manifest Scanning**:
- Audits k8s manifests and helm charts for misconfigurations, secrets, and other security vulnerabilities.
**Terraform Configuration Scanning**:
- Audits terraform files for misconfigurations, secrets, and other security vulnerabilities, including cloud resources (e.g., AWS: ECR, EKS, S3, ECS, RDS, ElastiCache, DynamoDB).
**Secrets Detection**:
- 76+ regex patterns with confidence scoring and false-positive suppression.
**Vulnerability Detection**:
- Uses Trivy and Snyk for CVE scanning; the scanners to run are selected with the `--scanner` flag.
**Auto-Saved Reports**:
- Each scan writes a timestamped copy to `scans/` for audit trails.
- 5 output formats - table (TXT), JSON, Markdown, SARIF (GitHub Security), JUnit (CI/CD).
**CI/CD Ready**:
- Configurable exit codes with `--fail-on` threshold, SARIF upload to GitHub Security tab.
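As an added illustration of the secrets-detection approach listed above (pattern matching with confidence scoring and false-positive suppression), here is a small Go scanner written for this page. It is not dockeraudit's code: the three patterns, the confidence values, the `secrets:ignore` marker and the Compose fragment are all constructed for the example.

```go
package main

import (
	"fmt"
	"math"
	"regexp"
	"strings"
)

// Finding is one candidate secret: line, matching rule, value, 0..1 confidence.
type Finding struct {
	Line       int
	Rule       string
	Match      string
	Confidence float64
}

// Rule pairs a pattern (group 1 captures the value) with a base confidence.
// Order matters: specific rules come before the generic one.
type Rule struct {
	Name string
	Re   *regexp.Regexp
	Base float64
}

// Three illustrative rules; they are not dockeraudit's own pattern set.
var rules = []Rule{
	{"aws-access-key-id", regexp.MustCompile(`\b(AKIA[0-9A-Z]{16})\b`), 0.9},
	{"github-token", regexp.MustCompile(`\b(ghp_[A-Za-z0-9]{36})\b`), 0.9},
	{"generic-assignment", regexp.MustCompile(`(?i)(?:password|secret|token|api[_-]?key)\s*[=:]\s*["']?([^"'\s]{8,})`), 0.5},
}

// placeholders look like credentials but are templates or documentation samples.
var placeholders = regexp.MustCompile(`(?i)^(\$\{?[A-Z_]+\}?|changeme|example|xxx+|<[^>]+>|\*+)$`)

// shannonEntropy in bits per character: random credentials score high, words low.
func shannonEntropy(s string) float64 {
	freq := map[rune]int{}
	for _, r := range s {
		freq[r]++
	}
	n := float64(len([]rune(s)))
	var h float64
	for _, c := range freq {
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// score drops placeholders outright and nudges the base confidence by entropy.
func score(r Rule, value string) float64 {
	if placeholders.MatchString(value) {
		return 0
	}
	c := r.Base
	switch e := shannonEntropy(value); {
	case e >= 4.0:
		c += 0.1
	case e < 3.0:
		c -= 0.3
	}
	return math.Max(0, math.Min(1, c))
}

// Scan runs every rule over each line. Lines carrying "secrets:ignore" (a marker
// invented for this example) are skipped, candidates below minConf are dropped, and
// a value already reported by a more specific rule on the same line is not repeated.
func Scan(content string, minConf float64) []Finding {
	var out []Finding
	for i, line := range strings.Split(content, "\n") {
		if strings.Contains(line, "secrets:ignore") {
			continue
		}
		seen := map[string]bool{}
		for _, r := range rules {
			for _, m := range r.Re.FindAllStringSubmatch(line, -1) {
				if seen[m[1]] {
					continue
				}
				if c := score(r, m[1]); c >= minConf {
					seen[m[1]] = true
					out = append(out, Finding{i + 1, r.Name, m[1], c})
				}
			}
		}
	}
	return out
}

// sampleCompose is a constructed Compose fragment; none of the values are real credentials.
const sampleCompose = `services:
  api:
    image: myapp:1.0
    environment:
      AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
      DB_PASSWORD: changeme
      API_KEY: ${API_KEY}
      GITHUB_TOKEN: ghp_0123456789abcdefghijABCDEFGHIJklmnop
      SESSION_SECRET: hunter2hunter2  # secrets:ignore`

func main() {
	for _, f := range Scan(sampleCompose, 0.5) {
		fmt.Printf("line %d  %-20s conf=%.2f  %s\n", f.Line, f.Rule, f.Confidence, f.Match)
	}
}
```

Run with `go run .`: the AWS key and the GitHub token are reported, `changeme` and `${API_KEY}` are suppressed as placeholders, and the line marked `secrets:ignore` is skipped. A production scanner carries far more patterns and tunes thresholds per rule; the point here is the shape of the pipeline (match, score, suppress, dedupe).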
## Installation
### From Source
Requires **Go 1.25+**.
```bash
git clone https://github.com/kariemoorman/dockeraudit.git
cd dockeraudit
make build
```
### Go Install
```bash
go install github.com/kariemoorman/dockeraudit/cmd/dockeraudit@latest
```
*Note: make sure the Go binary directory is on your `PATH`, then reload your shell configuration file:*
```bash
export PATH=$PATH:$HOME/go/bin
# or, equivalently:
export PATH=$PATH:$(go env GOPATH)/bin
# then reload your shell config
source ~/.bashrc   # bash
source ~/.zshrc    # zsh
```
### Verify Installation
```bash
dockeraudit --version
```
## Quick Start
```bash
# Scan a Docker image
dockeraudit image nginx:latest
# Scan Dockerfiles and Compose files
dockeraudit docker Dockerfile docker-compose.yml --scanner trivy
# Scan Kubernetes manifests
dockeraudit k8s ./manifests/
# Scan a Helm chart (rendered via `helm template` before scanning)
dockeraudit k8s ./helm_chart/
# Scan Terraform files
dockeraudit terraform ./infrastructure/
# Scan everything in one pass
dockeraudit scan \
--images nginx:latest \
--docker ./ \
--k8s ./k8s/ \
--tf ./terraform/ \
--format markdown
```
## Examples
Sample output for the Docker, Image, k8s and Terraform scan modes is shown as screenshots in the original README and is not reproduced in this text copy.
## Usage
### Scan Modes
| Mode | Description |
|---------|-------------|
| `scan` | Run all applicable scanners in a single pass |
| `image` | Scan Docker images for hardening issues |
| `docker` | Scan Dockerfiles and Docker Compose files |
| `k8s` | Scan Kubernetes manifests for security misconfigurations |
| `terraform` | Scan Terraform files for container security issues |
| `report controls` | List all hardening controls with compliance mappings |
| `completion` | Generate shell completion scripts (bash/zsh/fish/powershell) |
### Command Flags
#### `scan` Mode
```bash
dockeraudit scan [flags]
```
Examples
```bash
# Only fail on critical findings in CI
dockeraudit scan --k8s ./manifests/ --fail-on critical
# Generate SARIF for GitHub Security tab
dockeraudit scan --images myapp:latest --format sarif -o results.sarif
```
| Flag | Type | Description | Default |
|------|------|-------------|---------|
| `--daemon` | bool | Scan local Docker daemon configuration | — |
| `-d, --docker` | strings | Dockerfile(s), docker-compose file(s), or directories to scan | — |
| `--exclude-check` | strings | Exclude specific control IDs from results (e.g. `--exclude-check IMAGE-001,RUNTIME-010`) | — |
| `--fail-on` | string | Exit non-zero if failures at this severity or above: `critical`, `high`, `medium`, `low`, `any` | `high` |
| `-f, --format` | string | Output format: `table`, `json`, `markdown`, `sarif`, `junit` | `table` |
| `-h, --help` | — | Show help for the command | — |
| `-i, --images` | strings | Docker image(s) to scan (e.g. `--images nginx:latest,myapp:v1.0`) | — |
| `--include-check` | strings | Include only specific control IDs in results (e.g. `--include-check IMAGE-001,IMAGE-005`) | — |
| `-k, --k8s` | strings | Kubernetes manifest file(s) or directories to scan | — |
| `-o, --output` | string | Write results to file | stdout |
| `--runtime` | bool | Scan all running containers for runtime misconfigurations | — |
| `-s, --scanner` | strings | Vulnerability scanners to use: `trivy`, `snyk`, `none` | `trivy,snyk` |
| `-t, --tf` | strings | Terraform file(s) or directories to scan | — |
| `--timeout` | int | Scan timeout in seconds | `300` |
#### `docker` Mode
```bash
dockeraudit docker [PATH...] [flags]
```
Examples
```bash
# Only fail on critical findings in CI
dockeraudit docker Dockerfile --fail-on critical
# Generate Markdown file
dockeraudit docker docker-compose.yaml --format markdown
```
| Flag | Type | Description | Default |
|------|------|-------------|---------|
| `--exclude-check` | strings | Exclude specific control IDs from results (e.g. `--exclude-check IMAGE-001,RUNTIME-010`) | — |
| `--fail-on` | string | Exit non-zero on: `critical`, `high`, `medium`, `low`, `any` | `high` |
| `-f, --format` | string | Output format: `table`, `json`, `markdown`, `sarif`, `junit` | `table` |
| `-h, --help` | — | Show help for the command | — |
| `--include-check` | strings | Include only specific control IDs in results (e.g. `--include-check IMAGE-001,IMAGE-005`) | — |
| `-o, --output` | string | Write results to file | — |
| `-s, --scanner` | strings | Vulnerability scanners to use: `trivy`, `snyk`, `none` | `trivy,snyk` |
#### `image` Mode
```bash
dockeraudit image [IMAGE...] [flags]
```
Examples
```bash
# Scan with JSON output to file
dockeraudit image nginx:latest --format json -o results.json
# Scan multiple images in parallel
dockeraudit image nginx:latest postgres:16 redis:7
# Exclude specific checks
dockeraudit image myapp:latest --exclude-check IMAGE-001,IMAGE-008
```
| Flag | Type | Description | Default |
|------|------|-------------|---------|
| `--eol-file` | string | Path to JSON file with custom end-of-life image definitions (overrides built-in list) | — |
| `--exclude-check` | strings | Exclude specific control IDs from results (e.g. `--exclude-check IMAGE-001,RUNTIME-010`) | — |
| `--fail-on` | string | Exit non-zero on: `critical`, `high`, `medium`, `low`, `any` | `high` |
| `-f, --format` | string | Output format: `table`, `json`, `markdown`, `sarif`, `junit` | `table` |
| `-h, --help` | — | Show help for the command | — |
| `--include-check` | strings | Include only specific control IDs in results (e.g. `--include-check IMAGE-001,IMAGE-005`) | — |
| `-o, --output` | string | Write results to file | — |
| `-s, --scanner` | strings | Vulnerability scanners to use: `trivy`, `snyk`, `none` | `trivy,snyk` |
| `--timeout` | int | Timeout in seconds per image | `180` |
#### `k8s` Mode
```bash
dockeraudit k8s [PATH...] [flags]
```
Examples
```bash
# Scan with JSON output to file
dockeraudit k8s ./helm_charts/ --format json -o results.json
# Scan with Snyk
dockeraudit k8s ./helm_charts/ --scanner snyk
```
| Flag | Type | Description | Default |
|------|------|-------------|---------|
| `--exclude-check` | strings | Exclude specific control IDs from results (e.g. `--exclude-check K8S-001,K8S-003`) | — |
| `--fail-on` | string | Exit non-zero on: `critical`, `high`, `medium`, `low`, `any` | `high` |
| `-f, --format` | string | Output format: `table`, `json`, `markdown`, `sarif`, `junit` | `table` |
| `-h, --help` | — | Show help for the command | — |
| `--include-check` | strings | Include only specific control IDs in results (e.g. `--include-check K8S-001,K8S-005`) | — |
| `-o, --output` | string | Write results to file | — |
| `-s, --scanner` | strings | Vulnerability scanners to use: `trivy`, `snyk`, `none` | `trivy,snyk` |
#### `terraform` Mode
```bash
dockeraudit terraform [PATH...] [flags]
```
Examples
```bash
# Fail on medium severity findings
dockeraudit terraform aws/ --fail-on medium
```
| Flag | Type | Description | Default |
|------|------|-------------|---------|
| `--exclude-check` | strings | Exclude specific control IDs from results (e.g. `--exclude-check IMAGE-001,RUNTIME-010`) | — |
| `--fail-on` | string | Exit non-zero on: `critical`, `high`, `medium`, `low`, `any` | `high` |
| `-f, --format` | string | Output format: `table`, `json`, `markdown`, `sarif`, `junit` | `table` |
| `-h, --help` | — | Show help for the command | — |
| `--include-check` | strings | Include only specific control IDs in results (e.g. `--include-check IMAGE-001,IMAGE-005`) | — |
| `-o, --output` | string | Write results to file | — |
| `-s, --scanner` | strings | Vulnerability scanners to use: `trivy`, `snyk`, `none` | `trivy,snyk` |
#### Global Flags
| Flag | Default | Description |
|------|---------|-------------|
| `--verbose` | `false` | Print scan progress to stderr |
| `--config` | `.dockeraudit.yaml` | Path to config file |
| `--version` | — | Print version |
## Configuration File
dockeraudit supports a YAML configuration file for setting default options. CLI flags always override config file values.
**Config file discovery order:**
1. Path specified by `--config` flag
2. `.dockeraudit.yaml` in the current working directory
3. `.dockeraudit.yml` in the current working directory
```yaml
# .dockeraudit.yaml
format: table
fail-on: high
verbose: false
exclude-check:
  - IMAGE-001
  - RUNTIME-010
include-check: # when set, only these controls run
  - RUNTIME-001
  - RUNTIME-002
eol-file: custom-eol.json
```
| Option | Type | Default | Description |
|--------|------|---------|-------------|
| `format` | string | `table` | Output format: `table`, `json`, `markdown`, `sarif`, `junit` |
| `fail-on` | string | `high` | Exit non-zero threshold: `critical`, `high`, `medium`, `low`, `any` |
| `verbose` | bool | `false` | Print scan progress to stderr |
| `exclude-check` | list | (empty) | Control IDs to exclude from results |
| `include-check` | list | (empty) | Only include these control IDs (applied before `exclude-check`) |
| `eol-file` | string | (empty) | Path to custom end-of-life image definitions JSON |
**Example configurations:**
```yaml
# CI/CD (strict)
format: sarif
fail-on: critical
verbose: true
```
```yaml
# Development (relaxed)
format: table
fail-on: any
exclude-check:
  - IMAGE-001
  - IMAGE-008
```
```yaml
# Compliance audit
format: json
fail-on: low
verbose: true
```
See [.dockeraudit.example.yaml](.dockeraudit.example.yaml) for the full reference.
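An added example of the precedence and gating rules documented in this section: defaults, then the config file, then CLI flags; `include-check` applied before `exclude-check`; and `fail-on` turning whatever findings remain into an exit code. This is illustrative Go written for this page, not dockeraudit's implementation; the `Config` and `Finding` types, the sample findings and the 1/2 exit-code split are assumptions of the example (the page only documents "non-zero").

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// Config holds the options from the table above. Parsing the YAML file is
// dockeraudit's job; here file and CLI values are constructed in code.
type Config struct {
	Format       string
	FailOn       string
	ExcludeCheck []string
	IncludeCheck []string
}

// Finding is a control that failed, with its severity.
type Finding struct {
	ID       string
	Severity string
}

var severityRank = map[string]int{"low": 1, "medium": 2, "high": 3, "critical": 4}

// Defaults are the documented defaults: table output, fail on high or above.
func Defaults() Config { return Config{Format: "table", FailOn: "high"} }

// Merge layers over on top of base; only explicitly set fields (non-empty
// string, non-nil list) win. Applying it as Merge(Merge(Defaults(), file), cli)
// gives the documented precedence: CLI flags override the config file.
func Merge(base, over Config) Config {
	out := base
	if over.Format != "" {
		out.Format = over.Format
	}
	if over.FailOn != "" {
		out.FailOn = over.FailOn
	}
	if over.ExcludeCheck != nil {
		out.ExcludeCheck = over.ExcludeCheck
	}
	if over.IncludeCheck != nil {
		out.IncludeCheck = over.IncludeCheck
	}
	return out
}

func toSet(ids []string) map[string]bool {
	s := map[string]bool{}
	for _, id := range ids {
		s[id] = true
	}
	return s
}

// Filter applies include-check first (an allow-list when non-empty), then
// exclude-check, so an ID present in both lists is dropped.
func Filter(cfg Config, in []Finding) []Finding {
	include, exclude := toSet(cfg.IncludeCheck), toSet(cfg.ExcludeCheck)
	var out []Finding
	for _, f := range in {
		if (len(include) > 0 && !include[f.ID]) || exclude[f.ID] {
			continue
		}
		out = append(out, f)
	}
	return out
}

// ExitCode is 0 when nothing left reaches the fail-on threshold, 1 when
// something does, and 2 for an invalid threshold (this example's convention).
func ExitCode(cfg Config, findings []Finding) (int, error) {
	level := strings.ToLower(cfg.FailOn)
	if level == "any" {
		if len(findings) > 0 {
			return 1, nil
		}
		return 0, nil
	}
	threshold, ok := severityRank[level]
	if !ok {
		return 2, fmt.Errorf("invalid fail-on value %q", cfg.FailOn)
	}
	for _, f := range findings {
		if severityRank[strings.ToLower(f.Severity)] >= threshold {
			return 1, nil
		}
	}
	return 0, nil
}

// sample is a constructed result set, not output from a real scan.
var sample = []Finding{{"IMAGE-001", "critical"}, {"IMAGE-008", "high"}, {"RUNTIME-010", "medium"}, {"K8S-001", "low"}}

func main() {
	file := Config{FailOn: "low", ExcludeCheck: []string{"IMAGE-001"}} // from .dockeraudit.yaml
	cli := Config{FailOn: "high"}                                     // from --fail-on high
	cfg := Merge(Merge(Defaults(), file), cli)
	kept := Filter(cfg, sample)
	code, err := ExitCode(cfg, kept)
	fmt.Printf("fail-on=%s kept=%v exit=%d err=%v\n", cfg.FailOn, kept, code, err)
	os.Exit(code)
}
```

With the file saying `fail-on: low` and the command line saying `--fail-on high`, the CLI wins, `IMAGE-001` is excluded, and the remaining `IMAGE-008` (high) still trips the gate, so the process exits 1. The same pipeline with `--fail-on critical` exits 0, because the only critical finding was excluded; this is exactly the interaction between `exclude-check` and `fail-on` that a CI pipeline needs to get right.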
## CI/CD Integration
### GitHub Actions
```yaml
- name: Install dockeraudit
  run: |
    curl -sSfL \
      https://github.com/kariemoorman/dockeraudit/releases/latest/download/dockeraudit_linux_amd64.tar.gz \
      | tar -xz -C /usr/local/bin dockeraudit
- name: Scan
  run: |
    dockeraudit scan \
      --images myapp:${{ github.sha }} \
      --k8s ./k8s/ \
      --format sarif \
      --output results.sarif \
      --fail-on critical
- name: Upload SARIF
  uses: github/codeql-action/upload-sarif@v3
  if: always()
  with:
    sarif_file: results.sarif
```
### GitLab CI
```yaml
dockeraudit:
  stage: security
  image: ubuntu:24.04
  before_script:
    - apt-get update
    - apt-get install -y --no-install-recommends curl ca-certificates
    - |
      curl -sSfL \
        https://github.com/kariemoorman/dockeraudit/releases/latest/download/dockeraudit_linux_amd64.tar.gz \
        | tar -xz -C /usr/local/bin dockeraudit
  script:
    - dockeraudit k8s ./k8s/ --format json -o report.json --fail-on high
  artifacts:
    paths: [report.json]
    when: always
  allow_failure: true
```
Both snippets install the unpinned `latest` release straight from `curl` into `/usr/local/bin`. For a reproducible pipeline, pin a release tag in the download URL and compare the archive against a checksum you recorded when you vetted that release, so a compromised or changed release cannot silently alter the scanner that gates your builds.
## Shell Completion
Generate shell completion scripts:
```bash
# Bash (per-user): add this line to ~/.bashrc
source <(dockeraudit completion bash)
# Zsh
source <(dockeraudit completion zsh)
# Fish
mkdir -p ~/.config/fish/completions
dockeraudit completion fish > ~/.config/fish/completions/dockeraudit.fish
# PowerShell
dockeraudit completion powershell >> $PROFILE
```
## Security Controls
dockeraudit evaluates **80+ controls** across **12 security domains**:
| Domain | Controls | What It Covers |
|--------|----------|----------------|
| **Host** | 6 | Minimal OS, patching, firewall, SELinux/AppArmor, auditd, Bottlerocket |
| **Daemon** | 8 | Docker socket, TCP/port 2375 exposure, userns-remap, content trust, log rotation |
| **Image** | 16 | Digest pinning, secrets in layers, SUID files, non-root USER, EOL images, debug tools, package verification bypass, recursive COPY, multi-stage builds |
| **Runtime** | 16 | Privileged mode, capabilities, read-only rootfs, host namespaces, resource limits, health probes, seccomp, AppArmor/SELinux, automountSA, ulimits, restart policies |
| **Registry** | 4 | Insecure-registries in daemon config, unauthenticated/http registry refs in Dockerfiles/Compose/k8s, ECR/GAR/ACR IAM least-privilege, lifecycle/retention policies |
| **Network** | 2 | Default-deny NetworkPolicy, cloud metadata endpoint blocked |
| **Secrets** | 3 | External secrets manager, RBAC-scoped secret access, AI/API key detection |
| **Supply Chain** | 3 | Image signing, SBOM attestation, immutable registry tags |
| **Monitoring** | 2 | Runtime threat detection (Falco), Kubernetes audit logging |
| **Database** | 12 | Admin tools, startup flags, auth config, service types, encryption, persistent storage, annotations |
| **Kubernetes** | 3 | Namespace isolation, pod anti-affinity/topology spread, IaC vulnerability scanning (Trivy/Snyk) |
| **Terraform** | 9 | S3 public access/versioning, ECS privileged/non-root/read-only rootfs, security group ingress, KMS encryption, CloudTrail logging, IaC vulnerability scanning (Trivy/Snyk) |
Run `dockeraudit report controls` for the full list.
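To make the Runtime and Image rows above concrete, here is an added Go example (written for this page, not part of dockeraudit) that evaluates a Pod manifest against a handful of those controls: host namespaces, service account token automount, privileged mode, privilege escalation, non-root user, read-only rootfs, dropped capabilities, resource limits and digest pinning. The control labels, the struct shapes and both manifests are constructed for the example; the manifests are JSON, which is the form a rendered YAML manifest decodes to.

```go
package main

import (
	"encoding/json"
	"fmt"
	"slices"
	"strings"
)

// Minimal view of a Pod manifest. Pointer fields keep "unset" distinct from
// "false" where the Kubernetes default is the insecure value.
type SecurityContext struct {
	Privileged               *bool `json:"privileged"`
	AllowPrivilegeEscalation *bool `json:"allowPrivilegeEscalation"`
	RunAsNonRoot             *bool `json:"runAsNonRoot"`
	ReadOnlyRootFilesystem   *bool `json:"readOnlyRootFilesystem"`
	Capabilities             *struct {
		Drop []string `json:"drop"`
	} `json:"capabilities"`
}

type Container struct {
	Name            string           `json:"name"`
	Image           string           `json:"image"`
	SecurityContext *SecurityContext `json:"securityContext"`
	Resources       struct {
		Limits map[string]string `json:"limits"`
	} `json:"resources"`
}

type Pod struct {
	Spec struct {
		HostPID                      bool        `json:"hostPID"`
		HostNetwork                  bool        `json:"hostNetwork"`
		AutomountServiceAccountToken *bool       `json:"automountServiceAccountToken"`
		Containers                   []Container `json:"containers"`
	} `json:"spec"`
}

// check is one control: a label (this example's own, not a dockeraudit ID) and whether it failed.
type check struct {
	name string
	bad  bool
}

func isTrue(b *bool) bool      { return b != nil && *b }
func defaultTrue(b *bool) bool { return b == nil || *b }

// Audit decodes a Pod manifest (JSON form) and returns the failed controls,
// pod-level ones first, then "<container>:<control>" for each container.
func Audit(manifest []byte) ([]string, error) {
	var pod Pod
	if err := json.Unmarshal(manifest, &pod); err != nil {
		return nil, err
	}
	var fails []string
	record := func(prefix string, checks []check) {
		for _, ch := range checks {
			if ch.bad {
				fails = append(fails, prefix+ch.name)
			}
		}
	}
	s := pod.Spec
	record("", []check{
		{"host-namespace", s.HostPID || s.HostNetwork},
		{"automount-sa-token", defaultTrue(s.AutomountServiceAccountToken)}, // k8s default: true
	})
	for _, c := range s.Containers {
		sc := c.SecurityContext
		if sc == nil {
			sc = &SecurityContext{}
		}
		record(c.Name+":", []check{
			{"privileged", isTrue(sc.Privileged)},
			{"privilege-escalation", defaultTrue(sc.AllowPrivilegeEscalation)}, // k8s default: true
			{"run-as-root", !isTrue(sc.RunAsNonRoot)},
			{"writable-rootfs", !isTrue(sc.ReadOnlyRootFilesystem)},
			{"capabilities-not-dropped", sc.Capabilities == nil || !slices.Contains(sc.Capabilities.Drop, "ALL")},
			{"no-resource-limits", len(c.Resources.Limits) == 0},
			{"image-not-digest-pinned", !strings.Contains(c.Image, "@sha256:")},
		})
	}
	return fails, nil
}

// Constructed manifests: a typical "it runs" pod and its hardened form (the digest is a dummy).
const weakPod = `{"apiVersion":"v1","kind":"Pod","metadata":{"name":"demo"},"spec":{"hostPID":true,
 "containers":[{"name":"app","image":"nginx:latest","securityContext":{"privileged":true},"resources":{}}]}}`

const hardenedPod = `{"apiVersion":"v1","kind":"Pod","metadata":{"name":"demo"},"spec":{"automountServiceAccountToken":false,
 "containers":[{"name":"app","image":"nginx:1.27@sha256:0000000000000000000000000000000000000000000000000000000000000000",
 "securityContext":{"privileged":false,"allowPrivilegeEscalation":false,"runAsNonRoot":true,"readOnlyRootFilesystem":true,
 "capabilities":{"drop":["ALL"]}},"resources":{"limits":{"cpu":"500m","memory":"256Mi"}}}]}}`

func main() {
	for _, m := range []string{weakPod, hardenedPod} {
		fails, err := Audit([]byte(m))
		fmt.Println(len(fails), "failed:", fails, err)
	}
}
```

The pointer fields are the important detail: `allowPrivilegeEscalation` and `automountServiceAccountToken` default to true in Kubernetes, so a manifest that simply omits them is as exposed as one that sets them, and the checks treat nil and true the same way. The weak pod fails nine controls; the hardened pod passes all of them.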
## License
This project is licensed under the BSD License. See [LICENSE](LICENSE) for details.