https://github.com/owasp/docksec
AI-Powered Docker Security Analyzer
Last synced: 29 days ago
- Host: GitHub
- URL: https://github.com/owasp/docksec
- Owner: OWASP
- License: mit
- Created: 2025-02-15T02:49:30.000Z (over 1 year ago)
- Default Branch: main
- Last Pushed: 2026-05-14T16:49:41.000Z (about 1 month ago)
- Last Synced: 2026-05-14T18:35:22.396Z (about 1 month ago)
- Language: Python
- Size: 29 MB
- Stars: 180
- Watchers: 3
- Forks: 51
- Open Issues: 26
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- Funding: .github/FUNDING.yml
- License: LICENSE
- Code of conduct: CODE_OF_CONDUCT.md
- Security: docs/SECURITY.md
README


# [DockSec](https://owasp.org/DockSec/)
**AI-powered Docker security scanner that explains vulnerabilities in plain English**
---
## What is DockSec?
DockSec is an **OWASP Incubator Project** that bridges the gap between complex security scan results and actionable developer fixes. It integrates industry-standard scanners (Trivy, Hadolint, Docker Scout) with advanced AI to provide **context-aware security analysis**.
Instead of overwhelming you with a list of 200+ CVEs, DockSec:
- **Prioritizes** what actually affects your specific container setup.
- **Explains** vulnerabilities in plain English, not just security jargon.
- **Suggests** specific, line-by-line fixes for your Dockerfile.
- **Generates** professional, interactive security reports for your team.
Think of it as having a security expert sitting right next to you, reviewing your Dockerfiles in real-time.
---
## How It Works
*Figure: DockSec workflow, from scanning to actionable insights.*
DockSec follows a robust four-stage pipeline:
1. **Scan**: Runs Trivy, Hadolint, and Docker Scout locally on your environment.
2. **Analyze**: AI correlates findings across all scanners to remove noise and assess real-world impact.
3. **Recommend**: Generates human-readable explanations and specific remediation steps.
4. **Report**: Exports actionable results in JSON, PDF, HTML, or Markdown formats.
---
## Leaders
DockSec is led by a dedicated team committed to making container security accessible.
- [Advait Patel](https://github.com/advaitpatel) - Project Lead
For questions or discussions, please join the [#project-docksec](https://owasp.slack.com/archives/C0APXGCUW7M) channel on OWASP Slack.
---
## Quick Start
### GitHub Action
Integrate DockSec into your GitHub Actions workflow:
```yaml
- name: Run DockSec AI Scanner
  uses: OWASP/DockSec@main
  with:
    dockerfile: 'Dockerfile'
    openai_api_key: ${{ secrets.OPENAI_API_KEY }}
```
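A complete workflow file built around that step, added here as an example rather than taken from the project: the file name, triggers, read-only `permissions` block and the `actions/checkout@v4` step are assumptions; only the `dockerfile` and `openai_api_key` inputs come from the snippet above.

```yaml
# .github/workflows/docksec.yml (example; file name and triggers are assumptions)
name: DockSec scan

on:
  pull_request:
    paths:
      - 'Dockerfile'
      - '.github/workflows/docksec.yml'
  push:
    branches: [main]

# Least privilege: the scanner only needs to read repository contents.
permissions:
  contents: read

jobs:
  docksec:
    runs-on: ubuntu-latest
    steps:
      - name: Check out the repository so the Dockerfile is on disk
        uses: actions/checkout@v4

      - name: Run DockSec AI Scanner
        uses: OWASP/DockSec@main
        with:
          dockerfile: 'Dockerfile'
          # The key lives in the repository's encrypted secrets, never in the workflow file.
          openai_api_key: ${{ secrets.OPENAI_API_KEY }}
```

Pinning the action to a release tag or commit SHA instead of `@main` is the usual supply-chain hardening for third-party actions; `@main` is kept here only because the project's own snippet uses it.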
### CLI Usage
```bash
# Install DockSec
pip install docksec
# Scan a Dockerfile (AI-powered)
# Reports will be saved to ~/.docksec/results/
docksec Dockerfile
# Scan Dockerfile + Docker image
docksec Dockerfile -i myapp:latest
# Scan only a Docker image
docksec --image-only -i myapp:latest
# Fast scan only (no AI)
docksec Dockerfile --scan-only
```
---
## Features
- **Smart Analysis**: AI explains what vulnerabilities mean for *your* specific setup.
- **Multi-LLM Support**: Use OpenAI, Anthropic Claude (4.x), Google Gemini (1.5+), or local models via Ollama.
- **Deep Integration**: Combines Trivy (vulnerabilities), Hadolint (linting), and Docker Scout.
- **Security Scoring**: Get a 0-100 score to track your security posture over time.
- **Centralized Reporting**: All reports are neatly organized in `~/.docksec/results/` by default.
- **Rich Formats**: Professional exports in HTML (interactive), PDF, JSON, and CSV.
- **CI/CD Ready**: Designed for easy integration into GitHub Actions and build pipelines.
- **GitHub Action**: Available on the GitHub Marketplace for automated security scans.
---
## Contributing
DockSec thrives on community contributions. Whether you are a developer, designer, or security enthusiast, there are many ways to get involved:
- **Code Contributions**: Fix bugs or add new features.
- **Documentation**: Improve guides or create tutorials.
- **Issue Reporting**: Identify and report bugs.
- **Feedback**: Share your experience and suggestions.
To get started, check out our [Contributing Guidelines](CONTRIBUTING.md), [Code of Conduct](CODE_OF_CONDUCT.md), and [Sponsorship Guide](SPONSORSHIP.md).
---
## Community and Social Media
- **OWASP Project Page**: [owasp.org/DockSec/](https://owasp.org/DockSec/)
- **OWASP Slack**: [#project-docksec](https://owasp.slack.com/archives/C0APXGCUW7M)
- **PyPI**: [pypi.org/project/docksec/](https://pypi.org/project/docksec/)
- **Issues**: [Report a bug](https://github.com/OWASP/DockSec/issues)
---
If DockSec helps you, give it a ⭐ to help others discover it!
Built with ❤️ by Advait Patel and the OWASP community.