
By Daniel Garcia (cr0hn) | GitHub | Website
Features • Installation • Quick Start • Documentation • Use Cases • What's New • Contributing
DockerScan v2.0 is a next-generation security scanner for Docker containers and images, completely rewritten in Go. It combines multiple security scanning techniques based on the latest 2024-2025 research, industry standards (CIS Benchmark, NIST SP 800-190), and real-world attack patterns discovered in production environments.
Complete compliance checking with 80+ automated controls: - ✅ Host configuration security (13 checks) - ✅ Docker daemon hardening (18 checks) - ✅ File & directory permissions (9 checks) - ✅ Container image best practices (13 checks) - ✅ Runtime security validation (31+ checks) - ✅ Security operations compliance
Based on real 2024 attack campaigns: - ✅ Imageless Container Detection - Identifies malicious containers with no actual layers (4M+ found on Docker Hub) - ✅ Cryptocurrency Miner Detection - Detects mining malware (120K+ malicious image pulls detected) - ✅ Backdoored Library Detection - Catches compromised dependencies (xz-utils, liblzma incidents) - ✅ Image Signature Verification - Validates signatures using Notary/Cosign - ✅ Phishing Content Detection - Scans documentation for social engineering - ✅ Malicious Network Destinations - Identifies C2 servers, mining pools, Tor nodes
40+ secret patterns including modern APIs (2024 update): - ✅ Cloud Providers: AWS, GCP, Azure credentials - ✅ Version Control: GitHub, GitLab, Bitbucket tokens - ✅ AI/ML APIs: OpenAI, Anthropic, Hugging Face keys - ✅ Payment: Stripe, PayPal, Square keys - ✅ Communication: Slack, SendGrid, Twilio, Mailchimp - ✅ Authentication: JWT tokens, OAuth tokens - ✅ Crypto: Private keys (RSA, SSH, PGP, EC, DSA), certificates - ✅ Databases: PostgreSQL, MySQL, MongoDB connection strings - ✅ Docker: Registry authentication tokens - ✅ Entropy Analysis: Shannon entropy calculation for unknown secrets (>4.5 threshold)
Critical 2024-2025 CVE detection: - ✅ CVE-2024-21626 - runc container escape (CVSS 8.6) - ✅ CVE-2024-23651 - BuildKit cache poisoning RCE (CVSS 9.1) - ✅ CVE-2024-23652 - BuildKit race condition (CVSS 7.5) - ✅ CVE-2024-23653 - BuildKit privilege escalation - ✅ CVE-2024-8695/8696 - Docker Desktop RCE (CVSS 8.8) - ✅ CVE-2025-9074 - Docker Desktop local access vulnerability - ✅ End-of-life base image detection - ✅ Known vulnerable package scanning
Container runtime hardening checks: - ✅ Linux Capabilities Auditing - Detects dangerous capabilities (CAP_SYS_ADMIN, CAP_NET_ADMIN, etc.) - ✅ Seccomp Profile Validation - Ensures syscall filtering is enabled - ✅ AppArmor/SELinux Checks - Mandatory access control verification - ✅ Privileged Container Detection - Identifies containers with full host access - ✅ Namespace Isolation - PID, IPC, network, user namespace checks - ✅ Container Escape Indicators - Detects common escape techniques
DockerScan v2.0 is a complete rewrite from the ground up. Here's what changed from v1.x:
| Feature | v1.x (Python) | v2.0 (Go) |
|---|---|---|
| Language | Python 3.5+ | Go 1.21+ |
| Performance | ~500 images/hour | ~5000 images/hour |
| Memory Usage | 200-500 MB | 50-100 MB |
| Distribution | pip install + deps | Single binary |
| Security Scanners | 2 modules | 5 modules |
| CIS Benchmark | Partial | Full v1.7.0 (80+ checks) |
| Supply Chain | ❌ Not available | ✅ Based on 2024 research |
| Secret Patterns | 10 patterns | 40+ patterns |
| CVE Detection | Basic | 2024-2025 CVEs |
| Runtime Security | ❌ Not available | ✅ Full capabilities audit |
| SARIF Output | ❌ Not available | ✅ Full support |
| CI/CD Integration | Manual | Native (exit codes, SARIF) |
--from-file flag - Install CVE database from local file (offline/air-gapped)-q) - Suppress banner for CI/CD pipelinesPre-compiled binaries are automatically built and released via GitHub Actions for every version tag.
Supported Platforms: - Linux: amd64, arm64, 386 - macOS: amd64 (Intel), arm64 (Apple Silicon) - Windows: amd64, arm64, 386 - FreeBSD: amd64
curl -L https://github.com/cr0hn/dockerscan/releases/latest/download/dockerscan-linux-amd64 -o dockerscan
chmod +x dockerscan
sudo mv dockerscan /usr/local/bin/
curl -L https://github.com/cr0hn/dockerscan/releases/latest/download/dockerscan-linux-arm64 -o dockerscan
chmod +x dockerscan
sudo mv dockerscan /usr/local/bin/
curl -L https://github.com/cr0hn/dockerscan/releases/latest/download/dockerscan-darwin-amd64 -o dockerscan
chmod +x dockerscan
sudo mv dockerscan /usr/local/bin/
curl -L https://github.com/cr0hn/dockerscan/releases/latest/download/dockerscan-darwin-arm64 -o dockerscan
chmod +x dockerscan
sudo mv dockerscan /usr/local/bin/
Invoke-WebRequest -Uri "https://github.com/cr0hn/dockerscan/releases/latest/download/dockerscan-windows-amd64.exe" -OutFile "dockerscan.exe"
# Download checksums
curl -L https://github.com/cr0hn/dockerscan/releases/latest/download/checksums.txt -o checksums.txt
# Verify (Linux/macOS)
sha256sum -c checksums.txt --ignore-missing
# Clone repository
git clone https://github.com/cr0hn/dockerscan
cd dockerscan/dockerscan-v2
# Build
make build
# Install
sudo make install
# Or build manually
go build -o bin/dockerscan ./cmd/dockerscan
go install github.com/cr0hn/dockerscan/v2/cmd/dockerscan@latest
Before scanning, download the CVE database (updated daily, ~30MB compressed):
# Download latest CVE database from GitHub
dockerscan update-db
Tip: The database is updated daily via GitHub Actions. Run
update-dbperiodically to get the latest CVE data.
# Scan a Docker image
dockerscan nginx:latest
# Scan with specific scanners
dockerscan --scanners cis,secrets ubuntu:22.04
# Scan and save reports
dockerscan alpine:latest --output /tmp/reports
# Quiet mode (suppress banner)
dockerscan -q nginx:latest
╔══════════════════════════════════════════════════════════════════════════╗
║ ██████╗ ██████╗ ██████╗██╗ ██╗███████╗██████╗ ███████╗ ██████╗ █████╗ ███╗ ██╗
║ ██╔══██╗██╔═══██╗██╔════╝██║ ██╔╝██╔════╝██╔══██╗██╔════╝██╔════╝██╔══██╗████╗ ██║
║ ██║ ██║██║ ██║██║ █████╔╝ █████╗ ██████╔╝███████╗██║ ███████║██╔██╗ ██║
║ ██║ ██║██║ ██║██║ ██╔═██╗ ██╔══╝ ██╔══██╗╚════██║██║ ██╔══██║██║╚██╗██║
║ ██████╔╝╚██████╔╝╚██████╗██║ ██╗███████╗██║ ██║███████║╚██████╗██║ ██║██║ ╚████║
║ ║
║ Advanced Docker Security Scanner v2.0.0 ║
║ ║
║ Author: Daniel Garcia (cr0hn) ║
║ Website: https://cr0hn.com ║
╚══════════════════════════════════════════════════════════════════════════════════════╝
🔍 Scanning image: nginx:latest
═══════════════════════════════════════════════════════════════════
SCAN RESULTS
═══════════════════════════════════════════════════════════════════
📊 Summary:
Total Findings: 47
Duration: 2.3s
🔴 By Severity:
Critical: 8
High: 15
Medium: 18
Low: 6
📁 By Category:
CIS-Benchmark: 12
Secrets: 8
Supply-Chain: 5
Vulnerability: 10
Runtime-Security: 12
📄 JSON report saved to: dockerscan-report.json
📄 SARIF report saved to: dockerscan-report.sarif
```bash
dockerscan [COMMAND] [OPTIONS]
Commands: scan Scan a Docker image (default) update-db Download or update the CVE database Options: --from-file
Options: -h, --help Show help message -v, --version Show version -q, --quiet Suppress banner output (quiet mode) --scanners SCANNERS Comma-separated list of scanners to run (default: all) Options: cis,secrets,supplychain,vulnerabilities,runtime --output DIR Output directory for reports (default: .) --only-critical Show only critical/high severity findings --verbose Verbose output
Authent
$ claude mcp add dockerscan \
-- python -m otcore.mcp_server <graph>