MCPcopy Index your code
hub / github.com/cr0hn/dockerscan

github.com/cr0hn/dockerscan @v2.0.6

Chat with this repo
repository ↗ · DeepWiki ↗ · release v2.0.6 ↗ · + Follow
378 symbols 1,133 edges 38 files 239 documented · 63% updated 1d agov2.0.6 · 2026-06-11★ 1,6375 open issues
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

DockerScan Logo

DockerScan v2.0

The Most Comprehensive Docker Security Scanner

License Go Version Version CI/CD Test Coverage Go Report Card Downloads

By Daniel Garcia (cr0hn) | GitHub | Website


FeaturesInstallationQuick StartDocumentationUse CasesWhat's NewContributing


📑 Table of Contents


🎯 Overview

DockerScan v2.0 is a next-generation security scanner for Docker containers and images, completely rewritten in Go. It combines multiple security scanning techniques based on the latest 2024-2025 research, industry standards (CIS Benchmark, NIST SP 800-190), and real-world attack patterns discovered in production environments.

Why DockerScan v2.0?

  • Most Comprehensive: Combines 5+ security scanning techniques in one tool
  • Latest Research: Based on 2024-2025 supply chain attacks and CVEs
  • Production Ready: SARIF output for CI/CD, exit codes for automation
  • Blazing Fast: Written in Go with concurrent scanning
  • Extensible: Plugin architecture for custom scanners
  • Free & Open Source: BSD-3 license

🌟 Features

🛡️ Security Scanning Modules

1. CIS Docker Benchmark v1.7.0

Complete compliance checking with 80+ automated controls: - ✅ Host configuration security (13 checks) - ✅ Docker daemon hardening (18 checks) - ✅ File & directory permissions (9 checks) - ✅ Container image best practices (13 checks) - ✅ Runtime security validation (31+ checks) - ✅ Security operations compliance

2. Supply Chain Attack Detection 🆕

Based on real 2024 attack campaigns: - ✅ Imageless Container Detection - Identifies malicious containers with no actual layers (4M+ found on Docker Hub) - ✅ Cryptocurrency Miner Detection - Detects mining malware (120K+ malicious image pulls detected) - ✅ Backdoored Library Detection - Catches compromised dependencies (xz-utils, liblzma incidents) - ✅ Image Signature Verification - Validates signatures using Notary/Cosign - ✅ Phishing Content Detection - Scans documentation for social engineering - ✅ Malicious Network Destinations - Identifies C2 servers, mining pools, Tor nodes

3. Advanced Secrets Detection 🔑

40+ secret patterns including modern APIs (2024 update): - ✅ Cloud Providers: AWS, GCP, Azure credentials - ✅ Version Control: GitHub, GitLab, Bitbucket tokens - ✅ AI/ML APIs: OpenAI, Anthropic, Hugging Face keys - ✅ Payment: Stripe, PayPal, Square keys - ✅ Communication: Slack, SendGrid, Twilio, Mailchimp - ✅ Authentication: JWT tokens, OAuth tokens - ✅ Crypto: Private keys (RSA, SSH, PGP, EC, DSA), certificates - ✅ Databases: PostgreSQL, MySQL, MongoDB connection strings - ✅ Docker: Registry authentication tokens - ✅ Entropy Analysis: Shannon entropy calculation for unknown secrets (>4.5 threshold)

4. CVE & Vulnerability Scanning 🚨

Critical 2024-2025 CVE detection: - ✅ CVE-2024-21626 - runc container escape (CVSS 8.6) - ✅ CVE-2024-23651 - BuildKit cache poisoning RCE (CVSS 9.1) - ✅ CVE-2024-23652 - BuildKit race condition (CVSS 7.5) - ✅ CVE-2024-23653 - BuildKit privilege escalation - ✅ CVE-2024-8695/8696 - Docker Desktop RCE (CVSS 8.8) - ✅ CVE-2025-9074 - Docker Desktop local access vulnerability - ✅ End-of-life base image detection - ✅ Known vulnerable package scanning

5. Runtime Security Analysis ⚙️

Container runtime hardening checks: - ✅ Linux Capabilities Auditing - Detects dangerous capabilities (CAP_SYS_ADMIN, CAP_NET_ADMIN, etc.) - ✅ Seccomp Profile Validation - Ensures syscall filtering is enabled - ✅ AppArmor/SELinux Checks - Mandatory access control verification - ✅ Privileged Container Detection - Identifies containers with full host access - ✅ Namespace Isolation - PID, IPC, network, user namespace checks - ✅ Container Escape Indicators - Detects common escape techniques

📊 Reporting & Integration

  • JSON - Machine-readable output for automation
  • SARIF - Native integration with:
  • GitHub Security tab
  • Azure DevOps
  • VS Code extensions
  • GitLab security dashboards
  • Beautiful CLI - Color-coded severity levels with emojis
  • Exit Codes - CI/CD friendly (0=clean, 1=warnings, 2=critical)

🚀 Performance

  • 10x Faster than Python alternatives
  • 🔄 Concurrent Scanning with Go goroutines
  • 💾 Low Memory footprint (~50-100MB)
  • 📦 Single Binary - No dependencies

🆕 What's New in v2.0?

DockerScan v2.0 is a complete rewrite from the ground up. Here's what changed from v1.x:

Major Changes

Feature v1.x (Python) v2.0 (Go)
Language Python 3.5+ Go 1.21+
Performance ~500 images/hour ~5000 images/hour
Memory Usage 200-500 MB 50-100 MB
Distribution pip install + deps Single binary
Security Scanners 2 modules 5 modules
CIS Benchmark Partial Full v1.7.0 (80+ checks)
Supply Chain ❌ Not available ✅ Based on 2024 research
Secret Patterns 10 patterns 40+ patterns
CVE Detection Basic 2024-2025 CVEs
Runtime Security ❌ Not available ✅ Full capabilities audit
SARIF Output ❌ Not available ✅ Full support
CI/CD Integration Manual Native (exit codes, SARIF)

What's Preserved from v1.x

  • Offensive Tools - Image trojanization capabilities (coming soon in v2.1)
  • Registry Operations - Push, pull, delete operations (coming soon in v2.1)
  • Network Scanning - Docker registry discovery (coming soon in v2.1)

New in v2.0.5 🔐

  • 🔑 Private Registry Authentication - Full support for scanning images from private registries (fixes #24)
  • 🌐 Multi-Registry Support - Docker Hub, GHCR, ECR, GCR, ACR, GitLab, and self-hosted registries
  • 🔐 Multiple Auth Methods - Environment variables (CI/CD), CLI flags (testing), Docker config file (seamless)
  • 🎯 Smart Auth Priority - CLI flags > ENV vars > Docker config (automatic selection)
  • 📝 Enhanced Error Messages - Registry-specific hints (ECR token expiration, rate limits, certificates)
  • 🧪 Comprehensive Testing - 64 test cases, 91.2% coverage, tested with real private registry
  • 📚 Complete Documentation - Examples for all major cloud registries and authentication methods

New in v2.0.4

  • 🗄️ CVE Database Integration - Local SQLite database with NVD data (2.5 years of CVEs)
  • 🔄 Daily Auto-Updates - GitHub Action updates the CVE database every day
  • Parallel CVE Downloads - 4 workers for faster database builds (nvd2sqlite)
  • 🔁 Retry with Backoff - Automatic retry for rate-limited NVD API requests
  • 📦 --from-file flag - Install CVE database from local file (offline/air-gapped)
  • 🔇 Quiet mode (-q) - Suppress banner for CI/CD pipelines
  • 🧹 Reduced false positives - Improved secrets detection with entropy filtering

Why the Rewrite?

  1. Performance - Go provides 10x faster scanning with goroutines
  2. Modern Threats - Incorporates 2024-2025 attack patterns
  3. Enterprise Ready - SARIF output, exit codes, single binary distribution
  4. Extensibility - Clean plugin architecture for custom scanners
  5. Maintainability - Type safety, better error handling, easier to contribute

📦 Installation

Option 1: Download Pre-built Binary (Recommended)

Pre-compiled binaries are automatically built and released via GitHub Actions for every version tag.

Supported Platforms: - Linux: amd64, arm64, 386 - macOS: amd64 (Intel), arm64 (Apple Silicon) - Windows: amd64, arm64, 386 - FreeBSD: amd64

Linux (amd64)

curl -L https://github.com/cr0hn/dockerscan/releases/latest/download/dockerscan-linux-amd64 -o dockerscan
chmod +x dockerscan
sudo mv dockerscan /usr/local/bin/

Linux (arm64)

curl -L https://github.com/cr0hn/dockerscan/releases/latest/download/dockerscan-linux-arm64 -o dockerscan
chmod +x dockerscan
sudo mv dockerscan /usr/local/bin/

macOS (Intel)

curl -L https://github.com/cr0hn/dockerscan/releases/latest/download/dockerscan-darwin-amd64 -o dockerscan
chmod +x dockerscan
sudo mv dockerscan /usr/local/bin/

macOS (Apple Silicon)

curl -L https://github.com/cr0hn/dockerscan/releases/latest/download/dockerscan-darwin-arm64 -o dockerscan
chmod +x dockerscan
sudo mv dockerscan /usr/local/bin/

Windows (PowerShell)

Invoke-WebRequest -Uri "https://github.com/cr0hn/dockerscan/releases/latest/download/dockerscan-windows-amd64.exe" -OutFile "dockerscan.exe"

Verify Download (Optional but Recommended)

# Download checksums
curl -L https://github.com/cr0hn/dockerscan/releases/latest/download/checksums.txt -o checksums.txt

# Verify (Linux/macOS)
sha256sum -c checksums.txt --ignore-missing

Option 2: Build from Source

# Clone repository
git clone https://github.com/cr0hn/dockerscan
cd dockerscan/dockerscan-v2

# Build
make build

# Install
sudo make install

# Or build manually
go build -o bin/dockerscan ./cmd/dockerscan

Option 3: Go Install

go install github.com/cr0hn/dockerscan/v2/cmd/dockerscan@latest

🚀 Quick Start

First-Time Setup

Before scanning, download the CVE database (updated daily, ~30MB compressed):

# Download latest CVE database from GitHub
dockerscan update-db

Tip: The database is updated daily via GitHub Actions. Run update-db periodically to get the latest CVE data.

Basic Scan

# Scan a Docker image
dockerscan nginx:latest

# Scan with specific scanners
dockerscan --scanners cis,secrets ubuntu:22.04

# Scan and save reports
dockerscan alpine:latest --output /tmp/reports

# Quiet mode (suppress banner)
dockerscan -q nginx:latest

Example Output

╔══════════════════════════════════════════════════════════════════════════╗
║   ██████╗  ██████╗  ██████╗██╗  ██╗███████╗██████╗ ███████╗ ██████╗ █████╗ ███╗   ██╗
║   ██╔══██╗██╔═══██╗██╔════╝██║ ██╔╝██╔════╝██╔══██╗██╔════╝██╔════╝██╔══██╗████╗  ██║
║   ██║  ██║██║   ██║██║     █████╔╝ █████╗  ██████╔╝███████╗██║     ███████║██╔██╗ ██║
║   ██║  ██║██║   ██║██║     ██╔═██╗ ██╔══╝  ██╔══██╗╚════██║██║     ██╔══██║██║╚██╗██║
║   ██████╔╝╚██████╔╝╚██████╗██║  ██╗███████╗██║  ██║███████║╚██████╗██║  ██║██║ ╚████║
║                                                                                        ║
║                Advanced Docker Security Scanner v2.0.0                                ║
║                                                                                        ║
║   Author:     Daniel Garcia (cr0hn)                                                   ║
║   Website:    https://cr0hn.com                                                       ║
╚══════════════════════════════════════════════════════════════════════════════════════╝

🔍 Scanning image: nginx:latest

═══════════════════════════════════════════════════════════════════
                         SCAN RESULTS
═══════════════════════════════════════════════════════════════════

📊 Summary:
   Total Findings: 47
   Duration: 2.3s

🔴 By Severity:
   Critical: 8
   High:     15
   Medium:   18
   Low:      6

📁 By Category:
   CIS-Benchmark:      12
   Secrets:            8
   Supply-Chain:       5
   Vulnerability:      10
   Runtime-Security:   12

📄 JSON report saved to: dockerscan-report.json
📄 SARIF report saved to: dockerscan-report.sarif

📖 Usage

Command Line Options

```bash dockerscan [COMMAND] [OPTIONS]

Commands: scan Scan a Docker image (default) update-db Download or update the CVE database Options: --from-file

Options: -h, --help Show help message -v, --version Show version -q, --quiet Suppress banner output (quiet mode) --scanners SCANNERS Comma-separated list of scanners to run (default: all) Options: cis,secrets,supplychain,vulnerabilities,runtime --output DIR Output directory for reports (default: .) --only-critical Show only critical/high severity findings --verbose Verbose output

Authent

Extension points exported contracts — how you extend this code

Scanner (Interface)
Scanner is the interface that all security scanners must implement This makes the system highly extensible - new scanner
internal/scanner/scanner.go

Core symbols most depended-on inside this repo

Close
called by 34
internal/cvedb/db.go
Name
called by 18
internal/scanner/scanner.go
NewBaseScanner
called by 15
internal/scanner/scanner.go
NewRuntimeScanner
called by 15
internal/scanner/runtime/runtime.go
Verbose
called by 14
internal/logger/logger.go
Debug
called by 14
internal/logger/logger.go
hasFlag
called by 14
cmd/dockerscan/main.go
Register
called by 13
internal/scanner/scanner.go

Shape

Function 194
Method 117
Struct 65
Interface 1
TypeAlias 1

Languages

Go100%

Modules by API surface

pkg/docker/client.go34 symbols
internal/scanner/cis/cis.go22 symbols
internal/report/sarif.go19 symbols
internal/scanner/vulnerabilities/vulnerabilities.go18 symbols
cmd/dockerscan/main.go18 symbols
internal/scanner/scanner.go16 symbols
cmd/nvd2sqlite/main.go16 symbols
internal/scanner/runtime/runtime_test.go15 symbols
internal/scanner/runtime/runtime.go14 symbols
pkg/auth/auth.go13 symbols
internal/scanner/supplychain/supplychain_test.go13 symbols
internal/scanner/secrets/secrets_test.go13 symbols

Datastores touched

(mongodb)Database · 1 repos
(mysql)Database · 1 repos
mydbDatabase · 1 repos
mydbDatabase · 1 repos
mydbDatabase · 1 repos

For agents

$ claude mcp add dockerscan \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact

Ask about this repo answers extend the page