Docker security audit CLI that checks containers, images, and Dockerfiles against CIS Docker Benchmark v1.6.0.
This is a quick overview; security theory, architecture, and full walkthroughs are in the learn modules.
- Scans running containers, images, Dockerfiles, and compose files for misconfigurations
- Checks against CIS Docker Benchmark v1.6.0 with severity scoring
- Detects privileged containers, dangerous capabilities, socket mounts, and namespace sharing
- Outputs terminal (colored), JSON, SARIF (GitHub Security tab), and JUnit formats
- Supports severity filtering and fail-on-critical for CI/CD pipelines
- Validates AppArmor/seccomp profiles, resource limits, and user namespace remapping
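To make the detection bullet above concrete, here is an added example (not docksec's own code) that flags privileged mode, dangerous capabilities, Docker socket mounts, and host namespace sharing in `docker inspect` JSON. The `Audit` function, the capability list, the severity labels, and the sample input are assumptions made for illustration.

```go
package main
import (
	"encoding/json"
	"fmt"
	"strings"
)

// container is the subset of `docker inspect` output these checks read.
type container struct {
	Name       string
	HostConfig struct {
		Privileged                    bool
		CapAdd                        []string
		PidMode, IpcMode, NetworkMode string
	}
	Mounts []struct{ Source string }
}
var riskyCaps = map[string]bool{"ALL": true, "SYS_ADMIN": true, "SYS_PTRACE": true, "SYS_MODULE": true} // illustrative selection (assumption)
// sample is constructed input shaped like `docker inspect` output.
const sample = `[{"Name":"/web","HostConfig":{"CapAdd":["NET_BIND_SERVICE"],"NetworkMode":"bridge"}},
{"Name":"/ci-agent","HostConfig":{"Privileged":true,"CapAdd":["CAP_SYS_ADMIN"],"PidMode":"host"},"Mounts":[{"Source":"/var/run/docker.sock"}]}]`
// Audit returns one "SEVERITY name: issue" line per misconfiguration.
// The severity labels are assumptions, not docksec's scoring.
func Audit(inspectJSON []byte) ([]string, error) {
	var cs []container
	if err := json.Unmarshal(inspectJSON, &cs); err != nil {
		return nil, err
	}
	var out []string
	for _, c := range cs {
		add := func(sev, msg string) { out = append(out, sev+" "+c.Name+": "+msg) }
		if c.HostConfig.Privileged {
			add("CRITICAL", "privileged mode")
		}
		for _, cp := range c.HostConfig.CapAdd { // accept both SYS_ADMIN and CAP_SYS_ADMIN
			if riskyCaps[strings.TrimPrefix(strings.ToUpper(cp), "CAP_")] {
				add("HIGH", "dangerous capability "+cp)
			}
		}
		for _, m := range c.Mounts {
			if strings.HasSuffix(m.Source, "docker.sock") {
				add("CRITICAL", "Docker socket mounted")
			}
		}
		if c.HostConfig.PidMode == "host" || c.HostConfig.IpcMode == "host" || c.HostConfig.NetworkMode == "host" {
			add("HIGH", "shares a host namespace")
		}
	}
	return out, nil
}
func main() { fmt.Println(Audit([]byte(sample))) }
```
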
```bash
go install github.com/CarterPerez-dev/docksec/cmd/docksec@latest
docksec scan
```

Tip: This project uses `just` as a command runner. Type `just` to see all available commands.

Install: `curl -sSf https://just.systems/install.sh | bash -s -- --to ~/.local/bin`
```bash
docksec scan                                   # scan all targets with colored output
docksec scan --format sarif -o results.sarif   # export SARIF for GitHub Security tab
docksec scan --severity critical,high          # filter by severity
docksec scan --fail-on critical                # exit non-zero for CI pipelines
```

This project includes step-by-step learning materials covering security theory, architecture, and implementation.
| Module | Topic |
|---|---|
| 00 - Overview | Prerequisites and quick start |
| 01 - Concepts | Security theory and real-world breaches |
| 02 - Architecture | System design and data flow |
| 03 - Implementation | Code walkthrough |
| 04 - Challenges | Extension ideas and exercises |
AGPL 3.0