Run Trivy on a fresh Node.js image and you will get 847 vulnerabilities. Most teams glance at the list, note that half are labeled “CRITICAL,” and ship anyway — not because they are reckless, but because there is no straight line from a CVE ID to a changed line in a Dockerfile. DockSec, now an official OWASP Incubator Project, is built specifically around that gap. It orchestrates three scanners, runs an LLM over the combined results, and hands you a 0-100 security score with line-specific fixes written in plain English.
The Problem DockSec Is Solving #
Scanner fatigue is not a developer failing — it is a tool design failure. Research consistently shows that 87% of production container images contain critical or high CVEs, but only about 15% of those are in packages that ever load at runtime. The realistic fix list is far shorter than any raw scan output suggests, yet most tools do not make that distinction. One security engineer described it directly: “DockSec targets the gap between ‘scanner found something’ and ‘developer fixes it’ — which is where most container vulnerabilities go to die.”
Trivy, Grype, and Docker Scout are excellent at finding things. They are not built to help you fix them. DockSec treats finding as table stakes and remediation as the actual product.
How DockSec Works #
DockSec runs three tools in sequence against your Dockerfile and image: Trivy (OS packages and language dependency CVEs), Hadolint (Dockerfile best-practice linting), and Docker Scout (vulnerability database cross-reference). The combined output goes to an LLM — critically, only the scan metadata, not your image or source code — which correlates findings across all three engines, removes duplicates, and ranks by real-world impact.
The result is not another flat CVE list. It is a ranked set of issues with “Why it matters” context and exact Dockerfile fixes at the line level. A typical scan output looks like this:
Security Score: 42/100
Critical Issues:
[Dockerfile line 8] Running as root user
Why it matters: A compromised container process inherits root on the host
Fix: RUN useradd -m appuser && USER appuser
[Dockerfile line 3] Vulnerable base image (ubuntu:20.04 — 127 known CVEs)
Fix: FROM ubuntu:22.04
Full report: myapp_report.html
That is actionable in a way that a 200-line Trivy JSON dump is not.
Getting Started #
Installation is one line:
pip install docksec
The recommended scan combines a Dockerfile with a built image:
docksec Dockerfile -i myapp:latest
If you want to scan an image without a Dockerfile, or a Dockerfile alone, both work as standalone commands. Full options are on the PyPI page. DockSec requires Python 3.12 or later.
LLM Options, Including Fully Offline #
DockSec supports four LLM backends: OpenAI, Anthropic, Google Gemini, and Ollama for local inference. For teams in regulated environments or with strict data residency requirements, the Ollama path means scan, analysis, and remediation all stay on your hardware — nothing leaves the network.
If you want to skip the LLM entirely, the --scan-only
flag runs all three scanners and produces the security score without any AI narrative. No API key required:
docksec Dockerfile --scan-only
The score and raw findings come through; the plain-English explanations do not. For a pipeline gate that just needs a pass/fail signal, that is enough.
Using DockSec as a CI/CD Gate #
DockSec returns standard exit codes, which means it drops cleanly into any pipeline. A GitHub Actions step looks like this:
- name: DockSec security scan
run: |
pip install docksec
docksec Dockerfile -i ${{ env.IMAGE }}:${{ github.sha }}
env:
ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
A non-zero exit code fails the workflow. DockSec is also available as a pre-built action on the GitHub Actions marketplace if you prefer not to wire it up manually.
Where DockSec Falls Short #
The tool is genuinely useful, but it does not do everything Snyk does. There are no automatic fix pull requests — DockSec tells you what to change; it does not open the PR for you. The 0-100 scoring algorithm is not publicly documented, so you cannot fully audit how the number is calculated. With around 187 GitHub stars compared to Trivy’s 20,000-plus, the community is small and the ecosystem around it is still early.
Python 3.12 is a hard requirement. If your build environment pins to an older version, that is a friction point worth knowing before you commit to integrating it.
Who Should Use It #
If you are running raw Trivy in CI and ignoring most of what it surfaces, DockSec is a direct quality upgrade. You get the same detection coverage plus a prioritized remediation plan. If you are already paying for Snyk Container and using its auto-fix PRs and reachability analysis, DockSec does not add enough to justify switching.
The sweet spot is teams that want guided container security without a commercial platform bill, or teams in regulated environments that need everything to stay on-premises. The OWASP governance also matters here: this is not a hobby project that disappears when the creator moves on. The project has institutional backing and a maintenance commitment behind it.
At 17,000 PyPI downloads and growing, DockSec is early but not experimental. It solves a problem that has been quietly frustrating container developers for years, and it does so with a single pip install
and no vendor lock-in.