
A minimal, production-ready security scanner for Docker & containers
Detect misconfigurations in Dockerfiles, docker-compose files, and running containers
The goal is to automate Docker security scanning so that misconfigurations are caught before they reach production. All checks are defined in pure Python with zero shell dependencies, talking to the Docker daemon through the Docker SDK directly. I did it this way so that security teams don't need to wrestle with complex security tooling to get a first pass over their Dockerfiles, compose files and running containers.
About the Developer
Professional Background
I'm an experienced security-focused full stack engineer with a passion for DevSecOps, container security, and automation. I believe the best judge of a developer is their code, and this scanner reflects my philosophy: security should be automated, fast, and easy to integrate. This Docker scanner project showcases practical security engineering: why manually review Docker configs when you can build systems that catch issues automatically? The entire scanning pipeline is designed for maximum efficiency and maintainability.
- Dockerfile Analysis: Detects `latest` or untagged base images, missing USER directives, sensitive ports, improper ADD usage, and missing health checks
- Docker Compose Analysis: Identifies containers running as root, missing resource limits, privileged mode, port exposure issues, and unpinned versions
- Runtime Analysis: Scans running containers for privilege escalation, resource limits, host network usage, and sensitive mount points
- Multiple Output Formats: Beautiful Rich tables or JSON for CI/CD integration
- Zero Dependencies on Shell Commands: Pure Python using Docker SDK
Installation

```bash
git clone https://github.com/yourusername/docker-scanner.git
cd docker-scanner
pip install -r requirements.txt
```

Or install the dependencies directly:

```bash
pip install docker pyyaml rich pytest
```

Usage

Scan a Dockerfile:

```bash
python src/main.py --dockerfile path/to/Dockerfile
```

Scan a docker-compose file:

```bash
python src/main.py --compose path/to/docker-compose.yml
```

Scan running containers (the runtime scan talks to the Docker daemon through the SDK, so it needs access to the daemon socket):

```bash
python src/main.py --runtime
```

Scan everything:

```bash
python src/main.py --dockerfile Dockerfile --compose docker-compose.yml --runtime
```

Output as JSON:

```bash
python src/main.py --dockerfile Dockerfile --json
```
Example Output

A Dockerfile scan prints a banner followed by the report table (box-drawing characters omitted here):

```text
Container Misconfiguration Scanner v1.0
Created by havoc

Misconfiguration Report
Severity | Check                  | Details
---------|------------------------|------------------------
HIGH     | Latest tag detected    | Line 1: FROM ubuntu
MEDIUM   | Missing USER directive | Container runs as root
LOW      | Missing HEALTHCHECK    | No health monitoring
```

Note that `FROM ubuntu` carries no tag at all; Docker resolves an untagged reference to `latest`, so it is reported under the same check as an explicit `ubuntu:latest`.

Exit Codes

- 0: No misconfigurations found
- 1: Misconfigurations detected or error occurred
CI/CD Examples

Use the JSON output in your CI pipeline and fail the job when the scanner returns non-zero:

```bash
python src/main.py --dockerfile Dockerfile --json > scan-results.json
if [ $? -ne 0 ]; then
  echo "Security issues detected!"
  exit 1
fi
```

Because exit code 1 is returned both for findings and for scanner errors, inspect scan-results.json on a failed job before assuming a misconfiguration was found.

GitHub Actions example:

```yaml
- name: Scan Docker Configuration
  run: |
    pip install -r requirements.txt
    python src/main.py --dockerfile Dockerfile --compose docker-compose.yml
```

Testing

Run the test suite:

```bash
pytest tests/ -v
```

All 37 tests cover:
- Dockerfile security checks
- Docker Compose configuration validation
- Container runtime analysis
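The CI snippets above treat any non-zero exit as a failure, which blocks on LOW findings and on scanner crashes alike. The script below is an added example (not part of the project) of a severity gate over the JSON output instead. It assumes, since the page does not document the JSON layout, that scan-results.json is either a list of finding dicts in the `{"severity", "check", "details"}` shape used by the custom-check templates, or a dict whose values are such lists; both are accepted. Its exit codes (0 clean, 1 blocking findings, 2 unreadable input) are its own, chosen so an empty or malformed results file is not mistaken for a clean scan.

```python
"""Severity gate for CI over the scanner's JSON output (added example, not project code).

Assumptions not stated on the page: the JSON is a list of finding dicts
({"severity", "check", "details"}) or a dict whose values are such lists.
Exit codes: 0 clean, 1 findings at/above threshold, 2 unreadable input.
"""
import json
import sys

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}


def flatten(payload) -> list[dict]:
    """Collect finding dicts from a list, or from every list nested inside a dict."""
    if isinstance(payload, list):
        return [f for f in payload if isinstance(f, dict)]
    if isinstance(payload, dict):
        out: list[dict] = []
        for value in payload.values():
            out.extend(flatten(value))
        return out
    return []


def evaluate(raw: str, threshold: str = "HIGH") -> tuple[int, list[dict]]:
    """Parse scanner JSON; return (exit code, findings at or above the threshold)."""
    try:
        payload = json.loads(raw)
    except json.JSONDecodeError:
        return 2, []  # empty or malformed output: the scan did not complete cleanly
    min_rank = SEVERITY_RANK[threshold.upper()]
    blocking = [
        f for f in flatten(payload)
        if SEVERITY_RANK.get(str(f.get("severity", "")).upper(), 0) >= min_rank
    ]
    return (1 if blocking else 0), blocking


def main(argv: list[str]) -> int:
    path = argv[1] if len(argv) > 1 else "scan-results.json"
    threshold = argv[2] if len(argv) > 2 else "HIGH"
    try:
        with open(path, encoding="utf-8") as fh:
            raw = fh.read()
    except OSError as exc:
        print(f"cannot read {path}: {exc}", file=sys.stderr)
        return 2
    code, blocking = evaluate(raw, threshold)
    if code == 2:
        print(f"{path} is not valid scanner JSON; treat the scan as failed", file=sys.stderr)
    for f in blocking:
        print(f"[{f.get('severity')}] {f.get('check')}: {f.get('details')}")
    return code


# Constructed sample output for the offline demo, not a real scan result.
SAMPLE_RESULTS = json.dumps([
    {"severity": "HIGH", "check": "Latest tag detected", "details": "Line 1: FROM ubuntu"},
    {"severity": "LOW", "check": "Missing HEALTHCHECK", "details": "No health monitoring"},
])

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In a pipeline, run the scanner with its exit status captured (for example `python src/main.py --dockerfile Dockerfile --json > scan-results.json || true`) and let `python ci_gate.py scan-results.json MEDIUM` decide the job outcome; the gate still fails the job, with exit 2, when the scanner produced no parseable output.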
Security Checks

Dockerfile checks:

- Latest tag usage detection
- Missing USER directive (root user)
- Sensitive port exposure (22, 3389, 5432, 3306, 6379, 27017, 9200)
- ADD vs COPY misuse
- Missing HEALTHCHECK directive

Docker Compose checks:

- Containers running as root
- Missing memory limits
- Missing CPU limits
- Privileged mode enabled
- Sensitive ports exposed
- Unpinned image versions

Runtime checks:

- Privileged containers
- Containers without resource limits
- Host network mode usage
- Sensitive host path mounts (/, /etc, /var/run/docker.sock, /proc, /sys)
Adding Custom Checks

Every check is a pure function that returns a list of finding dicts with `severity`, `check` and `details` keys; the scanner collects the findings from all registered checks and renders them in the report. In each template below, `condition_met` is a placeholder for your rule's own predicate.

Dockerfile checks: edit src/checks/dockerfile_checks.py and add a new function. It receives the Dockerfile as a list of lines:

```python
def check_new_rule(lines: list[str]) -> list[dict]:
    findings = []
    for i, line in enumerate(lines):
        # condition_met: placeholder for your rule's predicate on `line`
        if condition_met:
            findings.append({
                "severity": "HIGH",
                "check": "New rule name",
                "details": f"Line {i+1}: {line.strip()}"
            })
    return findings
```

Register the check in the DOCKERFILE_CHECKS list at the bottom of the file.

Docker Compose checks: edit src/checks/compose_checks.py and add a new function. It receives the parsed compose file as a dict:

```python
def check_new_compose_rule(config: dict) -> list[dict]:
    findings = []
    services = config.get("services", {})
    for name, service in services.items():
        # condition_met: placeholder for your rule's predicate on `service`
        if condition_met:
            findings.append({
                "severity": "MEDIUM",
                "check": "New compose rule",
                "details": f"Service '{name}': issue description"
            })
    return findings
```

Register the check in the COMPOSE_CHECKS list at the bottom of the file.

Runtime checks: edit src/checks/container_runtime_checks.py and add a new function. It receives a Docker SDK container object:

```python
def check_new_runtime_rule(container) -> list[dict]:
    findings = []
    # condition_met: placeholder for your rule's predicate on `container`
    if condition_met:
        findings.append({
            "severity": "HIGH",
            "check": "New runtime rule",
            "details": f"Container {container.name}: issue description"
        })
    return findings
```

Register the check in the RUNTIME_CHECKS list at the bottom of the file.
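To show the three templates filled in with real rules, here is an added example that is not the project's own code. It keeps the page's finding-dict shape and the three function signatures (a list of Dockerfile lines, a parsed compose dict, a container object) but the rule names, severities, the secret-name pattern, the capability list and the `FakeContainer` stand-in used to exercise the runtime check offline are all assumptions made here. The three rules are: credentials baked into an image via `ENV`/`ARG` defaults, host PID namespace or root-equivalent capabilities in a compose service, and missing `no-new-privileges` / disabled seccomp on a running container.

```python
"""Three worked custom checks in the finding-dict shape the README's templates use
({"severity", "check", "details"}). Added example, not the project's own code: the rule
names, severities, the secret-name pattern, the capability list and FakeContainer are
all assumptions made here.
"""
from __future__ import annotations

import re


def _finding(severity: str, check: str, details: str) -> dict:
    return {"severity": severity, "check": check, "details": details}


# Dockerfile check: credentials baked in via ENV or ARG defaults. Such values land in the
# image config/history and are readable by anyone who can pull the image.
_SECRET_KEY = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY", re.I)
_ENV_OR_ARG = re.compile(r"(?:ENV|ARG)\s+(.+)", re.I)


def check_secret_in_env(lines: list[str]) -> list[dict]:
    findings = []
    for i, line in enumerate(lines):
        stripped = line.strip()
        m = _ENV_OR_ARG.match(stripped)
        if not m:
            continue
        body = m.group(1)
        key = re.split(r"[=\s]", body, maxsplit=1)[0]  # "KEY=value" or "KEY value"
        has_value = "=" in body or len(body.split(None, 1)) > 1  # bare "ARG KEY" has none
        if has_value and _SECRET_KEY.search(key):
            findings.append(_finding("HIGH", "Secret in ENV/ARG", f"Line {i + 1}: {stripped}"))
    return findings


# Compose check: host PID namespace and capabilities that amount to root on the host.
_DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN", "DAC_READ_SEARCH"}


def check_compose_pid_and_caps(config: dict) -> list[dict]:
    findings = []
    for name, service in (config.get("services") or {}).items():
        service = service or {}
        if str(service.get("pid", "")).lower() == "host":
            findings.append(_finding("HIGH", "Host PID namespace",
                                     f"Service '{name}': pid: host exposes every host process"))
        caps = {str(c).upper().removeprefix("CAP_") for c in service.get("cap_add") or []}
        risky = sorted(caps & _DANGEROUS_CAPS)
        if risky:
            findings.append(_finding("HIGH", "Dangerous capability added",
                                     f"Service '{name}': cap_add grants {', '.join(risky)}"))
    return findings


# Runtime check: security options from `docker inspect` (HostConfig.SecurityOpt). Only
# container.name and container.attrs are used, so any object exposing those works offline.
def check_runtime_security_opts(container) -> list[dict]:
    findings = []
    host_cfg = (container.attrs or {}).get("HostConfig") or {}
    opts = [str(o) for o in host_cfg.get("SecurityOpt") or []]
    if any(o.replace(":", "=") == "seccomp=unconfined" for o in opts):
        findings.append(_finding("HIGH", "Seccomp disabled",
                                 f"Container {container.name}: seccomp=unconfined removes the default syscall filter"))
    if not any(o.startswith("no-new-privileges") for o in opts):
        findings.append(_finding("MEDIUM", "no-new-privileges not set",
                                 f"Container {container.name}: setuid/setcap binaries can still gain privileges"))
    return findings


class FakeContainer:
    """Constructed stand-in for a Docker SDK Container, used only to run the demo offline."""

    def __init__(self, name: str, security_opt: list[str] | None):
        self.name = name
        self.attrs = {"HostConfig": {"SecurityOpt": security_opt}}


# Constructed sample inputs (not real project files).
SAMPLE_DOCKERFILE = """FROM python:3.12-slim
ARG BUILD_DATE
ENV DB_PASSWORD=hunter2
ENV APP_ENV production
COPY . /app
USER app
""".splitlines()

SAMPLE_COMPOSE = {
    "services": {
        "web": {"image": "nginx:1.27", "cap_add": ["NET_BIND_SERVICE"]},
        "debug": {"image": "busybox", "pid": "host", "cap_add": ["CAP_SYS_ADMIN", "SYS_PTRACE"]},
    }
}


def run_demo() -> dict[str, list[dict]]:
    """Run all three checks over the constructed samples; returns findings per scan type."""
    return {
        "dockerfile": check_secret_in_env(SAMPLE_DOCKERFILE),
        "compose": check_compose_pid_and_caps(SAMPLE_COMPOSE),
        "runtime": check_runtime_security_opts(FakeContainer("api", ["no-new-privileges:true"]))
        + check_runtime_security_opts(FakeContainer("build", ["seccomp=unconfined"])),
    }


if __name__ == "__main__":
    for scan, found in run_demo().items():
        for f in found:
            print(f"[{scan}] {f['severity']:<6} {f['check']}: {f['details']}")
```

Against a live daemon the runtime function takes the objects returned by `docker.from_env().containers.list()` unchanged, since it only reads `.name` and `.attrs`; the `FakeContainer` exists so the demo and its tests run without Docker. Each function is pure and takes the same input as the corresponding template, so it can be appended to the matching `*_CHECKS` list as-is.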
- Python 3.10+
- Docker SDK for Python
- PyYAML
- Rich
- pytest (for testing)
Contributions welcome! Please ensure:
- All tests pass: pytest tests/ -v
- Code follows PEP8
- New checks include corresponding tests
- Functions remain pure and testable
Found a bug or have a feature request? Open an issue with:
- Clear description of the problem
- Steps to reproduce
- Expected vs actual behavior
- Your environment (Python version, OS)
This project uses the following open-source libraries:
Docker Scanner is licensed under MIT © 2025.
For information, see TLDR Legal > MIT
The MIT License (MIT)
Copyright (c) 2025 Docker Scanner Contributors
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is furnished
to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
© Docker Scanner Contributors 2025
Licensed under MIT
Thanks for visiting :)
