# Docker Security Audit

CarterPerez-dev edited this page Feb 11, 2026 · 1 revision

Go-based Docker environment security scanner validating against CIS Docker Benchmark.
docksec is a CLI tool that scans Docker environments for security misconfigurations. It analyzes running containers, daemon settings, images, Dockerfiles, and docker-compose files against the CIS Docker Benchmark v1.6.0, detecting issues like privileged containers, dangerous capabilities, Docker socket mounts, and hardcoded secrets.
Status: Complete | Difficulty: Intermediate

| Technology | Version | Purpose |
|---|---|---|
| Go | 1.23+ | Core language |
| Docker SDK | - | Container/image/daemon introspection |
| Cobra | - | CLI framework |
| moby/buildkit | - | Dockerfile AST parsing |
| errgroup | - | Concurrent scanning |

| Format | Purpose |
|---|---|
| Terminal | Human-readable colored output |
| JSON | Structured data for automation |
| SARIF 2.1.0 | GitHub Security tab integration |
| JUnit XML | CI/CD pipeline integration |

| Scanner | Target | Checks |
|---|---|---|
| Container | Running containers | Privileged mode, capabilities, mounts, namespaces, security profiles, resource limits |
| Daemon | Docker daemon | Insecure registries, ICC, user namespaces, experimental features |
| Image | Local images | USER instruction, secrets in history, base image tags |
| Dockerfile | Build files | USER instruction, ADD vs COPY, secrets in ENV/ARG, HEALTHCHECK |
| Compose | docker-compose.yml | Same as container checks for service definitions |

- 41 Linux capabilities mapped with risk levels
- 200+ sensitive host path detection
- 80+ secret patterns with Shannon entropy analysis
- CIS Benchmark control mapping with scored/unscored distinction
- Severity filtering (INFO through CRITICAL)
- CI/CD fail-on threshold (`--fail-on medium`)
- Concurrent scanning with rate limiting
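The container checks, capability and host-path risk tables, entropy-based secret detection and the `--fail-on` gate described above, condensed into one runnable program. This is an added example written for this page, not docksec's own code: the `Container` struct is a constructed stand-in for the Docker SDK's `HostConfig`/`Config` fields, the rule ids, the two small risk tables and the 4.0 bits/char entropy threshold are this example's choices, and no Docker daemon is contacted.

```go
package main

import (
	"fmt"
	"math"
	"strings"
)

// Severity is ordered INFO < LOW < MEDIUM < HIGH < CRITICAL, the range the
// page's severity filter and --fail-on threshold operate on.
type Severity int

const (
	Info Severity = iota
	Low
	Medium
	High
	Critical
)

func (s Severity) String() string {
	return [...]string{"INFO", "LOW", "MEDIUM", "HIGH", "CRITICAL"}[s]
}

var severityByName = map[string]Severity{
	"info": Info, "low": Low, "medium": Medium, "high": High, "critical": Critical,
}

// Finding is this example's own result type (not docksec's finding model).
type Finding struct {
	Rule     string // example rule id, not a CIS control number
	Severity Severity
	Message  string
}

// Container is a constructed stand-in for the fields a scanner reads from the
// Docker SDK's HostConfig and Config (Privileged, CapAdd, Binds, Env).
type Container struct {
	Name       string
	Privileged bool
	CapAdd     []string
	Binds      []string // "hostPath:containerPath[:opts]"
	Env        []string // "KEY=value"
}

// Small subsets of the 41-capability and 200+-path risk tables; severities are
// this example's choices.
var dangerousCaps = map[string]Severity{
	"ALL": Critical, "SYS_ADMIN": Critical, "SYS_MODULE": Critical,
	"SYS_PTRACE": High, "NET_ADMIN": High,
}
var sensitivePaths = map[string]Severity{
	"/": Critical, "/var/run/docker.sock": Critical, "/etc/shadow": Critical, "/proc": High,
}

// shannonEntropy returns the entropy of s in bits per character.
func shannonEntropy(s string) float64 {
	runes := []rune(s)
	if len(runes) == 0 {
		return 0
	}
	counts := map[rune]float64{}
	for _, r := range runes {
		counts[r]++
	}
	n, h := float64(len(runes)), 0.0
	for _, c := range counts {
		p := c / n
		h -= p * math.Log2(p)
	}
	return h
}

// looksLikeSecret pairs a key-name pattern with an entropy threshold
// (4.0 bits/char and 16+ chars are this example's choices).
func looksLikeSecret(key, value string) bool {
	k := strings.ToUpper(key)
	hinted := strings.Contains(k, "SECRET") || strings.Contains(k, "TOKEN") ||
		strings.Contains(k, "PASSWORD") || strings.Contains(k, "API_KEY")
	return hinted && len(value) >= 16 && shannonEntropy(value) > 4.0
}

// analyzeContainer applies four of the container checks listed on the page.
func analyzeContainer(c Container) []Finding {
	var out []Finding
	if c.Privileged {
		out = append(out, Finding{"PRIVILEGED", Critical, c.Name + ": runs with --privileged"})
	}
	for _, raw := range c.CapAdd {
		name := strings.TrimPrefix(strings.ToUpper(raw), "CAP_")
		if sev, ok := dangerousCaps[name]; ok {
			out = append(out, Finding{"CAP_ADD", sev, c.Name + ": adds capability " + name})
		}
	}
	for _, b := range c.Binds {
		host := strings.SplitN(b, ":", 2)[0]
		if sev, ok := sensitivePaths[host]; ok {
			out = append(out, Finding{"SENSITIVE_MOUNT", sev, c.Name + ": mounts host path " + host})
		}
	}
	for _, kv := range c.Env {
		k, v, _ := strings.Cut(kv, "=")
		if looksLikeSecret(k, v) {
			out = append(out, Finding{"SECRET_ENV", High, c.Name + ": env " + k + " looks like a hardcoded secret"})
		}
	}
	return out
}

// shouldFail is the --fail-on gate: true when any finding is at or above the
// named severity. An unknown name never fails the build.
func shouldFail(findings []Finding, failOn string) bool {
	threshold, ok := severityByName[strings.ToLower(failOn)]
	if !ok {
		return false
	}
	for _, f := range findings {
		if f.Severity >= threshold {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample container exhibiting one finding of each kind.
	c := Container{
		Name: "web", Privileged: true,
		CapAdd: []string{"CAP_SYS_ADMIN", "NET_BIND_SERVICE"},
		Binds:  []string{"/var/run/docker.sock:/var/run/docker.sock", "/srv/data:/data"},
		Env:    []string{"DB_PASSWORD=A1b2C3d4E5f6G7h8I9j0", "LOG_LEVEL=debug"},
	}
	findings := analyzeContainer(c)
	for _, f := range findings {
		fmt.Printf("[%s] %s: %s\n", f.Severity, f.Rule, f.Message)
	}
	fmt.Println("fail on medium:", shouldFail(findings, "medium"))
}
```

The entropy check is deliberately gated on the key name: a random-looking value under a neutral key (a build id, a hash) would otherwise be reported on every scan, which is the main source of noise in secret scanners.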
```text
cmd/docksec/main.go (Cobra CLI)
            │
            ▼
internal/scanner/scanner.go (Orchestration)
            │ errgroup + rate limiter
            ▼
┌───────────┬──────────┬──────────┬────────────┬───────────┐
│ Container │ Daemon   │ Image    │ Dockerfile │ Compose   │
│ Analyzer  │ Analyzer │ Analyzer │ Analyzer   │ Analyzer  │
└─────┬─────┴────┬─────┴────┬─────┴─────┬──────┴─────┬─────┘
      │          │          │           │            │
      ▼          ▼          ▼           ▼            ▼
┌──────────────────────────────────────────────────────────┐
│                       Rules Engine                       │
│     capabilities.go | paths.go     | secrets.go          │
│     (41 caps)       | (200+ paths) | (80+ patterns)      │
└────────────────────────────┬─────────────────────────────┘
                             │
                             ▼
┌──────────────────────────────────────────────────────────┐
│                  CIS Benchmark Registry                  │
│          benchmark/controls.go (100+ controls)           │
└────────────────────────────┬─────────────────────────────┘
                             │
                             ▼
       ┌──────────┬──────────┬──────────┬──────────┐
       │ Terminal │   JSON   │  SARIF   │  JUnit   │
       │ Reporter │ Reporter │ Reporter │ Reporter │
       └──────────┴──────────┴──────────┴──────────┘
```
```bash
cd PROJECTS/intermediate/docker-security-audit

# Build
go build -o docksec ./cmd/docksec

# Scan all running containers
./docksec scan

# Scan specific targets
./docksec scan --target containers
./docksec scan --target daemon
./docksec scan --target images

# Scan a Dockerfile
./docksec scan --file Dockerfile

# Scan docker-compose
./docksec scan --file docker-compose.yml

# JSON output for automation
./docksec scan --output json --output-file results.json

# SARIF for GitHub Security
./docksec scan --output sarif --output-file results.sarif

# Fail CI on findings
./docksec scan --fail-on medium
```

```text
docker-security-audit/
├── cmd/docksec/
│   └── main.go              # CLI entry point
├── internal/
│   ├── analyzer/            # Security check implementations
│   │   ├── container.go     # Running container checks
│   │   ├── daemon.go        # Daemon config checks
│   │   ├── image.go         # Image metadata checks
│   │   ├── dockerfile.go    # Dockerfile static analysis
│   │   └── compose.go       # docker-compose checks
│   ├── benchmark/
│   │   └── controls.go      # CIS Docker Benchmark v1.6.0
│   ├── config/              # Runtime configuration
│   ├── docker/              # Docker SDK client wrapper
│   ├── finding/             # Finding data model
│   ├── proc/                # Linux /proc inspection
│   ├── report/              # Output formatters
│   ├── rules/               # Security rule data
│   └── scanner/             # Scan orchestration
├── Dockerfile
├── go.mod
└── go.sum
```
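The four Dockerfile checks from the scanner table (USER instruction, ADD vs COPY, secrets in ENV/ARG, HEALTHCHECK), shown as a small line-based linter that runs over raw Dockerfile text. This is an added example for this page, not docksec's `internal/analyzer/dockerfile.go`: the project parses with moby/buildkit, whereas this code joins backslash continuations itself and ignores quoting and heredocs; the result type, rule ids and key-name hints are this example's own.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// DockerfileFinding is this example's own result type.
type DockerfileFinding struct {
	Line    int    // 1-based line of the offending instruction (0 = whole file)
	Rule    string // example rule id, not a CIS control number
	Message string
}

// Key-name fragments that suggest an ENV or ARG carries a credential.
var secretKeyHints = []string{"PASSWORD", "PASSWD", "SECRET", "TOKEN", "API_KEY", "PRIVATE_KEY"}

func keyLooksSecret(key string) bool {
	k := strings.ToUpper(key)
	for _, h := range secretKeyHints {
		if strings.Contains(k, h) {
			return true
		}
	}
	return false
}

// envArgKeys extracts variable names from "ENV K=v K2=v2" or the legacy "ENV K v" form.
func envArgKeys(args []string) []string {
	if len(args) == 0 {
		return nil
	}
	if !strings.Contains(args[0], "=") {
		return []string{args[0]} // legacy form: the first token is the only key
	}
	var keys []string
	for _, a := range args {
		k, _, _ := strings.Cut(a, "=")
		keys = append(keys, k)
	}
	return keys
}

// lintDockerfile applies the four checks; per-instruction findings carry the
// line where the instruction starts, file-level findings carry line 0.
func lintDockerfile(src string) []DockerfileFinding {
	var out []DockerfileFinding
	hasHealthcheck := false
	lastUser := "" // empty means no USER instruction was seen
	var pending []string
	start := 0
	sc := bufio.NewScanner(strings.NewReader(src))
	for n := 1; sc.Scan(); n++ {
		raw := strings.TrimSpace(sc.Text())
		if raw == "" || strings.HasPrefix(raw, "#") {
			continue
		}
		if pending == nil {
			start = n
		}
		if strings.HasSuffix(raw, "\\") { // backslash continuation: keep collecting
			pending = append(pending, strings.TrimSuffix(raw, "\\"))
			continue
		}
		fields := strings.Fields(strings.Join(append(pending, raw), " "))
		pending = nil
		instr, args := strings.ToUpper(fields[0]), fields[1:]
		switch instr {
		case "USER":
			if len(args) > 0 {
				lastUser = args[0]
			}
		case "HEALTHCHECK":
			hasHealthcheck = true
		case "ADD":
			// ADD auto-extracts archives and fetches URLs; COPY has neither side effect.
			out = append(out, DockerfileFinding{start, "ADD_INSTEAD_OF_COPY", "prefer COPY over ADD"})
		case "ENV", "ARG":
			for _, k := range envArgKeys(args) {
				if keyLooksSecret(k) {
					out = append(out, DockerfileFinding{start, "SECRET_IN_" + instr, k + " looks like a credential baked into the image"})
				}
			}
		}
	}
	// Without USER the container runs as root; "USER root" or "USER 0" is no better.
	if u := strings.SplitN(lastUser, ":", 2)[0]; u == "" || u == "root" || u == "0" {
		out = append(out, DockerfileFinding{0, "RUNS_AS_ROOT", "no non-root USER instruction"})
	}
	if !hasHealthcheck {
		out = append(out, DockerfileFinding{0, "NO_HEALTHCHECK", "no HEALTHCHECK instruction"})
	}
	return out
}

func main() {
	// Constructed sample Dockerfile with one of each issue.
	const sample = "FROM alpine:3.19\nADD app.tar.gz /opt/app\nENV DB_PASSWORD=hunter2 \\\n    LOG_LEVEL=info\nARG NPM_TOKEN\nUSER root\n"
	for _, f := range lintDockerfile(sample) {
		fmt.Printf("line %d %s: %s\n", f.Line, f.Rule, f.Message)
	}
}
```

Only the last USER instruction counts, because that is the user the final image runs as; an earlier `USER app` followed by `USER root` for a late RUN step is the pattern this catches.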
```bash
# Run tests
go test ./...

# Build
go build -o docksec ./cmd/docksec

# Build with version info
go build -ldflags "-X main.version=1.0.0" -o docksec ./cmd/docksec
```

© AngelaMos | CertGames.com | CarterPerez-dev | 2026