DockSec is an OWASP Incubator Project that combines three container security scanners with a language-model layer for explanation and remediation. Created by Advait Patel, the Python tool runs Trivy, Hadolint, and Docker Scout against a developer’s Dockerfile and image, correlates the findings, returns a 0-100 security score, and proposes line-specific fixes.
DockSec requires Python 3.12 and ships under the MIT license. It supports four language-model backends: OpenAI, Anthropic, Google Gemini, and local models served through Ollama, with a scan-only mode that operates offline and requires no API key.
A workflow gap between scanning and fixing
The container security tooling market splits into two camps, in Patel’s account. “The container security landscape sorts into two buckets right now,” he told Help Net Security. “Pure scanners (Trivy, Grype, Clair, Snyk Container, Anchore) are good at finding things and bad at helping you fix them. You get a list of 200 CVEs and the developer’s job is to figure out which 3 matter.”
Enterprise container security platforms occupy the second camp. Patel cites Prisma Cloud, Aqua, and Sysdig as products built for security teams with budget and headcount, with operational weight and deployment cost to match.
DockSec targets the seam between those two categories. “The workflow gap between ‘scanner found something’ and ‘developer fixes it.’ That gap is where most container vulnerabilities go to die,” Patel said. “A team gets the scan report, the developer either ignores it or spends half a day Googling each CVE, and the issues either get fixed quietly or get filed under ‘accepted risk’ and forgotten.”
The remediation output reflects that target. DockSec returns code rewrites and contextual explanation, with reports exporting to HTML, PDF, JSON, CSV, and Markdown. Patel said the output takes the form “line 14 of your Dockerfile is the problem, here is the corrected version, here is why it matters in your specific image.”
Position against general-purpose AI assistants
The premise of an AI-assisted scanner raises a question about general-purpose coding assistants such as GitHub Copilot, Cursor, and Claude Code. Patel addressed the overlap directly. “If you mean Copilot, Cursor, Claude Code, and the like, then yes, they will eventually absorb a lot of what DockSec does at the surface layer,” he said. “A developer will ask their assistant ‘is this Dockerfile secure’ and get a reasonable answer most of the time. That part of the workflow is going to be commoditized, and pretending otherwise would be silly.”
Two defenses keep a dedicated layer relevant in Patel’s account. The first is the deterministic scanner foundation. A coding assistant can flag hygiene issues like running a container as root, but awareness of a specific CVE in a base-layer library depends on a scanner having identified it. Patel cites a vulnerable openssl 1.1.1k in a base layer as the kind of finding that only scan data surfaces.
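To make the correlation step concrete, here is an added Python sketch that is not DockSec’s own code: it merges a Trivy vulnerability report with Hadolint’s line-level lint output into one prioritized, line-annotated list and a 0-100 score. The sample scanner JSON, the CVE ids, the deduction weights and the attribution of package CVEs to the FROM line are all constructed assumptions for illustration.

```python
import json

# Constructed sample in the shape of Trivy's JSON report (Results -> Vulnerabilities).
# The CVE ids and fixed versions are placeholders, not real advisories.
TRIVY_JSON = json.dumps({"Results": [{"Target": "app:1.0 (debian 11)", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0001", "PkgName": "openssl", "InstalledVersion": "1.1.1k",
     "FixedVersion": "1.1.1n", "Severity": "CRITICAL"},
    {"VulnerabilityID": "CVE-0000-0002", "PkgName": "zlib", "InstalledVersion": "1.2.11",
     "FixedVersion": "", "Severity": "LOW"}]}]})

# Constructed sample in Hadolint's JSON shape; DL3007 and DL3002 are real Hadolint rule ids.
HADOLINT_JSON = json.dumps([
    {"line": 1, "code": "DL3007", "level": "warning", "message": "Using latest is prone to errors"},
    {"line": 14, "code": "DL3002", "level": "warning", "message": "Last USER should not be root"}])

# Constructed Dockerfile: FROM on line 1, a run of RUN lines, USER root on line 14.
DOCKERFILE = "FROM debian:latest\n" + "RUN apt-get update\n" * 12 + "USER root\n"

# Illustrative deductions per finding; a real tool would calibrate these.
WEIGHT = {"CRITICAL": 25, "HIGH": 15, "MEDIUM": 8, "LOW": 2,
          "error": 10, "warning": 5, "info": 1, "style": 1}

def correlate(trivy_json, hadolint_json, dockerfile):
    """Merge image CVEs and Dockerfile lint findings into one line-annotated, prioritized list."""
    lines = dockerfile.splitlines()
    # Assumption: a package CVE is attributed to the FROM line that pulled in the base image.
    from_line = next(i for i, l in enumerate(lines, 1) if l.upper().startswith("FROM"))
    findings = []
    for result in json.loads(trivy_json).get("Results", []):
        for v in result.get("Vulnerabilities", []):
            fixed = v.get("FixedVersion") or None  # empty string means no fix published
            fix = (f"upgrade {v['PkgName']} {v['InstalledVersion']} -> {fixed}" if fixed
                   else f"no fixed {v['PkgName']} available; track as accepted risk")
            findings.append({"line": from_line, "id": v["VulnerabilityID"],
                             "severity": v["Severity"], "actionable": fixed is not None, "fix": fix})
    for h in json.loads(hadolint_json):
        findings.append({"line": h["line"], "id": h["code"], "severity": h["level"],
                         "actionable": True, "fix": h["message"]})
    # Actionable findings first, then by deduction weight, so the few that matter surface on top.
    findings.sort(key=lambda f: (not f["actionable"], -WEIGHT.get(f["severity"], 0)))
    return findings

def score(findings):
    """0-100 score: start at 100 and subtract a weighted deduction per finding, floored at 0."""
    return max(0, 100 - sum(WEIGHT.get(f["severity"], 0) for f in findings))

if __name__ == "__main__":
    fs = correlate(TRIVY_JSON, HADOLINT_JSON, DOCKERFILE)
    for f in fs:
        print(f"line {f['line']:>3} {f['id']:<14} {f['severity']:<9} {f['fix']}")
    print("score:", score(fs))
```

The unfixable zlib finding sorts to the bottom with an explicit accepted-risk note rather than vanishing, which is the filing-and-forgetting failure the article describes.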
The second defense is governance. “‘Copilot said it was fine’ does not survive an auditor’s first question,” Patel said. “The dedicated layer exists because security has to live inside a governance envelope that general-purpose tools are not built for.”
Competitive landscape
For Patel, the larger commercial risk sits with established container security platforms. He cited Snyk, Aqua, Sysdig, and Prisma as the companies most likely to bundle equivalent reasoning capabilities into their existing licenses and offer them as a checkbox feature. “That is the real competitive risk,” he said.
The project’s target audience is developers operating without a platform deployment and without a security budget line. Patel called that population the lane the project is trying to hold.
The roadmap on GitHub lists Docker Compose multi-service scanning, Kubernetes manifest analysis, a GitHub Action for automated pull request review, and custom security policy enforcement as planned features.
The project’s purpose, in Patel’s view, is alignment of artifacts between roles. “I am trying to make sure the security team and the developer are looking at the same artifact and able to act on it the same day,” he said.
DockSec is available for free on GitHub.