Page:
Docker Security Audit
Pages
API Rate Limiter
API Security Scanner
Base64 Tool
Bug Bounty Platform
Caesar Cipher
Certification Roadmaps
Contributing
DNS Lookup
Docker Security Audit
Encrypted P2P Chat
Getting Started
Home
Keylogger
Metadata Scrubber Tool
Network Traffic Analyzer
Project Roadmap
SIEM Dashboard
Simple Port Scanner
Simple Vulnerability Scanner
Tools and Resources
1
Docker Security Audit
CarterPerez-dev edited this page 2026-02-11 04:56:38 -05:00
Docker Security Audit
Go-based Docker environment security scanner validating against CIS Docker Benchmark.
Overview
docksec is a CLI tool that scans Docker environments for security misconfigurations. It analyzes running containers, daemon settings, images, Dockerfiles, and docker-compose files against the CIS Docker Benchmark v1.6.0, detecting issues like privileged containers, dangerous capabilities, Docker socket mounts, and hardcoded secrets.
Status: Complete | Difficulty: Intermediate
Tech Stack
| Technology | Version | Purpose |
|---|---|---|
| Go | 1.23+ | Core language |
| Docker SDK | - | Container/image/daemon introspection |
| Cobra | - | CLI framework |
| moby/buildkit | - | Dockerfile AST parsing |
| errgroup | - | Concurrent scanning |
Output Formats
| Format | Purpose |
|---|---|
| Terminal | Human-readable colored output |
| JSON | Structured data for automation |
| SARIF 2.1.0 | GitHub Security tab integration |
| JUnit XML | CI/CD pipeline integration |
Features
Security Scanners
| Scanner | Target | Checks |
|---|---|---|
| Container | Running containers | Privileged mode, capabilities, mounts, namespaces, security profiles, resource limits |
| Daemon | Docker daemon | Insecure registries, ICC, user namespaces, experimental features |
| Image | Local images | USER instruction, secrets in history, base image tags |
| Dockerfile | Build files | USER instruction, ADD vs COPY, secrets in ENV/ARG, HEALTHCHECK |
| Compose | docker-compose.yml | Same as container checks for service definitions |
Advanced Features
- 41 Linux capabilities mapped with risk levels
- 200+ sensitive host path detection
- 80+ secret patterns with Shannon entropy analysis
- CIS Benchmark control mapping with scored/unscored distinction
- Severity filtering (INFO through CRITICAL)
- CI/CD fail-on threshold (
--fail-on medium) - Concurrent scanning with rate limiting
Architecture
cmd/docksec/main.go (Cobra CLI)
↓
internal/scanner/scanner.go (Orchestration)
↓ errgroup + rate limiter
┌──────────┬──────────┬──────────┬────────────┬───────────┐
│Container │ Daemon │ Image │ Dockerfile │ Compose │
│Analyzer │ Analyzer │ Analyzer │ Analyzer │ Analyzer │
└────┬─────┴────┬─────┴────┬─────┴─────┬──────┴─────┬────┘
│ │ │ │ │
▼ ▼ ▼ ▼ ▼
┌─────────────────────────────────────────────────────────┐
│ Rules Engine │
│ capabilities.go | paths.go | secrets.go │
│ (41 caps) | (200+ paths) | (80+ patterns) │
└───────────────────────────┬─────────────────────────────┘
↓
┌─────────────────────────────────────────────────────────┐
│ CIS Benchmark Registry │
│ benchmark/controls.go (100+ controls) │
└───────────────────────────┬─────────────────────────────┘
↓
┌──────────┬──────────┬──────────┬──────────┐
│ Terminal │ JSON │ SARIF │ JUnit │
│ Reporter │ Reporter │ Reporter │ Reporter │
└──────────┴──────────┴──────────┴──────────┘
Quick Start
cd PROJECTS/intermediate/docker-security-audit
# Build
go build -o docksec ./cmd/docksec
# Scan all running containers
./docksec scan
# Scan specific targets
./docksec scan --target containers
./docksec scan --target daemon
./docksec scan --target images
# Scan a Dockerfile
./docksec scan --file Dockerfile
# Scan docker-compose
./docksec scan --file docker-compose.yml
# JSON output for automation
./docksec scan --output json --output-file results.json
# SARIF for GitHub Security
./docksec scan --output sarif --output-file results.sarif
# Fail CI on findings
./docksec scan --fail-on medium
Project Structure
docker-security-audit/
├── cmd/docksec/
│ └── main.go # CLI entry point
├── internal/
│ ├── analyzer/ # Security check implementations
│ │ ├── container.go # Running container checks
│ │ ├── daemon.go # Daemon config checks
│ │ ├── image.go # Image metadata checks
│ │ ├── dockerfile.go # Dockerfile static analysis
│ │ └── compose.go # docker-compose checks
│ ├── benchmark/
│ │ └── controls.go # CIS Docker Benchmark v1.6.0
│ ├── config/ # Runtime configuration
│ ├── docker/ # Docker SDK client wrapper
│ ├── finding/ # Finding data model
│ ├── proc/ # Linux /proc inspection
│ ├── report/ # Output formatters
│ ├── rules/ # Security rule data
│ └── scanner/ # Scan orchestration
├── Dockerfile
├── go.mod
└── go.sum
Development
# Run tests
go test ./...
# Build
go build -o docksec ./cmd/docksec
# Build with version info
go build -ldflags "-X main.version=1.0.0" -o docksec ./cmd/docksec
Source Code
Navigation
Beginner Projects
- Simple Port Scanner
- Keylogger
- Caesar Cipher
- DNS Lookup Tool
- Vulnerability Scanner
- Metadata Scrubber
- Network Traffic Analyzer
- Base64 Encoder/Decoder
Intermediate Projects
Advanced Projects
Guides
Resources
Progress: 14/60
©AngelaMos | CertGames.com | CarterPerez-dev | 2026