DockSec is an open source security tool born out of frustration and raised by Advait Patel.
The frustration originates in the growing recognition that security scanners are excellent at finding vulnerabilities but poor at explaining how to fix them. “On a typical day I would scan a container image and get back 200+ CVEs. Most were noise, a few were real, but there was no easy way to tell a developer ‘fix these three lines and you are good’. Security tools are great at finding problems but bad at helping people fix them.”
Perhaps because fixing known vulnerabilities in a timely fashion is so difficult, container images are still being published with unfixed vulnerabilities inside them. “I scanned 15 images and found 183 vulnerabilities rated with high severity and a further 15 rated as critical,” he continues. “For example, HashiCorp Vault – a tool built specifically to secure secrets – shipped with 40 vulnerabilities in its own image.”
The threat is that vulnerable components baked into an image are pulled and run wherever that image is deployed, and are carried forward through every CI/CD pipeline that builds on it. This is the problem Patel set himself to solve by developing an open source tool he calls DockSec (recently adopted by OWASP into its official project portfolio).

The difficulty is not in finding the vulnerabilities, but in helping developers fix them. DockSec includes no new vulnerability scanner; it simply runs Trivy, Hadolint, and Docker Scout locally. Then comes the new functionality: an LLM correlates the findings across all three scanners, removes duplicates, and ranks what remains by real impact. The scanning is done locally, and only the scan metadata goes to the LLM – never the image content.
The LLM itself can be a hosted model from OpenAI, Anthropic, or Google Gemini, or a model run locally through Ollama, in which case nothing leaves the machine at all. Its function is to generate plain-English explanations and exact Dockerfile fixes, delivered in Markdown, the lingua franca for developers. DockSec closes the gap between vulnerability detection and vulnerability fixing.
Patel is the architect and lead developer of DockSec. But the project itself has grown beyond just himself. “OWASP recognition and adoption as an OWASP incubator project was a turning point,” he explains. “Before that it was a personal project people found through GitHub. After OWASP, enterprise teams started taking it seriously because it now sits inside a trusted, vetted ecosystem. Contributions also picked up, more pull requests, better issue quality, and security folks started suggesting features instead of just filing bugs. With OWASP comes a responsibility to keep it open, vendor-neutral, and useful for the community first. That is a good constraint to design under.”
It is now community-driven open source, with Patel at the forefront. Downloads are approaching 18,000, and pull requests stand at 90. And it is an example of the purity of open source development. Patel conceived and created it in his own spare time. It is free to download and free to use; and he makes no money from it.
But it is more than just a single project. It is a design methodology that can be adapted to other areas where automated scanners find the problems but do nothing to help fix them.
“DockSec can definitely be adapted. It is not just a security scanner that scans your code, that scans your architecture and scans your infrastructure. It is a bridge between finding and fixing. We have tons and tons of tools in the market that act as a scanner, as a tool that will detect the gaps; but there are few that will lead you toward the remediation part, toward fixing that gap,” explains Patel.
“DockSec is one of them. If people, or the industry, or a company wants to adapt DockSec into their SOC automation, they can definitely do so. Using the findings of their scanners, the DockSec methodology could be used to fix the findings in a timely fashion.”
