Open source · MIT License

Secure your Dockerfiles
before they ship

A fast, lightweight security scanner that catches vulnerabilities, secrets, and misconfigurations in Dockerfiles. No Docker daemon required.

brew install nickciolpan/tap/docker-scan-lite
$ docker-scan-lite -f Dockerfile

Docker Scan Lite Results
Dockerfile: Dockerfile
Scanned at: 2026-03-24 10:30:45

Summary
Total Issues: 8
High: 3   Medium: 4   Low: 1

Base Images
⚠️ ubuntu:16.04 (line 1) - Base image may be outdated

Environment Variables
⚠️ DATABASE_PASSWORD=*** (line 5)
⚠️ API_KEY=*** (line 6)

Security Issues
⚠️ [HIGH] Sensitive environment variable 'DATABASE_PASSWORD' found (line 5)
⚠️ [HIGH] Container running as root user (line 17)
⚠️ [MEDIUM] Port 22 may be vulnerable (line 20)
⚠️ [MEDIUM] Potentially insecure command detected (line 13)
⚠️ [LOW] Package installation without version pinning (line 10)

Review the issues above and consider fixing them to improve security.

Why docker-scan-lite?

Fast, focused, and zero-dependency scanning for your CI/CD pipelines

Lightning fast

Static analysis on the Dockerfile itself. No image pulling, no daemon required. Scans complete in milliseconds.

Comprehensive checks

Detects outdated images, exposed secrets, insecure commands, vulnerable ports, missing HEALTHCHECK, and more.

CI/CD ready

JSON, SARIF, and text output. Exit codes for pipeline gating. First-class GitHub Action support.

Multi-stage aware

Understands multi-stage builds and tracks issues per stage. Knows the difference between builder and runtime.

Single binary

One binary, zero dependencies. Install via Homebrew, download from releases, or build from source in seconds.

Secret detection

Regex-based scanning for AWS keys, GitHub tokens, JWTs, private keys, database URLs, and generic credentials.

What it scans for

12+ categories of Dockerfile security checks

Hardcoded secrets

AWS keys, GitHub tokens, JWTs, private keys, database connection strings, generic passwords

Root user

Detects containers running as root or UID 0, and warns when no USER instruction is present

Outdated base images

38+ known outdated image:tag combinations across Ubuntu, Debian, Alpine, Node, Python, and more

Vulnerable ports

EXPOSE of SSH (22), Telnet (23), databases (3306, 5432, 27017), Redis (6379), RDP (3389), and more. EXPOSE by itself opens nothing; the finding is a prompt to ask why an admin or data service is running inside the image at all.

Insecure commands

curl -k, wget --no-check-certificate, chmod 777, sudo su, SSH without host key checking

Sensitive env vars

PASSWORD, SECRET, API_KEY, TOKEN, and 30+ patterns including cloud provider credentials

Unpinned packages

apt-get, apk, yum, pip, npm, and gem installs without version pinning

ADD with remote URLs

Flags ADD instructions that fetch remote URLs. The recommendation is to download with curl in a RUN step (where the checksum can be verified) and to use COPY for local files, since ADD's implicit network fetch is easy to misuse.

Missing HEALTHCHECK

Warns when no HEALTHCHECK instruction is found for container orchestration readiness

Latest tag usage

Flags base images that resolve to :latest, whether written explicitly or implied by omitting the tag, since the image contents can change between builds.

Multi-stage tracking

Tracks build stages and associates findings with the correct stage context

SHELL instruction

Analyzes custom SHELL instructions for non-standard or potentially insecure shells

Get started

Install in seconds, scan immediately

Installation

Choose your preferred method:

# Homebrew (macOS)
brew install nickciolpan/tap/docker-scan-lite

# Go install
go install github.com/nickciolpan/docker-scan-lite@latest

# Linux one-liner (download and read the script first if you would rather not pipe it straight into bash)
curl -sSL https://raw.githubusercontent.com/nickciolpan/docker-scan-lite/main/scripts/install.sh | bash

# Build from source
git clone https://github.com/nickciolpan/docker-scan-lite
cd docker-scan-lite && make build

CLI usage

Flexible output and filtering options:

# Scan a Dockerfile
docker-scan-lite -f Dockerfile

# JSON output for CI parsing
docker-scan-lite -f Dockerfile -j

# SARIF for GitHub Code Scanning
docker-scan-lite -f Dockerfile --sarif

# Filter by severity
docker-scan-lite -f Dockerfile --severity medium

# Fail on high severity (for CI)
docker-scan-lite -f Dockerfile --exit-code high

GitHub Action

Add to any workflow in 30 seconds

Dockerfile Security Check

Scans your Dockerfile on every push and PR. Fails the build if high-severity issues are found.

# .github/workflows/docker-security.yml
name: Dockerfile Security
on: [push, pull_request]

permissions:
  contents: read
  security-events: write   # needed by codeql-action/upload-sarif

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Scan Dockerfile
        uses: nickciolpan/docker-scan-lite@v1
        with:
          dockerfile: Dockerfile
          fail-on: high

      # Optional: Upload SARIF to GitHub Security tab.
      # If the gating step above fails, the steps below are skipped; run the
      # SARIF scan first if results should be uploaded for failing builds too.
      - name: Scan with SARIF
        uses: nickciolpan/docker-scan-lite@v1
        id: scan
        with:
          dockerfile: Dockerfile
          format: sarif
          fail-on: ''   # never fail this step, or the upload never runs

      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: scan-results.sarif