Open Source DockSec Uses AI to Cut Through Vulnerability Noise in Docker Images

DockSec is an open source security tool born out of frustration and raised by Advait Patel. The frustration originates in the growing recognition that AI is excellent at finding vulnerabilities, but poor at explaining how to fix them. “On a typical day I would scan a container image and get back 200+ CVEs. Most were noise, a few were real, but there was no easy way to tell a developer ‘fix these three lines and you are good’. Security tools are great at finding problems but bad at helping people fix them.” Perhaps because of this difficulty in fixing known vulnerabilities in a timely fashion, software images are entering Docker still containing unfixed vulnerabilities. “I scanned 15 images and found 183 vulnerabilities rated with high severity and a further 15 rated as critical,” he continues. “For example, HashiCorp Vault – a tool built specifically to secure secrets – shipped with 40 vulnerabilities in its own image.” The threat is that when vulnerabilities are included within the images, they may automatically be run by Docker and even included within the CI/CD pipeline. This is a threat Patel set himself to solve by developing an open source tool he calls DockSec (recently adopted by OWASP into its official project portfolio). The difficulty is not in finding the vulnerabilities, but in helping developers fix them. DockSec includes no new vulnerability scanner, but simply runs Trivy, Hadolint, and Docker Scout locally. Then comes the new functionality: an LLM correlates the findings across all three to remove duplicates and rank by real impact. The scanning is done locally, and only the scan metadata goes to the LLM – never the image content. Everything is done locally. The LLM used can be selected from OpenAI, Anthropic, and Google Gemini, and run locally through Ollama. Its function is to generate plain-English explanations and exact Dockerfile fixes delivered via Markdown, the lingua franca for developers. DockSec closes the gap between vulnerability detection and vulnerability fixing. Patel is the architect and lead developer of DockSec. But the project itself has grown beyond just himself. “OWASP recognition and adoption as an OWASP incubator project was a turning point,” he explains. “Before that it was a personal project people found through GitHub. After OWASP, enterprise teams started taking it seriously because it now sits inside a trusted, vetted ecosystem. Contributions also picked up, more pull requests, better issue quality, and security folks started suggesting features instead of just filing bugs. With OWASP comes a responsibility to keep it open, vendor-neutral, and useful for the community first. That is a good constraint to design under.” It is now community-driven open source, with Patel at the forefront. Downloads are approaching 18,000, and pull requests stand at 90. And it is an example of the purity of open source development. Patel conceived and created it in his own spare time. It is free to download and free to use; and he makes no money from it. But it is more than just a single project. It is a design methodology that can be adapted to other areas where AI finds the problems but doesn’t help in fixing them.  “DockSec can definitely be adapted. It is not just a security scanner that scans your code, that scans your architecture and scans your infrastructure. It is a bridge between finding and fixing. We have tons and tons of tools in the market that act as a scanner, as a tool that will detect the gaps; but there are few that will lead you toward the remediation part, toward fixing that gap”, explains Patel. “DockSec is one of them. If people, or the industry, or a company wants to adapt DockSec into their SOC automation, they can definitely do so. Using the findings of their scanners, the DockSec methodology could be used to fix the findings in a timely fashion.” Related: From Trivy to Broad OSS Compromise: TeamPCP Hits Docker Hub, VS Code, PyPI Related: DockerDash Flaw in Docker AI Assistant Leads to RCE, Data Theft Related: Docker Makes 1,000 Hardened Images Free and Open Source Related: Exposed Docker APIs Likely Exploited to Build Botnet WRITTEN BY Kevin Townsend Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines. More from Kevin Townsend Supply Chain Security Crisis: Too Many Vulnerabilities, Too Little Visibility AI-Powered App Attacks Are Faster, More Frequent and Harder to Stop 1Password Teams With OpenAI to Stop AI Coding Agents From Leaking Credentials Legacy Windows Tool MSHTA Fuels Surge in Silent Malware Attacks Mythos Proves Potent in Vulnerability Discovery, Less Convincing Elsewhere Sweet Security Launches Agentic AI Red Teaming to Counter ‘Mythos Moment’ Free OnlyFans Lure Used to Spread Cross-Platform CRPx0 Malware Build Application Firewalls Aim to Stop the Next Supply Chain Attack Latest News 185,000 Likely Impacted by 7-Eleven Data Breach Anthropic Expands Claude’s Enterprise Security Governance With 28 New Integrations Hackers Exploited KnowledgeDeliver Zero-Day for Web Shell Deployment Watch on Demand: Threat Detection & Incident Response Summit – All Sessions Available Lithuania Suspects Foreign Involvement in Data Leak of Over 600,000 National Register Entries Admins of Bulletproof Hosting Service Used by Russian Hackers Arrested in Netherlands Ghost CMS Vulnerability Exploited to Hack Over 700 Websites Oncology Institute Discloses Data Breach Trending Virtual Event: Threat Detection And Incident Response Summit May 20, 2026 Delve into big-picture strategies to reduce attack surfaces, improve patch management, conduct post-incident forensics, and tools and tricks needed in a modern organization. Register Webinar: Third-Party Risk In Practice June 4, 2026 Organizations are investing heavily in third-party risk management, but breaches, delays, and blind spots continue to persist. Join this live webinar as we examine the gap between how organizations think their third-party risk programs are performing and what’s actually happening in practice. Register People on the Move Joe Chen has become Chief Technology Officer at Trellix. Usercentrics has named Pawan Hegde as COO and Elena Ignatova as CPTO. SecureAuth has named Mark van Oppen as Chief Revenue Officer. More People On The Move Expert Insights Caught Off Guard: Securing AI After It Hits Production As enterprises rush AI projects into production, security teams are increasingly being forced into reactive mode. (Joshua Goldfarb) Cyber Resilience Is The New Business Continuity Plan The organizations best prepared to face disruption are those that align security, continuity and risk management around what the business cannot afford to lose. (Steve Durbin) Enhancing Data Center Security Without Sacrificing Performance For AI data centers, where the stakes are the highest and performance constraints are the tightest, security and performance are no longer a zero-sum game. (Nadir Izrael) Is The SOC Obsolete, And We Just Haven’t Admitted It Yet? Many AI-first enterprises have already embraced sovereign architectures for general AI initiatives; cybersecurity—and the SOC—should be next. (Danelle Au) The Mythos Moment: Enterprises Must Fight Agents With Agents Only with the right platform and an agentic, AI-driven defense, will enterprises be able to protect themselves in the agentic era. (Etay Maor) Flipboard Reddit Whatsapp Email