
Security tools can identify vulnerabilities but are bad at explaining how to fix them. Container images can enter Docker with unfixed vulnerabilities, including high and critical issues, and those vulnerabilities are then pulled into CI/CD workflows. DockSec addresses the fixing gap without adding a new scanner: it runs Trivy, Hadolint, and Docker Scout locally, and an LLM correlates the findings across the three tools to remove duplicates and rank issues by real impact. Scanning runs locally and only scan metadata (findings such as CVE IDs, affected packages and versions, severities, and lint rule hits) is sent to the LLM, never image content. The LLM can be OpenAI, Anthropic, or Google Gemini, or a model run locally via Ollama; the Ollama option keeps even the scan metadata on the machine. Output provides plain-English explanations and exact Dockerfile fixes in Markdown.
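The correlation step described above, as an added example in Python that is not DockSec's own code. It normalises Trivy and Hadolint JSON output (their documented shapes) and Docker Scout output assumed to be SARIF, merges findings that describe the same issue, ranks them by severity, fixability and cross-tool agreement, and projects the result onto an allow-list of scan metadata so that nothing read from the image can reach the model. The sample reports, the Scout `properties` field names, the Hadolint level-to-severity mapping and the CVE IDs are all constructed placeholders.

```python
"""Correlate Trivy, Hadolint and Docker Scout findings into one ranked,
metadata-only list for an LLM. Added example, not DockSec's code.
Assumptions: Scout input is SARIF with package details in result.properties;
Hadolint levels map error/warning/info/style -> HIGH/MEDIUM/LOW/LOW.
All sample data below is constructed; CVE-0000-* are placeholder IDs."""
from dataclasses import dataclass, field
from typing import Optional

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "UNKNOWN": 0}
ALLOWED_FIELDS = ("key", "severity", "summary", "package", "installed", "fixed", "line", "sources")


@dataclass
class Finding:
    key: str                      # dedup key: CVE:package, or lint rule:line
    severity: str
    summary: str                  # scanner-provided title, not image content
    package: str = ""
    installed: str = ""
    fixed: str = ""               # empty when no fixed version is known
    line: Optional[int] = None    # Dockerfile line for lint findings
    sources: set = field(default_factory=set)


def from_trivy(report: dict) -> list:
    """Trivy JSON: Results[].Vulnerabilities[] (documented shape)."""
    out = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            out.append(Finding(key=f'{v["VulnerabilityID"]}:{v["PkgName"]}',
                               severity=v.get("Severity", "UNKNOWN").upper(),
                               summary=v.get("Title", ""), package=v["PkgName"],
                               installed=v.get("InstalledVersion", ""),
                               fixed=v.get("FixedVersion", ""), sources={"trivy"}))
    return out


def from_hadolint(report: list) -> list:
    """Hadolint JSON: a list of {code, line, level, message} records."""
    level_map = {"error": "HIGH", "warning": "MEDIUM", "info": "LOW", "style": "LOW"}  # assumption
    return [Finding(key=f'{r["code"]}:{r["line"]}', severity=level_map.get(r.get("level", ""), "UNKNOWN"),
                    summary=r.get("message", ""), line=r["line"], sources={"hadolint"}) for r in report]


def from_scout_sarif(report: dict) -> list:
    """Docker Scout as SARIF: runs[].results[] (assumed; adjust field paths if needed)."""
    level_map = {"error": "HIGH", "warning": "MEDIUM", "note": "LOW"}
    out = []
    for run in report.get("runs", []):
        for r in run.get("results", []):
            props = r.get("properties", {})  # assumption: package details live here
            sev = props.get("severity", level_map.get(r.get("level", ""), "UNKNOWN")).upper()
            out.append(Finding(key=f'{r["ruleId"]}:{props.get("package", "")}', severity=sev,
                               summary=r.get("message", {}).get("text", ""),
                               package=props.get("package", ""), installed=props.get("installed", ""),
                               fixed=props.get("fixed", ""), sources={"scout"}))
    return out


def correlate(findings: list) -> list:
    """Merge findings sharing a key (highest severity wins, any known fix is kept),
    then rank: severity first, fixable issues next, then how many tools agree."""
    merged = {}
    for f in findings:
        m = merged.get(f.key)
        if m is None:
            merged[f.key] = f
            continue
        m.sources |= f.sources
        if SEVERITY_RANK[f.severity] > SEVERITY_RANK[m.severity]:
            m.severity = f.severity
        m.fixed = m.fixed or f.fixed
    return sorted(merged.values(), reverse=True,
                  key=lambda f: (SEVERITY_RANK[f.severity], bool(f.fixed), len(f.sources)))


def to_prompt_metadata(findings: list) -> list:
    """Allow-list projection: only these fields cross the boundary to the LLM.
    No layer contents, files or environment values are ever stored on a Finding."""
    return [{k: (sorted(getattr(f, k)) if k == "sources" else getattr(f, k))
             for k in ALLOWED_FIELDS} for f in findings]


# Constructed sample reports (placeholder IDs, versions and messages).
TRIVY_SAMPLE = {"Results": [{"Target": "demo:latest", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0001", "PkgName": "openssl", "InstalledVersion": "1.0.0",
     "FixedVersion": "1.0.1", "Severity": "HIGH", "Title": "placeholder openssl issue"},
    {"VulnerabilityID": "CVE-0000-0002", "PkgName": "zlib", "InstalledVersion": "1.0.0",
     "Severity": "CRITICAL", "Title": "placeholder zlib issue"}]}]}
SCOUT_SAMPLE = {"runs": [{"results": [
    {"ruleId": "CVE-0000-0001", "level": "error", "message": {"text": "placeholder openssl issue"},
     "properties": {"package": "openssl", "installed": "1.0.0", "fixed": "1.0.1", "severity": "HIGH"}},
    {"ruleId": "CVE-0000-0003", "level": "warning", "message": {"text": "placeholder curl issue"},
     "properties": {"package": "curl", "installed": "2.0.0", "fixed": "2.0.1"}}]}]}
HADOLINT_SAMPLE = [
    {"line": 1, "code": "DL3007", "level": "warning", "message": "Using latest is prone to errors"},
    {"line": 4, "code": "DL3008", "level": "warning", "message": "Pin versions in apt get install"}]


def rank_sample() -> list:
    """Run the full pipeline over the constructed samples and return the ranked findings."""
    return correlate(from_trivy(TRIVY_SAMPLE) + from_scout_sarif(SCOUT_SAMPLE) + from_hadolint(HADOLINT_SAMPLE))


if __name__ == "__main__":
    for m in to_prompt_metadata(rank_sample()):
        print(m["severity"], m["key"], "fix:", m["fixed"] or "none", "seen by:", ",".join(m["sources"]))
```

The ranking key deliberately puts a fixable HIGH above an unfixable one of the same severity: the developer-facing output is "change these lines", so issues with a known fixed version are what the LLM should explain first. Swapping a cloud model for Ollama changes nothing in this code; the allow-list projection is the control that matters either way.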
"On a typical day I would scan a container image and get back 200+ CVEs. Most were noise, a few were real, but there was no easy way to tell a developer 'fix these three lines and you are good'. Security tools are great at finding problems but bad at helping people fix them."
"I scanned 15 images and found 183 vulnerabilities rated with high severity and a further 15 rated as critical. For example, HashiCorp Vault - a tool built specifically to secure secrets - shipped with 40 vulnerabilities in its own image."
"DockSec includes no new vulnerability scanner, but simply runs Trivy, Hadolint, and Docker Scout locally. Then comes the new functionality: an LLM correlates the findings across all three to remove duplicates and rank by real impact. The scanning is done locally, and only the scan metadata goes to the LLM - never the image content."
"Everything is done locally. The LLM used can be selected from OpenAI, Anthropic, and Google Gemini, and run locally through Ollama. Its function is to generate plain-English explanations and exact Dockerfile fixes delivered via Markdown, the lingua franca for developers."
#container-security #vulnerability-management #llm-assisted-remediation #dockerfile-hardening #open-source-tools
Read at SecurityWeek