Open Source DockSec Uses AI to Cut Through Vulnerability Noise in Docker Images

DockSec is an open source security tool born out of frustration and raised by Advait Patel.

The frustration originates in the growing recognition that AI is excellent at finding vulnerabilities, but poor at explaining how to fix them. “On a typical day I would scan a container image and get back 200+ CVEs. Most were noise, a few were real, but there was no easy way to tell a developer ‘fix these three lines and you are good’. Security tools are great at finding problems but bad at helping people fix them.”

Perhaps because of this difficulty in fixing known vulnerabilities in a timely fashion, software images are entering Docker still containing unfixed vulnerabilities. “I scanned 15 images and found 183 vulnerabilities rated with high severity and a further 15 rated as critical,” he continues. “For example, HashiCorp Vault – a tool built specifically to secure secrets – shipped with 40 vulnerabilities in its own image.”

The threat is that when vulnerabilities are included within the images, they may automatically be run by Docker and even included within the CI/CD pipeline. This is a threat Patel set himself to solve by developing an open source tool he calls DockSec (recently adopted by OWASP into its official project portfolio).