Free Online Security Tool
Paste any Dockerfile to check for security vulnerabilities in seconds. Detects outdated base images with known CVEs, root user execution, hardcoded secrets, exposed ports, and dangerous instructions. No CLI, no Docker daemon, no login required.
Most vulnerability scanners require installing a CLI tool, running a Docker daemon, or building the image first. This tool performs static Dockerfile analysis — catching security issues before the image is even built, directly in your browser.
A Docker image vulnerability is a security weakness embedded inside a container image that can be exploited to compromise the container, its host, or the broader infrastructure. Unlike application vulnerabilities in source code, image vulnerabilities often come from the environment the application runs in — the base OS, the installed packages, the runtime configuration, or the instructions used to build the image.
Container image vulnerabilities fall into several categories. Base image CVEs are the most common — an outdated Ubuntu or Node.js base image may contain dozens of unpatched known vulnerabilities from its package repositories. Configuration vulnerabilities include running as root, exposing sensitive ports, or using hardcoded credentials. Supply chain vulnerabilities arise from pulling remote scripts or using untrusted registries without verification.
The distinction between a Docker image vulnerability and a running container vulnerability matters for remediation. Image vulnerabilities are fixed by modifying the Dockerfile and rebuilding. Runtime vulnerabilities — where an attacker has already exploited a weakness — require incident response. This tool focuses on catching image vulnerabilities before deployment, at the Dockerfile level.
Every instruction in a Dockerfile creates a new read-only layer in the final image. A Docker image is a stack of these layers, and vulnerabilities can be introduced at any of them. An image layer vulnerability assessment examines each layer for security risks — not just the final state of the container.
This tool checks Dockerfiles against 14 security rules covering the most common vulnerability categories found in production container images.
Detects EOL images: ubuntu:18.04, node:14, node:12, python:3.7, python:3.8, debian:stretch, centos:7. These no longer receive security patches.
Flags containers with no USER directive. The default Docker user is root — container escape means host root access.
Scans ENV for patterns matching PASSWORD, SECRET, API_KEY, TOKEN, PRIVATE_KEY. These are baked into every image layer.
Detects curl URL | bash and wget URL | bash patterns — the most common supply chain attack vector in Dockerfiles.
Detects :latest usage. Non-deterministic builds can silently introduce new CVEs without warning on the next pull.
Flags EXPOSE 22 (SSH), 3306 (MySQL), 5432 (PostgreSQL), 6379 (Redis), 27017 (MongoDB), 9200 (Elasticsearch).
Flags ADD https:// — downloads remote content at build time without integrity verification. A supply chain risk.
Flags Dockerfiles without a HEALTHCHECK directive. Orchestrators cannot detect broken containers without one.
Scanning is one step in a broader security posture. Here are the most impactful practices for reducing Docker image vulnerability exposure across the build pipeline.
Instead of FROM node:20-alpine, use FROM node:20.11.0-alpine3.19 or even FROM node@sha256:... for fully reproducible builds that can't be silently changed upstream.
Create a dedicated non-root user with RUN addgroup -S app && adduser -S app -G app and set USER app before CMD or ENTRYPOINT.
Use Docker secrets (docker secret create) or Kubernetes secrets. Secrets in ENV variables are baked into image layers and visible in docker history to anyone with image access.
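The rule categories listed above and the remediation steps just given can be exercised together in a small static checker. The block below is an added example written for this page, not the site's scanner or its rule set: the rule ids, the regular expressions, and the two sample Dockerfiles (the second is the hardened counterpart of the first, using the pinned tag, non-root user and a BuildKit secret mount in place of ENV) are constructed here. It goes slightly beyond the page's rules in two places: a FROM with no tag at all is reported as unpinned, and an explicit USER root is reported together with a missing USER.

```python
"""Pattern-based Dockerfile checker (added example, not the page's own tool)."""
import re
from typing import List, NamedTuple

# Tags and ports are the ones the page names; rule ids and regexes are assumptions.
EOL_IMAGES = {"ubuntu:18.04", "node:14", "node:12", "python:3.7",
              "python:3.8", "debian:stretch", "centos:7"}
SENSITIVE_PORTS = {"22": "SSH", "3306": "MySQL", "5432": "PostgreSQL",
                   "6379": "Redis", "27017": "MongoDB", "9200": "Elasticsearch"}
SECRET_KEY = re.compile(r"PASSWORD|SECRET|API_KEY|TOKEN|PRIVATE_KEY", re.I)
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z)?sh\b")
ENV_KEY = re.compile(r"(?:^|\s)([A-Za-z_][A-Za-z0-9_]*)=")


class Finding(NamedTuple):
    rule: str
    line: int  # 1-based line of the offending instruction; 0 = whole file
    message: str


def parse(text: str):
    """Yield (line, INSTRUCTION, args); joins backslash continuations and skips
    blank and comment lines (Dockerfile allows those inside a continuation)."""
    buf, start = [], 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        start = start if buf else no
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        parts = " ".join(buf + [line]).split(None, 1)
        buf = []
        yield start, parts[0].upper(), (parts[1] if len(parts) > 1 else "")


def scan(text: str) -> List[Finding]:
    instructions = list(parse(text))
    found: List[Finding] = []
    stages, user = set(), None

    def hit(rule: str, line: int, msg: str) -> None:
        found.append(Finding(rule, line, msg))

    for line, name, args in instructions:
        if name == "FROM":
            tokens = [t for t in args.split() if not t.startswith("--")]  # skip --platform
            image = tokens[0] if tokens else ""
            if len(tokens) >= 3 and tokens[1].upper() == "AS":
                stages.add(tokens[2])
            if image in stages or image == "scratch":
                continue  # earlier build stage or empty base: nothing to pin
            if image.lower() in EOL_IMAGES:
                hit("eol-base-image", line, f"{image} no longer receives patches")
            ref = image.rsplit("/", 1)[-1]  # registry[:port]/namespace stripped
            if ref.endswith(":latest") or (":" not in ref and "@" not in ref):
                hit("unpinned-base-image", line, f"{image} floats; pin a tag or digest")
        elif name == "RUN" and PIPE_TO_SHELL.search(args):
            hit("pipe-to-shell", line, "remote script piped straight into a shell")
        elif name == "ENV":
            for key in ENV_KEY.findall(args) or args.split()[:1]:  # KEY=v or KEY v
                if SECRET_KEY.search(key):
                    hit("secret-in-env", line, f"{key} is baked into the image layers")
        elif name == "EXPOSE":
            for port in (p.split("/")[0] for p in args.split()):  # drop /tcp, /udp
                if port in SENSITIVE_PORTS:
                    hit("sensitive-port", line, f"{port} ({SENSITIVE_PORTS[port]}) exposed")
        elif name == "ADD" and re.search(r"https?://", args):
            hit("add-remote-url", line, "ADD fetches remote content with no integrity check")
        elif name == "USER":
            user = args.split()[0] if args else None
    if user is None or user.split(":")[0] in ("root", "0"):
        hit("missing-user", 0, "process runs as root (no USER, or USER root)")
    if all(name != "HEALTHCHECK" for _, name, _ in instructions):
        hit("missing-healthcheck", 0, "no HEALTHCHECK directive")
    return found


# Constructed samples; example.invalid is a reserved placeholder domain.
VULNERABLE_DOCKERFILE = r"""
FROM node:14 AS build
RUN npm ci
FROM node:latest
ENV API_KEY=abc123 \
    NODE_ENV=production
RUN curl -sSL https://example.invalid/install.sh | bash
ADD https://example.invalid/config.tar.gz /app/
EXPOSE 3000 6379
CMD ["node", "server.js"]
""".strip("\n")

HARDENED_DOCKERFILE = r"""
FROM node:20.11.0-alpine3.19
RUN addgroup -S app && adduser -S app -G app
WORKDIR /app
COPY --chown=app:app . .
RUN --mount=type=secret,id=npmrc,target=/root/.npmrc npm ci
USER app
EXPOSE 3000
HEALTHCHECK --interval=30s CMD wget -qO- http://127.0.0.1:3000/healthz || exit 1
CMD ["node", "server.js"]
""".strip("\n")

if __name__ == "__main__":
    print(*(f"{f.rule}@{f.line}: {f.message}" for f in scan(VULNERABLE_DOCKERFILE)), sep="\n")
```

Run as a script it lists eight findings for the first sample; `scan(HARDENED_DOCKERFILE)` returns an empty list. Because the parser joins backslash continuations before matching, a secret placed on the second line of a multi-line ENV is still reported against the line where that ENV begins, which is the case a line-by-line grep misses.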
Trivy and Snyk are the industry standards for Docker image vulnerability scanning — they query live CVE databases and scan actual image layers. This tool is a free, zero-setup alternative for Dockerfile-level static analysis, ideal for pre-build checks and quick audits.
| Feature | This Tool | Trivy | Snyk Container |
|---|---|---|---|
| Requires CLI install | ✓ No install | ✗ CLI required | ✗ CLI / account |
| Requires Docker daemon | ✓ No daemon | ✗ Needs Docker | ✗ Needs Docker |
| Works on unbuilt Dockerfile | ✓ Yes | ✗ Needs built image | ✗ Needs built image |
| Live CVE database | ✗ Pattern-based | ✓ Full CVE DB | ✓ Full CVE DB |
| Package-level CVE scan | ✗ Not available | ✓ Full scan | ✓ Full scan |
| Login required | ✓ No account | ✓ No account | ✗ Account needed |
| Free | ✓ Always free | ✓ Open source | — Free tier limited |
Need package-level CVE scanning against a live vulnerability database? Use Trivy — it's open source and the industry standard. Need a quick Dockerfile audit before committing or sharing? This tool is faster with zero setup.
Common questions from developers and security engineers dealing with container security — the kind of discussions found on Reddit, DevSecOps forums, and Docker community channels.
What's the fastest way to check a Dockerfile for vulnerabilities before pushing to a registry?
For a quick pre-commit check: paste the Dockerfile into this browser scanner. It catches the most common issues — EOL base images, root user, hardcoded secrets, exposed ports — in seconds with no setup. For a full CVE scan before pushing to a registry, use trivy image --severity HIGH,CRITICAL myimage:latest as part of your CI/CD pipeline. The two approaches are complementary, not competing.
How do I know if my base image has known CVEs without pulling it?
Check the base image version against its official end-of-life date. Ubuntu 18.04, Node.js 14, Python 3.7, and Debian Stretch are all past EOL and receive no security patches. Any image built on these bases inherits all their unpatched vulnerabilities. The Docker Hub page for official images lists active CVE counts — or paste your FROM line into this scanner to get an instant flag.
Why does my Docker image fail security scans even after I update the base image?
Updating the base image fixes base-image CVEs but not package-level CVEs introduced by your own RUN instructions. If you install packages with apt-get install without pinning versions, you may be installing vulnerable package versions. Also check: are you running as root? Do you have hardcoded credentials? Are you exposing database ports? Each of these is flagged independently from the base image.
Is it safe to use Docker Hub images without scanning them?
Official Docker Hub images (marked with the blue "Official Image" badge) are regularly scanned and maintained. However, "popular" community images without the official badge should always be scanned before use. Even official images can have CVEs between update cycles. Docker Hub's vulnerability scanning tab shows the current CVE count for each image tag — always check before pulling, especially for older tags.
What's the difference between a Dockerfile vulnerability scanner and a runtime scanner like Falco?
A Dockerfile scanner (like this tool or Trivy) analyzes the image before it runs — it finds CVEs in packages, misconfigurations, and dangerous instructions at build time. A runtime scanner like Falco or Sysdig monitors container behavior while it's running — detecting unexpected syscalls, file access, or network connections that indicate an active attack. Both are necessary: build-time scanning prevents deploying vulnerable images, runtime scanning catches what slips through and detects post-exploitation activity.
Should I scan Docker images in CI/CD even if I scanned the Dockerfile already?
Yes. Dockerfile analysis catches configuration and base image issues at write time. But by the time your CI/CD pipeline runs, the base image may have changed (if not pinned), new CVEs may have been disclosed, and your dependency lock files may have resolved to vulnerable package versions. Run both: static Dockerfile analysis early (this tool), and a full image scan (Trivy) after the image is built, as a pipeline gate before pushing to your registry.