Docker Image Vulnerability Scanner

Paste your Dockerfile or image configuration to detect security vulnerabilities, outdated base images, dangerous instructions, exposed ports, and CVE-prone patterns. Free, client-side, no login required.

Features: Dockerfile analysis · CVE pattern detection · base image check · root user detection · exposed ports · security score · free, no login

What Docker Vulnerabilities Does This Tool Detect?

Outdated Base Images

Detects EOL and known-vulnerable base images like ubuntu:18.04, node:14, python:3.8, debian:stretch, and centos:7.

Root User Execution

Flags containers running as root (no USER directive). Running as root is the most common Docker security mistake.

Unpinned "latest" Tag

Detects use of :latest tag which creates non-deterministic builds and can silently introduce vulnerabilities.

Hardcoded Secrets

Scans ENV variables for patterns matching passwords, tokens, API keys, and connection strings embedded in the Dockerfile.

Sensitive Port Exposure

Detects exposure of dangerous ports: SSH (22), MySQL (3306), PostgreSQL (5432), Redis (6379), MongoDB (27017), and others.

Dangerous Instructions

Flags use of ADD instead of COPY, --privileged mode, curl | bash pipe patterns, and missing HEALTHCHECK directives.
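As an added illustration of the checks listed above (example code written for this page, not the scanner's own source), here is a small Python static analyser that parses a Dockerfile, applies each of the detections described (EOL base image, unpinned tag, root user, hardcoded ENV secrets, sensitive EXPOSE ports, ADD instead of COPY, curl-pipe-to-shell, missing HEALTHCHECK) and computes a security score. The EOL image list is the one named on this page, the severity weights are this example's own choice, and the two embedded Dockerfiles are constructed inputs: one deliberately flawed, one hardened with a pinned supported base, a non-root USER and COPY instead of ADD.

```python
import re
from dataclasses import dataclass
# Constructed sample input carrying several of the issues listed above (not a real project's Dockerfile).
VULNERABLE_DOCKERFILE = """\
FROM ubuntu:18.04
ENV DB_PASSWORD=supersecret123
ENV API_KEY=${API_KEY}
RUN curl -sSL https://example.invalid/install.sh | bash
ADD app.tar.gz /opt/app
EXPOSE 22 8080
"""

# Constructed hardened rewrite: pinned supported base, no secrets, COPY, non-root USER, HEALTHCHECK.
HARDENED_DOCKERFILE = """\
FROM python:3.12-slim
RUN groupadd -r app && useradd -r -g app app
COPY --chown=app:app app/ /opt/app
USER app
EXPOSE 8080
HEALTHCHECK CMD curl -f http://localhost:8080/health || exit 1
"""

# EOL / known-vulnerable bases named on this page; a real scanner keeps this list current from vendor data.
EOL_IMAGES = {"ubuntu:18.04", "node:14", "python:3.7", "python:3.8", "debian:stretch", "centos:7"}
SENSITIVE_PORTS = {22: "SSH", 3306: "MySQL", 5432: "PostgreSQL", 6379: "Redis", 27017: "MongoDB"}
SECRET_KEY_RE = re.compile(r"passw(or)?d|secret|token|api[_-]?key|connection[_-]?string", re.I)
PIPE_TO_SHELL_RE = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z|da)?sh\b")
ENV_PAIR_RE = re.compile(r"([A-Za-z_][A-Za-z0-9_]*)=(\"[^\"]*\"|'[^']*'|\S*)")
SEVERITY_WEIGHT = {"critical": 25, "high": 15, "medium": 10, "low": 5}  # this example's own weights

@dataclass
class Finding:
    severity: str  # critical / high / medium / low
    rule: str
    message: str

def parse_dockerfile(text):
    """Return (INSTRUCTION, argument) pairs, joining backslash continuations and skipping comments."""
    instructions, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        parts = (buf + line).split(None, 1)
        instructions.append((parts[0].upper(), parts[1] if len(parts) > 1 else ""))
        buf = ""
    return instructions

def _env_pairs(arg):
    """Both ENV forms: KEY=VAL [KEY2=VAL2 ...] and the legacy 'KEY VAL' (normalised to KEY=VAL)."""
    if "=" not in (arg.split(None, 1) or [""])[0]:
        arg = "=".join(arg.split(None, 1))
    return [(k, v.strip("\"'")) for k, v in ENV_PAIR_RE.findall(arg)]

def scan_dockerfile(text):
    """Run every check and return a list of Findings (an empty list means clean)."""
    findings, last_user, has_healthcheck = [], None, False
    for instr, arg in parse_dockerfile(text):
        if instr == "FROM":
            tokens = [t for t in arg.split() if not t.startswith("--")]  # drop --platform=... flags
            ref = tokens[0] if tokens else ""  # ignore the "AS stage" alias of multi-stage builds
            if ref == "scratch" or "@sha256:" in ref:
                continue  # empty base or digest-pinned: nothing to flag
            image = ref.rsplit("/", 1)[-1]  # strip registry/namespace before matching
            tag = image.partition(":")[2]
            if not tag or tag == "latest":
                findings.append(Finding("medium", "latest_tag", f"base image {ref!r} is unpinned"))
            elif image in EOL_IMAGES:
                findings.append(Finding("high", "outdated_base", f"base image {ref!r} is end-of-life"))
        elif instr == "USER":
            last_user = arg.split(":")[0].strip()  # the last USER wins
        elif instr == "ENV":
            for key, value in _env_pairs(arg):
                # A value such as ${API_KEY} is resolved at build time, so it is not a literal secret.
                if SECRET_KEY_RE.search(key) and value and not value.startswith("$"):
                    findings.append(Finding("critical", "hardcoded_secret", f"ENV {key} embeds a secret"))
        elif instr == "EXPOSE":
            for spec in arg.split():
                port = spec.split("/")[0]  # "22/tcp" -> "22"; skip ranges and ${VAR} forms
                if port.isdigit() and int(port) in SENSITIVE_PORTS:
                    findings.append(Finding("medium", "sensitive_port", f"port {port} ({SENSITIVE_PORTS[int(port)]}) exposed"))
        elif instr == "ADD":
            findings.append(Finding("low", "add_instruction", "ADD fetches URLs and unpacks archives; use COPY"))
        elif instr == "RUN" and PIPE_TO_SHELL_RE.search(arg):
            findings.append(Finding("high", "pipe_to_shell", "remote script piped straight into a shell"))
        elif instr == "HEALTHCHECK":
            has_healthcheck = True
    if last_user is None or last_user in ("root", "0"):
        findings.append(Finding("high", "root_user", "no non-root USER; container runs as root"))
    if not has_healthcheck:
        findings.append(Finding("low", "no_healthcheck", "no HEALTHCHECK directive"))
    return findings

def security_score(findings):
    """100 minus a per-severity penalty, floored at 0."""
    return max(0, 100 - sum(SEVERITY_WEIGHT[f.severity] for f in findings))
```

Running scan_dockerfile on the constructed vulnerable Dockerfile returns seven findings and a score of 10; the hardened one returns none and scores 100. The ENV API_KEY=${API_KEY} line is deliberately not flagged: a build-time variable reference is not a literal secret, which is the kind of false positive a key-name heuristic has to allow for (a production scanner would also look at value entropy and ARG usage rather than key names alone).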

How to Scan a Docker Image for Vulnerabilities

  1. Open your Dockerfile in any text editor or IDE.
  2. Copy the full contents of the Dockerfile.
  3. Paste it above and click Scan for Vulnerabilities.
  4. Review findings — each vulnerability includes severity, description, and a recommended fix.
  5. Apply fixes — update base images, remove hardcoded secrets, add non-root USER, and pin versions.

Click Load Sample Dockerfile to see the scanner in action with a pre-built example containing multiple vulnerabilities.

Docker Image Security Best Practices

Frequently Asked Questions

What is an image layer vulnerability assessment?

Each instruction in a Dockerfile (RUN, COPY, ADD) creates a new layer in the image. An image layer vulnerability assessment examines each layer for security issues — packages installed in a RUN layer, files added in a COPY layer, or environment variables set in ENV. This tool analyzes the Dockerfile instructions that define those layers.

Why is running as root in Docker dangerous?

If an attacker exploits a vulnerability in your containerized application and the container runs as root, they can potentially escape the container and gain root access to the host system. Using a non-root USER limits the blast radius of any container compromise.

Which base images have known CVEs?

Images based on end-of-life distributions are most at risk: ubuntu:18.04 (EOL April 2023), node:14 (EOL April 2023), python:3.7 (EOL June 2023), debian:stretch (EOL June 2022), centos:7 (EOL June 2024). Always use current supported versions.

How is this different from Trivy or Snyk?

Tools like Trivy and Snyk pull live vulnerability databases and scan actual image layers against real CVE records. This tool performs instant static analysis of your Dockerfile — no image pull, no CLI setup, no account required. It catches configuration mistakes, outdated base images, and security anti-patterns immediately in the browser.

Should I use ADD or COPY in my Dockerfile?

Always prefer COPY over ADD. ADD has two behaviors beyond simple file copying: it can fetch remote URLs and auto-extract archives. These implicit behaviors can introduce unintended files or allow remote content injection. COPY does exactly what it says — nothing more.