
Open Source DockSec Uses AI to Cut Through Vulnerability Noise in Docker Images

DockSec is an open source security tool born out of frustration and raised by Advait Patel.

The frustration originates in the growing recognition that AI is very good at finding vulnerabilities, but poor at explaining how to fix them. “On a typical day I’d scan a container image and get back 200+ CVEs. Most were noise, a few were real, but there was no easy way to tell a developer ‘fix these three lines and you’re good’. Security tools are great at finding problems but bad at helping people fix them.”

Perhaps because of this difficulty in fixing known vulnerabilities in a timely fashion, software images are entering Docker still containing unfixed vulnerabilities. “I scanned 15 images and found 183 vulnerabilities rated with high severity and a further 15 rated as critical,” he continues. “For example, HashiCorp Vault – a tool built specifically to secure secrets – shipped with 40 vulnerabilities in its own image.”

The threat is that when vulnerabilities are included within the images, they may routinely be run by Docker and even included within the CI/CD pipeline. This is a threat Patel set himself to solve by creating an open source tool he calls DockSec (recently adopted by OWASP into its official project portfolio).

DockSec

The challenge is not in finding the vulnerabilities, but in helping developers fix them. DockSec includes no new vulnerability scanner, but simply runs Trivy, Hadolint, and Docker Scout locally. Then comes the new functionality: an LLM correlates the findings across all three to remove duplicates and rank by real impact. The scanning is done locally, and only the scan metadata goes to the LLM – never the image content.

The scanning itself is done locally. The LLM can be chosen from OpenAI, Anthropic, and Google Gemini, or run locally via Ollama. Its function is to generate plain-English explanations and actual Dockerfile fixes delivered via Markdown, the lingua franca for developers. DockSec closes the gap between vulnerability detection and vulnerability fixing.
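As an added illustration of the correlate, rank and redact step described above (written for this article, not DockSec's own code; the scanner output shapes, the placeholder identifiers, the `layer` field and the image name are all constructed), the following Python merges findings from three scanners into one entry per flaw, orders them so that fixable, high-severity, multiply-confirmed items come first, and builds an outbound payload that allow-lists metadata fields so nothing image-internal leaves the machine:

```python
"""Added example (not DockSec's own code): the correlate-rank-redact step the
article attributes to DockSec, written from scratch against constructed scanner
output. Real Trivy, Hadolint and Docker Scout reports are richer and differ in
shape; the dict fields below are a simplified stand-in."""

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "UNKNOWN": 0}

# Only these fields may leave the machine. Layer digests, file contents and
# environment values stay local, matching the "only scan metadata goes to the
# LLM, never the image content" constraint described in the article.
ALLOWED_FIELDS = ("id", "pkg", "installed", "fixed", "severity", "sources", "msg")

# Constructed sample findings. Identifiers are placeholders, not real CVEs;
# "layer" stands in for image-internal detail that must never be sent out.
CONSTRUCTED_FINDINGS = {
    "trivy": [
        {"id": "CVE-EXAMPLE-0001", "pkg": "libfoo", "installed": "1.0.0",
         "fixed": "1.0.1", "severity": "CRITICAL", "layer": "sha256:PLACEHOLDER"},
        {"id": "CVE-EXAMPLE-0002", "pkg": "libbar", "installed": "2.3.0",
         "fixed": "2.3.4", "severity": "HIGH", "layer": "sha256:PLACEHOLDER"},
        {"id": "CVE-EXAMPLE-0003", "pkg": "libbaz", "installed": "0.9.0",
         "fixed": None, "severity": "HIGH", "layer": "sha256:PLACEHOLDER"},
    ],
    "hadolint": [
        # Hadolint reports Dockerfile lint rules rather than CVEs; DL3007 is its
        # real rule for an unpinned `latest` tag (the message text is paraphrased).
        {"id": "DL3007", "severity": "LOW",
         "msg": "Using latest is prone to errors; pin the base image tag"},
    ],
    "scout": [
        {"id": "CVE-EXAMPLE-0001", "pkg": "libfoo", "installed": "1.0.0",
         "fixed": "1.0.1", "severity": "CRITICAL"},
        # Same flaw as trivy's second hit, but Scout grades it lower.
        {"id": "CVE-EXAMPLE-0002", "pkg": "libbar", "installed": "2.3.0",
         "fixed": "2.3.4", "severity": "MEDIUM"},
    ],
}


def correlate(findings_by_tool):
    """Merge all tools' findings into one entry per (id, package).

    The merged severity is the worst any tool reported, a fix version is kept
    if any tool knows one, and `sources` records which tools agreed.
    """
    merged = {}
    for tool, findings in findings_by_tool.items():
        for f in findings:
            key = (f["id"], f.get("pkg"))
            entry = merged.setdefault(key, {
                "id": f["id"], "pkg": f.get("pkg"), "installed": f.get("installed"),
                "fixed": None, "severity": "UNKNOWN", "sources": [], "msg": f.get("msg"),
            })
            sev = f.get("severity", "UNKNOWN")
            if SEVERITY_RANK[sev] > SEVERITY_RANK[entry["severity"]]:
                entry["severity"] = sev
            if f.get("fixed") and not entry["fixed"]:
                entry["fixed"] = f["fixed"]
            entry["sources"].append(tool)
    return list(merged.values())


def rank(entries):
    """Put actionable items first: fixable before unfixable, then by severity,
    then by how many independent tools flagged the same thing."""
    return sorted(entries, key=lambda e: (
        e["fixed"] is None, -SEVERITY_RANK[e["severity"]], -len(e["sources"])))


def llm_payload(entries, image_ref):
    """Build the request for the explain-and-fix step, allow-listing fields so
    that only scan metadata is sent. `image_ref` is a name, not image content."""
    return {
        "image": image_ref,
        "findings": [{k: e[k] for k in ALLOWED_FIELDS if e.get(k) is not None}
                     for e in entries],
    }


def to_markdown(entries):
    """Render the ranked list as the kind of Markdown table a developer can act
    on; the LLM's explanation and Dockerfile patch would be appended to this."""
    rows = ["| # | id | package | installed | fixed in | severity | reported by |",
            "|---|----|---------|-----------|----------|----------|-------------|"]
    for i, e in enumerate(entries, 1):
        rows.append(f"| {i} | {e['id']} | {e['pkg'] or '-'} | {e['installed'] or '-'} | "
                    f"{e['fixed'] or 'no fix yet'} | {e['severity']} | {', '.join(e['sources'])} |")
    return "\n".join(rows)


def summarize(findings_by_tool, image_ref):
    """Full local pipeline: correlate, rank, then redact to the outbound payload."""
    return llm_payload(rank(correlate(findings_by_tool)), image_ref)


if __name__ == "__main__":
    ranked = rank(correlate(CONSTRUCTED_FINDINGS))
    print(to_markdown(ranked))
    print(summarize(CONSTRUCTED_FINDINGS, "registry.example/app:1.0"))
```

On the constructed input, six raw findings collapse to four, the flaw both Trivy and Scout agree on lands at the top, the one with no fix available sinks below the fixable ones, and the `layer` field never reaches the payload. The allow-list is the part worth keeping when adapting this pattern: a deny-list would silently leak any new field a scanner starts emitting.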

Patel is the architect and lead developer of DockSec. But the project itself has grown beyond just himself. “OWASP recognition and adoption as an OWASP incubator project was a turning point,” he explains. “Before that it was a personal project people found through GitHub. After OWASP, enterprise teams started taking it seriously because it now sits within a trusted, vetted ecosystem. Contributions also picked up, more pull requests, better issue quality, and security folks started suggesting features instead of just filing bugs. With OWASP comes a responsibility to keep it open, vendor-neutral, and useful for the community first. That is a good constraint to design under.”


It’s now community-driven open source, with Patel at the forefront. Downloads are approaching 18,000, and pull requests stand at 90. And it’s an example of the purity of open source development. Patel conceived and created it in his own spare time. It’s free to download and free to use; and he makes no money from it.

But it’s more than just a single project. It’s a design methodology that can be adapted to other areas where AI finds the problems but doesn’t help in fixing them.

“DockSec can definitely be adapted. It isn’t just a security scanner that scans your code, that scans your architecture and scans your infrastructure. It’s a bridge between finding and fixing. We have tons and tons of tools in the market that act as a scanner, as a tool that can detect the gaps; but there are few that can lead you toward the remediation part, toward fixing that gap,” explains Patel.


“DockSec is one of them. If people, or the industry, or a company wants to adapt DockSec into their SOC automation, they can definitely do so. Using the findings of their scanners, the DockSec methodology could be used to fix the findings in a timely fashion.”
