From 200 CVEs to Actionable Fixes – DockSec Brings AI to Container Security
DockSec, an open-source AI-powered Docker security analyzer adopted as an OWASP Incubator Project, correlates findings from Trivy, Hadolint, and Docker Scout to rank CVEs by real-world impact and generate plain-English fixes.

A developer who runs a container image scan often sees a wall of 200 CVEs, most of which are noise. The report gets closed, the image ships, and vulnerabilities go with it. DockSec was built to close that gap. The open-source tool, now an OWASP Incubator Project, layers AI on top of existing scanners to correlate findings, eliminate duplicates, rank vulnerabilities by real-world impact, and generate exact Dockerfile fixes in plain English.
DockSec was built by Advait Patel, a senior SRE at Broadcom, entirely in his spare time. It is MIT-licensed and installable with `pip install docksec`. Rather than replacing scanners such as Trivy, Hadolint, and Docker Scout, it runs them locally and passes only the scan metadata — never image contents — to an LLM of the user's choice. Supported LLM providers include OpenAI, Anthropic Claude, Google Gemini, and Ollama for fully offline teams. Output formats cover HTML, PDF, JSON, Markdown, and CSV.
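To make the correlate-dedupe-rank-then-ask-an-LLM pipeline concrete, here is an added example (my own illustration, not DockSec's code) that merges findings from a Trivy-shaped report, a second scanner's report, and Hadolint output, ranks them with a simplified severity-plus-fixability heuristic, and builds an allowlisted, metadata-only payload for an LLM. The scanner outputs, CVE ids, package names and versions are all constructed placeholders; the second scanner's schema is invented, and the ranking heuristic is an assumption, not DockSec's algorithm.

```python
"""Correlate, dedupe and rank container-scan findings, then build a
metadata-only LLM payload. Added illustration, not DockSec's own code."""
import json
from dataclasses import dataclass, field

# Constructed sample scanner output. TRIVY_JSON mimics the shape of a Trivy
# JSON report; SECOND_SCANNER_JSON uses an invented schema standing in for any
# other scanner (e.g. Docker Scout); HADOLINT_JSON mimics Hadolint's JSON.
# Every CVE id, package and version below is a placeholder, not a real finding.
TRIVY_JSON = json.dumps({
    "Results": [{
        "Target": "example.invalid/app:1.0 (debian 12)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-00001", "PkgName": "libexample",
             "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1",
             "Severity": "CRITICAL", "Layer": {"Digest": "sha256:placeholder"}},
            {"VulnerabilityID": "CVE-0000-00002", "PkgName": "libother",
             "InstalledVersion": "2.3.0", "FixedVersion": "",
             "Severity": "HIGH", "Layer": {"Digest": "sha256:placeholder"}},
            {"VulnerabilityID": "CVE-0000-00003", "PkgName": "libnoise",
             "InstalledVersion": "0.1", "FixedVersion": "0.2",
             "Severity": "LOW", "Layer": {"Digest": "sha256:placeholder"}},
        ],
    }]
})
SECOND_SCANNER_JSON = json.dumps([  # re-reports one CVE Trivy already found
    {"id": "CVE-0000-00001", "package": "libexample", "installed": "1.0.0",
     "fixed": "1.0.1", "severity": "critical"},
])
HADOLINT_JSON = json.dumps([
    {"file": "Dockerfile", "line": 1, "column": 1, "level": "warning",
     "code": "DL3007", "message": "Using latest is prone to errors"},
])

SEVERITY_WEIGHT = {"CRITICAL": 10, "HIGH": 7, "MEDIUM": 4, "LOW": 1, "UNKNOWN": 2}


@dataclass
class Finding:
    id: str                  # CVE id or lint rule code
    severity: str
    package: str = ""
    installed: str = ""
    fixed: str = ""          # empty string means no fixed version is published
    location: str = ""       # e.g. "Dockerfile:1"
    sources: set = field(default_factory=set)

    def score(self) -> int:
        # Simplified impact heuristic (assumption): severity dominates, and a
        # finding with a published fix ranks above one a developer cannot act on.
        return SEVERITY_WEIGHT.get(self.severity, 2) * 10 + (5 if self.fixed else 0)


def parse_trivy(raw: str):
    for result in json.loads(raw).get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            yield Finding(v["VulnerabilityID"], v["Severity"].upper(), v["PkgName"],
                          v.get("InstalledVersion", ""), v.get("FixedVersion", ""),
                          result.get("Target", ""), {"trivy"})


def parse_second_scanner(raw: str):
    for v in json.loads(raw):
        yield Finding(v["id"], v["severity"].upper(), v["package"],
                      v.get("installed", ""), v.get("fixed", ""), "", {"scanner2"})


def parse_hadolint(raw: str):
    level = {"error": "HIGH", "warning": "MEDIUM", "info": "LOW", "style": "LOW"}
    for item in json.loads(raw):
        yield Finding(item["code"], level.get(item["level"], "LOW"),
                      location=f'{item["file"]}:{item["line"]}', sources={"hadolint"})


def correlate(*streams):
    """Merge duplicates across scanners (same id + package) and rank by score."""
    merged = {}
    for stream in streams:
        for f in stream:
            key = (f.id, f.package)
            if key in merged:
                m = merged[key]
                m.sources |= f.sources
                if SEVERITY_WEIGHT.get(f.severity, 2) > SEVERITY_WEIGHT.get(m.severity, 2):
                    m.severity = f.severity
                m.fixed = m.fixed or f.fixed  # keep any fix version we learn
            else:
                merged[key] = f
    return sorted(merged.values(), key=lambda f: f.score(), reverse=True)


# Allowlist of fields that may leave the machine: identifiers and versions only,
# never layer digests, file contents or anything else from the image itself.
PROMPT_FIELDS = ("id", "severity", "package", "installed", "fixed", "location")


def llm_payload(findings, top_n=3):
    """Metadata-only payload for the 'explain and propose a fix' prompt."""
    return [{k: getattr(f, k) for k in PROMPT_FIELDS} | {"sources": sorted(f.sources)}
            for f in findings[:top_n]]


if __name__ == "__main__":
    ranked = correlate(parse_trivy(TRIVY_JSON), parse_second_scanner(SECOND_SCANNER_JSON),
                       parse_hadolint(HADOLINT_JSON))
    print(json.dumps(llm_payload(ranked), indent=2))
```

The allowlist in `PROMPT_FIELDS` is the part worth copying: whatever ranking you use, the payload sent to a hosted model should be built from an explicit list of permitted fields, so that a scanner adding a new verbose field (layer digests, embedded file paths, secrets found in the image) cannot silently widen what leaves your network.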
Patel described the frustration that drove the project: "On a typical day I would scan a container image and get back 200+ CVEs. Most were noise, a few were real, but there was no easy way to tell a developer 'fix these three lines and you are good.' Security tools are great at finding problems but bad at helping people fix them."
Most container security tooling falls into two camps: pure scanners like Trivy and Snyk that detect vulnerabilities but stop there, and enterprise platforms like Prisma Cloud that wrap detection in policy dashboards sized for large security teams. DockSec sits in between — it layers correlation, explanation, and concrete fixes on top of scanners developers already run, designed to live inside a CI pipeline or developer terminal rather than a security console nobody opens.
OWASP Incubator Project status changed how enterprise teams evaluate DockSec. Before, it was a GitHub project that developers stumbled on; afterward, it carried the vendor-neutral, community-accountable standing that procurement and security teams look for. The MIT license means no enterprise tier gating and no licensing risk.
Production numbers are concrete. An MVAS operator running services across 28 countries and 53 telecom operators integrated DockSec into their Jenkins pipeline. The results: critical CVEs reaching production dropped 78%, average triage time fell from 45 minutes to 6 minutes per image, and Dockerfile fixes shipped per sprint quadrupled. When a security report takes 6 minutes to read instead of 45, developers actually read it.
DockSec has more than 18,000 downloads on PyPI and over 220 GitHub stars. Patel is scheduled to present at OWASP Global AppSec EU in Vienna in June. If your pipeline is still handing developers a raw CVE list and hoping for the best, DockSec offers a concrete alternative — install it with `pip install docksec` or follow the project on GitHub.