Docker Security Scanner

Scan your Dockerfile for security vulnerabilities and best practices. Get recommendations to improve the security of your Docker images.

Dockerfile Security Scan
We'll analyze your Dockerfile for security vulnerabilities and best practices.
  • Identify outdated or vulnerable base images
  • Check for potential privilege escalation risks
  • Detect hardcoded secrets and credentials
  • Ensure Dockerfile follows security best practices

Security Analysis Results

Security Score: 75% (Needs Improvement)

Scan Summary
  1 Critical
  2 High
  3 Medium
  2 Low

Identified Issues

  • Running as root user
    Critical

    Your Dockerfile does not specify a non-root user, which means the container will run as root by default. Running containers as root is a security risk because if an attacker breaks out of the container, they would have root privileges on the host.

    FROM ubuntu:20.04
    RUN apt-get update && apt-get install -y nodejs npm
    WORKDIR /app
    COPY . .
    RUN npm install
    EXPOSE 3000
    CMD ["npm", "start"]
    Recommended Fix:
    FROM ubuntu:20.04
    RUN apt-get update && apt-get install -y nodejs npm
    WORKDIR /app
    COPY . .
    RUN npm install
    # Create a non-root user
    RUN groupadd -r nodejs && useradd -r -g nodejs nodejs
    # Set ownership of application files
    RUN chown -R nodejs:nodejs /app
    # Switch to non-root user
    USER nodejs
    EXPOSE 3000
    CMD ["npm", "start"]

    This fix creates a dedicated non-root user and group, then sets the appropriate ownership on your application files before switching to that user for running the container. This limits the potential impact of a container breakout vulnerability.

  • Using latest/default tag for base image
    High

    Your Dockerfile uses a base image tag (20.04) that is not pinned by digest. The tag names a release, but it does not fix a specific point release or image digest, so the image behind the tag can change whenever the base image is rebuilt, leading to unexpected changes in your builds.

    FROM ubuntu:20.04
    Recommended Fix:
    FROM ubuntu:20.04@sha256:80ef4a44043dec4490506e6cc4289eeda2d106a70fe32ef29cce1b1db48c2aad

    This fix pins the base image to a specific digest, ensuring your builds use exactly the same base image every time, preventing unexpected changes or vulnerabilities from newer images.

  • No .dockerignore file detected
    High

    Your Dockerfile uses a COPY . . instruction, but no .dockerignore file was detected. This can lead to sensitive files being included in your Docker image, such as git history, environment files, or secrets.

    COPY . .
    Recommended Fix:

    Create a .dockerignore file in your project with at minimum the following content:

    .git
    .gitignore
    node_modules
    npm-debug.log
    .env
    .env.*
    *.log
    *.md
    .dockerignore
    Dockerfile*

    Using a .dockerignore file prevents sensitive files from being copied into your Docker image, reducing the risk of secrets exposure and decreasing image size.

  • Not clearing package manager cache
    Medium

    Package manager cache files remain in the image, increasing image size unnecessarily and leaving behind package index files and downloaded archives that add to the image's attack surface.

    RUN apt-get update && apt-get install -y nodejs npm
    Recommended Fix:
    RUN apt-get update && \
        apt-get install -y nodejs npm && \
        apt-get clean && \
        rm -rf /var/lib/apt/lists/*

    This fix ensures package manager cache files are cleaned up in the same layer where packages are installed, reducing image size and potential attack surface.

Suggested Secured Dockerfile

Secured Version

Want to Learn More About Docker Security?

Check out our detailed tutorials on Docker security best practices, including securing your images, implementing least privilege, and scanning for vulnerabilities.

Browse Security Tutorials