[TOOLS] | 3 min read | OraCore Editors

18,000 downloads: DockSec adds AI fixes for Docker CVEs

OWASP incubator DockSec uses local scanners plus an LLM to cut Docker vulnerability noise and generate exact Dockerfile fixes.


DockSec combines local container scans with AI to rank Docker vulnerabilities and suggest exact fixes.

18,000 downloads and 90 pull requests later, DockSec is moving from side project to community security tool. The open source project, led by Advait Patel and now part of the OWASP incubator portfolio, is built to help teams sort real Docker image risk from scanner noise and turn findings into concrete fixes.

Item                                  Value
Downloads                             18,000
Pull requests                         90
Images scanned in example             15
High-severity vulnerabilities found   183
Critical vulnerabilities found        15
Vulnerabilities in Vault image        40

What changed


DockSec does not replace existing scanners. It runs Trivy, Hadolint, and Docker Scout locally, then uses an LLM to merge the results, remove duplicates, and rank issues by impact.


The point is not more alerts. Patel said a typical scan can return 200+ CVEs, many of them noise, while developers still need a short path to remediation. DockSec responds with plain-English guidance and exact Dockerfile edits in Markdown.

  • Scanning stays local.
  • Only scan metadata is sent to the LLM.
  • Users can choose OpenAI, Anthropic, or Google Gemini.
  • It can also run locally through Ollama.
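As an added example (not DockSec's own code), the merge, de-duplicate, rank and metadata-only steps described above, in Python over constructed sample output in the JSON shape of `trivy image --format json` and `hadolint --format json`; the Hadolint layout is an assumption and the CVE ids are placeholders.

```python
import json

# Constructed sample in the JSON shape of `trivy image --format json`
# (Results -> Vulnerabilities); CVE ids here are placeholders, not real CVEs.
TRIVY_JSON = json.dumps({"Results": [{"Target": "app (alpine 3.18)", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0001", "PkgName": "openssl", "InstalledVersion": "3.1.0-r0",
     "FixedVersion": "3.1.4-r0", "Severity": "CRITICAL"},
    {"VulnerabilityID": "CVE-0000-0001", "PkgName": "openssl", "InstalledVersion": "3.1.0-r0",
     "FixedVersion": "3.1.4-r0", "Severity": "CRITICAL"},  # same finding reported twice
    {"VulnerabilityID": "CVE-0000-0002", "PkgName": "zlib", "InstalledVersion": "1.2.13-r0",
     "FixedVersion": "", "Severity": "HIGH"},  # no fix available yet
    {"VulnerabilityID": "CVE-0000-0003", "PkgName": "busybox", "InstalledVersion": "1.36.1-r0",
     "FixedVersion": "1.36.1-r5", "Severity": "LOW"}]}]})
# Constructed sample in the shape of `hadolint --format json` (assumed: one object per finding).
HADOLINT_JSON = json.dumps([{"file": "Dockerfile", "line": 1, "code": "DL3007",
                             "level": "warning", "message": "Using latest is prone to errors"}])

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "UNKNOWN": 0}
HADOLINT_LEVEL = {"error": "HIGH", "warning": "MEDIUM", "info": "LOW", "style": "LOW"}

def normalize(trivy_json, hadolint_json):
    """Merge both scanners into one finding shape, dropping exact duplicates."""
    seen, findings = set(), []
    for res in json.loads(trivy_json).get("Results", []):
        for v in res.get("Vulnerabilities") or []:
            key = ("trivy", v["VulnerabilityID"], v["PkgName"], v["InstalledVersion"])
            if key not in seen:
                seen.add(key)
                findings.append({"id": v["VulnerabilityID"], "source": "trivy",
                                 "severity": v["Severity"], "package": v["PkgName"],
                                 "installed": v["InstalledVersion"],
                                 "fixed": v.get("FixedVersion") or None, "location": res["Target"]})
    for h in json.loads(hadolint_json):
        key = ("hadolint", h["code"], h["file"], h["line"])
        if key not in seen:
            seen.add(key)
            findings.append({"id": h["code"], "source": "hadolint",
                             "severity": HADOLINT_LEVEL.get(h["level"], "LOW"), "package": None,
                             "installed": None, "fixed": None, "location": f"{h['file']}:{h['line']}"})
    return findings

def rank(findings):
    """Highest severity first; among equals, issues with a known fix come first."""
    return sorted(findings, key=lambda f: (SEVERITY_RANK.get(f["severity"], 0),
                                           f["fixed"] is not None), reverse=True)

def llm_payload(findings, limit=10):
    """What leaves the machine: finding metadata only, never layers, files or secrets."""
    keys = ("id", "severity", "package", "installed", "fixed", "location")
    return [{k: f[k] for k in keys} for f in rank(findings)[:limit]]
```

The payload returned by `llm_payload` is the kind of compact, image-free input an LLM needs to write a Dockerfile fix, while the scanners themselves stay local.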

The project was also shaped by a specific warning sign: container images can ship with unfixed vulnerabilities still inside them. Patel cited one scan of 15 images that found 183 high-severity issues and 15 critical ones.

Why it matters

For developers, DockSec tries to close the gap between detection and patching. That matters in CI/CD pipelines, where vulnerable images can be pulled into builds or deployed before security teams sort through scanner output.


For the market, the project shows where AI tooling may be heading next: not just finding defects, but explaining which ones matter and how to fix them without sending image contents to a model.

OWASP backing also changes the trust profile. Patel said the incubator status brought more enterprise attention, better contributions, and a stronger expectation that the tool stay vendor-neutral and community-first.

The key question is no longer whether scanners can find more CVEs. It is whether tools like DockSec can help teams act on the few that matter before those images ship.