DockSec v2026.7.1 released
By SecBurg
DockSec is an OWASP Lab Project that bridges the gap between complex Docker security scan results and actionable fixes.
It combines industry-standard scanners (Trivy, Hadolint, Docker Scout) with multi-LLM support (OpenAI, Anthropic Claude, Google Gemini, or local Ollama) to deliver plain-English vulnerability explanations and line-specific Dockerfile remediation guidance.
v2026.7.1 is out:
- Pin GitHub workflow dependencies
- Phase 0 cleanup: quieter terminal output, PDF encoding fix, and dead-code removal
- Phase 1: terminal output overhaul - result summary, severity table, --quiet/--no-color
- Phase 2a: add --severity flag for image vulnerability scan scope
- Phase 2b: add --fail-on gate and CI-friendly 0/1/2/3 exit codes
- Phase 2c: add --format and --output-dir flags for report selection
- Phase 2d: add --json flag for machine-readable stdout output
- Phase 2e: add --sarif output and fix broken GitHub Action -o flag
- Phase 3: add --baseline/--update-baseline ratchet mode
- Route docker_scanner error/troubleshooting output through docksec.output
- Version bump to 2026.7.1
This is a big one for CI/CD integration: --fail-on gives you a proper severity gate with CI-friendly exit codes, --sarif output plugs straight into GitHub code scanning, and the new --baseline/--update-baseline ratchet mode lets you lock in current findings and only fail on new ones - handy for gradually hardening an existing Dockerfile fleet without breaking the build on day one.
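To show how the three CI features above fit together in practice, here is a GitHub Actions workflow written for this post as an added illustration; it is not code from the DockSec project or its release notes. The flag names (--quiet, --no-color, --fail-on, --baseline, --sarif, --output-dir) are the ones listed in the changelog, but the argument forms each flag takes, the `docksec ./Dockerfile` invocation shape, and the `pip install docksec` install step are assumptions; confirm them against `docksec --help` before copying.

```yaml
# Added example GitHub Actions job (not from the DockSec project).
# Assumptions not confirmed by the release notes: the CLI is invoked as
# `docksec <path-to-Dockerfile>`, --fail-on takes a severity name such as
# `high`, --sarif takes an output file path, --baseline takes the path of a
# previously committed baseline file, and the package installs via pip.
name: docksec
on: [pull_request]

permissions:
  contents: read
  security-events: write   # required by github/codeql-action/upload-sarif

jobs:
  dockerfile-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install DockSec (install method assumed)
        run: pip install docksec

      - name: Scan Dockerfile, gate on severity, ratchet against baseline
        run: |
          # Exit code 0 passes; any of the nonzero codes fails this step and
          # therefore the job, which is the gate. --baseline makes findings
          # already recorded in the committed baseline file non-fatal, so only
          # new findings trip the gate.
          docksec ./Dockerfile \
            --quiet --no-color \
            --fail-on high \
            --baseline .docksec-baseline.json \
            --sarif docksec.sarif \
            --output-dir docksec-reports

      - name: Upload SARIF to GitHub code scanning
        if: always()          # publish findings even when the gate above failed
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: docksec.sarif

      - name: Keep the other reports as a build artifact
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: docksec-reports
          path: docksec-reports
```

Two practical points: run the SARIF upload with `if: always()`, otherwise a failed gate step also suppresses the code-scanning alerts you wanted to see; and generate the baseline deliberately (a one-off run with --update-baseline, with the resulting file committed to the repository) rather than on every CI run, since a baseline that is rewritten on each build never ratchets.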
Full release notes: github.com/OWASP/DockSec/releases/tag/v2026.7.1
Happy hacking! :-)