Docker Security Scanning: Trivy and Dockle for Safe Containers
Scan your Docker images for vulnerabilities before deploying. Learn to use Trivy and Dockle to secure your self-hosted homelab container infrastructure.
Posted by
Related reading
Homelab Documentation: Wiki.js vs BookStack for Self-Hosted Wikis
Document your homelab setup with self-hosted wikis. Compare Wiki.js and BookStack for creating searchable documentation of your infrastructure and procedures.
Docker Compose Reverse Proxy: Traefik vs Nginx Proxy Manager
Set up a reverse proxy for your homelab. Compare Traefik and Nginx Proxy Manager for automatic SSL, domain routing, and secure access to self-hosted services.
Complete Homelab Setup: From Zero to Self-Hosted in One Weekend
Build a fully functional homelab in a single weekend. Step-by-step guide covering hardware setup, Docker installation, and deploying essential self-hosted services.

Trust But Verify
Docker images can contain vulnerabilities, malware, or misconfigurations. Before running containers in your homelab, scan them for security issues. It takes seconds and could save you from a breach.
Trivy: Comprehensive Scanning
# Install Trivy sudo apt install wget apt-transport-https gnupg lsb-release wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add - echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list sudo apt update && sudo apt install trivy # Scan an image trivy image nginx:latest # Scan with severity filter trivy image --severity HIGH,CRITICAL postgres:15 # Scan before deploying trivy image nextcloud:latest
Dockle: Best Practices Check
# Install Dockle
VERSION=$(curl -s https://api.github.com/repos/goodwithtech/dockle/releases/latest | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
curl -L -o dockle.deb https://github.com/goodwithtech/dockle/releases/download/v${VERSION}/dockle_${VERSION}_Linux-64bit.deb
sudo dpkg -i dockle.deb
# Check image best practices
dockle nginx:latest
# Common warnings:
# - Running as root
# - No HEALTHCHECK
# - Using latest tagAutomated Scanning Script
#!/bin/bash
# scan-images.sh
IMAGES=$(docker images --format "{{.Repository}}:{{.Tag}}" | grep -v "<none>")
for IMAGE in $IMAGES; do
echo "Scanning $IMAGE..."
trivy image --severity HIGH,CRITICAL --exit-code 1 $IMAGE
if [ $? -ne 0 ]; then
echo "WARNING: Vulnerabilities found in $IMAGE"
fi
doneBest Practices
- Scan images before first deployment
- Re-scan after updates
- Use specific tags, not :latest
- Prefer official images from Docker Hub
- Set up weekly automated scans
