Back to Blog

Docker Security Scanning: Trivy and Dockle for Safe Containers

Scan your Docker images for vulnerabilities before deploying. Learn to use Trivy and Dockle to secure your self-hosted homelab container infrastructure.

Posted by

Docker security scanning

Trust But Verify

Docker images can contain vulnerabilities, malware, or misconfigurations. Before running containers in your homelab, scan them for security issues. It takes seconds and could save you from a breach.

Trivy: Comprehensive Scanning

# Install Trivy
sudo apt install wget apt-transport-https gnupg lsb-release
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt update && sudo apt install trivy

# Scan an image
trivy image nginx:latest

# Scan with severity filter
trivy image --severity HIGH,CRITICAL postgres:15

# Scan before deploying
trivy image nextcloud:latest

Dockle: Best Practices Check

# Install Dockle
VERSION=$(curl -s https://api.github.com/repos/goodwithtech/dockle/releases/latest | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
curl -L -o dockle.deb https://github.com/goodwithtech/dockle/releases/download/v${VERSION}/dockle_${VERSION}_Linux-64bit.deb
sudo dpkg -i dockle.deb

# Check image best practices
dockle nginx:latest

# Common warnings:
# - Running as root
# - No HEALTHCHECK
# - Using latest tag

Automated Scanning Script

#!/bin/bash
# scan-images.sh

IMAGES=$(docker images --format "{{.Repository}}:{{.Tag}}" | grep -v "<none>")

for IMAGE in $IMAGES; do
  echo "Scanning $IMAGE..."
  trivy image --severity HIGH,CRITICAL --exit-code 1 $IMAGE
  if [ $? -ne 0 ]; then
    echo "WARNING: Vulnerabilities found in $IMAGE"
  fi
done

Best Practices

  • Scan images before first deployment
  • Re-scan after updates
  • Use specific tags, not :latest
  • Prefer official images from Docker Hub
  • Set up weekly automated scans

Continue Reading