Skip to content

arasdenizhan/dockenv

Repository files navigation

Dockenv Logo

DOCKENV

Scan Docker containers & images for risky environment variables

go license last-commit repo-top-language coverage repo-language-count
test


Table of Contents


Overview

dockenv is a lightweight security tool that analyzes Docker containers and images for exposed or risky environment variables.

Modern applications frequently store secrets such as API keys, database credentials, tokens, and private configuration values inside environment variables. While convenient, this practice can easily lead to accidental leaks especially in shared images, misconfigured deployments, or CI/CD pipelines.

dockenv helps you catch these problems early.

It inspects Docker environments, extracts environment variables, and applies an intelligent rule-based analysis engine to detect sensitive data and assign a risk severity score. This allows developers and DevOps engineers to quickly identify security risks before they reach production.

The tool is designed to be fast, dependency-free, and CI-friendly, making it suitable for local development, pre-deployment validation, and automated security checks.


Features

  • 🔍 Docker Environment Variable Security Scanning

    • Scans Docker containers and images to detect sensitive or risky environment variables (e.g. secrets, tokens, passwords, API keys)
  • 🧠 Rule-Based Risk Analysis Engine

    • Built-in detection rules identify common secret patterns:
      • Credentials (PASSWORD, SECRET)
      • Tokens (TOKEN, JWT, AUTH)
      • API keys (API_KEY, API_SECRET, ACCESS_KEY)
      • Private keys & sensitive configs (coming soon)
  • 🌀 Entropy Analysis

    • Shannon Entropy calculation (coming soon).
  • 📊 Risk Scoring System

    • Each finding is evaluated and assigned a severity score so you can quickly prioritize real threats over noise.
  • 🐳 Supports Both Containers and Images

    • Scan running containers
    • Scan local Docker images before deployment
    • Shift-left security checks in CI pipelines
  • 🖥️ Readable CLI Output

    • Colored terminal output
    • Structured table format
    • Clear severity visualization (Low / Medium / High)
  • Fast & Lightweight

    • Written in Go, runs instantly without agents, sidecars, or external services.
  • 🔌 CI/CD Friendly

    • Easily usable inside:
      • GitHub Actions
      • GitLab CI
      • Jenkins pipelines
      • Pre-deployment checks
  • 🧩 Modular Architecture

    • Clean internal modules:
      • docker → container/image inspection
      • scanner → env extraction
      • analyzer → rules & scoring
      • output → formatting & reporting

Getting Started

Installation

You can install dockenv with a single command:

curl -fsSL https://raw.githubusercontent.com/arasdenizhan/dockenv/master/install.sh | sh

The script will:

  1. Detect your operating system and CPU architecture
  2. Download the latest release binary from GitHub
  3. Make it executable
  4. Move it into /usr/local/bin
  5. Verify the installation

Verify Installation

After installation, confirm that dockenv is available:

dockenv --help

You should see the CLI help menu with available commands.

Quick Test

Run a container with intentionally bad environment variables:

docker run -d --name vulnerable \
-e DB_PASSWORD=admin123 \
-e AWS_SECRET_ACCESS_KEY=verysecret \
-e JWT_SECRET=superjwt \
nginx

Scan it:

dockenv scan -c vulnerable

dockenv will analyze the container and report risky environment variables with a security score.


Testing

Run the test suite with:

Using go modules: (mocks and main file removed from coverage report)

	go test -coverprofile=coverage.out ./... && \
	grep -v -e "/mocks/" -e "main.go" coverage.out > coverage_cleaned.out && \
	go tool cover -func=coverage_cleaned.out | grep total: && \
	go tool cover -html=coverage_cleaned.out

Or Makefile located in root of the project's path


Roadmap

  • Milestone 1: Implement basic MVP
  • Milestone 2: Refactor project to have a nice architecture
  • Milestone 3: Achieve %100 code coverage with tests
  • Milestone 4: Implement Shannon Entropy Analysis for better engine.

Contributing

Contributing Guidelines
  1. Fork the Repository: Start by forking the project repository to your github account.
  2. Clone Locally: Clone the forked repository to your local machine using a git client.
    git clone https://github.com/arasdenizhan/dockenv
  3. Create a New Branch: Always work on a new branch, giving it a descriptive name.
    git checkout -b new-feature-x
  4. Make Your Changes: Develop and test your changes locally.
  5. Commit Your Changes: Commit with a clear message describing your updates.
    git commit -m 'Implemented new feature x.'
  6. Push to github: Push the changes to your forked repository.
    git push origin new-feature-x
  7. Submit a Pull Request: Create a PR against the original project repository. Clearly describe the changes and their motivations.
  8. Review: Once your PR is reviewed and approved, it will be merged into the main branch. Congratulations on your contribution!
Contributor Graph


License

Dockenv is protected under the MIT LICENSE License. For more details, refer to the LICENSE file.


About

Docker Environment Security Scanner written with Go that scans docker containers and images for risky environment variables

Topics

Resources

License

Stars

0 stars

Watchers

0 watching

Forks

Packages

 
 
 

Contributors

Languages