Integrate Dockle with Vulnetix. Lint container images against CIS Docker benchmarks (11 checkpoints) and Dockle-specific security checks.
Install & scan
$ go install github.com/goodwithtech/dockle/cmd/dockle@latest $ dockle --format sarif --output dockle.sarif myimage:latest
Run Dockle in CI
Scan on every push and upload the results to Vulnetix:
- name: Install Dockle
run: |
VERSION=$(curl -s https://api.github.com/repos/goodwithtech/dockle/releases/latest | grep '"tag_name"' | sed -E 's/.*"v([^"]+)".*/\1/')
curl -L "https://github.com/goodwithtech/dockle/releases/download/v${VERSION}/dockle_${VERSION}_Linux-64bit.tar.gz" | tar xz
sudo mv dockle /usr/local/bin/
- name: Run Dockle
run: dockle --format sarif --output dockle.sarif myimage:latest
- name: Upload to Vulnetix
run: vulnetix upload --file dockle.sarif
How Vulnetix compares — better together
Vulnetix does not replace Dockle. Keep running it. Vulnetix sits on top of Dockle — and every other scanner you already own — turning disconnected tool outputs into one prioritised, fixable queue.
Dockle is strongest at its core category and also carries features in Secret Scanning — just like Vulnetix spans categories.
| Capability | Vulnetix | Dockle |
|---|---|---|
| Security coverage | ||
| SAST (static code analysis) | ✓ Built-in rules + Semgrep augmentation | ✗ |
| SCA / dependencies | ✓ 40+ ecosystems, transitive graph | ✗ |
| DAST (dynamic testing) | ~ Ingests DAST results; no native dynamic engine | ✗ |
| Container & image | ✓ Image CVEs, base image, Dockerfile | ✓ Core: CIS Docker Benchmark + image-config/build-hygiene linting |
| IaC / misconfiguration | ✓ Terraform, k8s, CloudFormation | ✗ |
| Secret scanning | ✓ 1,000+ rules, source + binary + git history | ~ Flags credentials/secrets embedded in image env vars and files |
| Cloud / CSPM | ✓ Cloud-posture findings, compliance tab | ✗ |
| Mobile (MAST) | ~ Ingests mobile scanner output; no native mobile engine | ✗ |
| License compliance | ✓ SPDX, copyleft/AGPL/SSPL policy | ✗ |
| SBOM generation | ✓ CycloneDX 1.7 + SPDX 2.3, cosign-signable | ✗ |
| Malware / supply-chain | ✓ De-duplicated corpus + install-time firewall (25+ registries) | ✗ |
| Network / infra vuln | ~ Ingests network scanner output; no native network scanner | ✗ |
| Fuzzing | ✗ Ingests fuzzing crashes; no native fuzzer | ✗ |
| Pentest / bug bounty | ✗ Ingests pentest/bug-bounty findings; not a testing service | ✗ |
| The Vulnetix orchestration layer | ||
| Cross-scanner dedup & one queue (ASPM) | ✓ Correlates every scanner into one prioritised queue with ownership routing | ✗ |
| Exploit-intel prioritisation | ✓ EPSS, CISA KEV, Coalition ESS, CWSS, Vulnetix LEV | ✗ |
| Reachability analysis | ✓ Tree-sitter + CVEAffected; direct/transitive/semantic | ✗ |
| Versioned VEX + audit trail | ✓ Immutable OpenVEX/CycloneDX, cosign-signable | ✗ |
| Safe Harbour autofix | ✓ Resolves + applies the nearest safe version | ✗ |
| End-of-life policy | ✓ Flags/blocks past-EOL runtimes & packages | ✗ |
| SSVC / risk-based policy | ✓ SSVC v2 + CISA/FedRAMP/Essential-8 presets | ✗ |
✓ full · ~ partial · ✗ not covered
What Dockle does well
- Purpose-built CIS Docker Benchmark linter — checks how the image was built rather than what CVEs it contains, filling a gap most scanners ignore
- Detects credentials/secrets baked into image env vars and files, and flags setuid/setgid and root-user misconfigurations
- Enforces Dockerfile best practices (base-image trust, package-cache cleanup, healthcheck presence) with clear FATAL/WARN/INFO severities
- Tiny, dependency-light CLI that drops easily into CI as a fast build-hardening gate
Where Vulnetix adds to it: Dockle lints image build hygiene and CIS compliance but explicitly does no CVE scanning and no cross-domain correlation. Vulnetix ingests Dockle's misconfiguration and secret findings and merges them with container CVE, SAST, SCA, IaC and cloud results into one prioritised, deduped queue with exploit-intel, reachability, versioned VEX and SSVC policy. Dockle hardens the build; Vulnetix consolidates and prioritises its output across the whole pipeline.
No migration, no rip-and-replace. Dockle keeps doing what it does best; Vulnetix adds the orchestration, exploit-intelligence prioritisation and remediation layer built for the way AppSec works today.
Centralise Dockle results in Vulnetix
Upload Dockle SARIF output to the Vulnetix platform to deduplicate findings, prioritise them with EPSS, CISA KEV and Coalition ESS exploit intelligence, and track remediation across every scanner in a single queue.