Tool integration

Dockle Integration Guide

Container image linter for CIS Docker benchmarks

Get a Free API Key

Integrate Dockle with Vulnetix. Lint container images against CIS Docker benchmarks (11 checkpoints) and Dockle-specific security checks.

CLI toolSARIF

Install & scan

$ go install github.com/goodwithtech/dockle/cmd/dockle@latest
$ dockle --format sarif --output dockle.sarif myimage:latest

Run Dockle in CI

Scan on every push and upload the results to Vulnetix:

- name: Install Dockle
  run: |
    VERSION=$(curl -s https://api.github.com/repos/goodwithtech/dockle/releases/latest | grep '"tag_name"' | sed -E 's/.*"v([^"]+)".*/\1/')
    curl -L "https://github.com/goodwithtech/dockle/releases/download/v${VERSION}/dockle_${VERSION}_Linux-64bit.tar.gz" | tar xz
    sudo mv dockle /usr/local/bin/
- name: Run Dockle
  run: dockle --format sarif --output dockle.sarif myimage:latest
- name: Upload to Vulnetix
  run: vulnetix upload --file dockle.sarif

How Vulnetix compares — better together

Vulnetix does not replace Dockle. Keep running it. Vulnetix sits on top of Dockle — and every other scanner you already own — turning disconnected tool outputs into one prioritised, fixable queue.

Dockle is strongest at its core category and also carries features in Secret Scanning — just like Vulnetix spans categories.

CapabilityVulnetixDockle
Security coverage
SAST (static code analysis)Built-in rules + Semgrep augmentation
SCA / dependencies40+ ecosystems, transitive graph
DAST (dynamic testing)~ Ingests DAST results; no native dynamic engine
Container & imageImage CVEs, base image, DockerfileCore: CIS Docker Benchmark + image-config/build-hygiene linting
IaC / misconfigurationTerraform, k8s, CloudFormation
Secret scanning1,000+ rules, source + binary + git history~ Flags credentials/secrets embedded in image env vars and files
Cloud / CSPMCloud-posture findings, compliance tab
Mobile (MAST)~ Ingests mobile scanner output; no native mobile engine
License complianceSPDX, copyleft/AGPL/SSPL policy
SBOM generationCycloneDX 1.7 + SPDX 2.3, cosign-signable
Malware / supply-chainDe-duplicated corpus + install-time firewall (25+ registries)
Network / infra vuln~ Ingests network scanner output; no native network scanner
FuzzingIngests fuzzing crashes; no native fuzzer
Pentest / bug bountyIngests pentest/bug-bounty findings; not a testing service
The Vulnetix orchestration layer
Cross-scanner dedup & one queue (ASPM)Correlates every scanner into one prioritised queue with ownership routing
Exploit-intel prioritisationEPSS, CISA KEV, Coalition ESS, CWSS, Vulnetix LEV
Reachability analysisTree-sitter + CVEAffected; direct/transitive/semantic
Versioned VEX + audit trailImmutable OpenVEX/CycloneDX, cosign-signable
Safe Harbour autofixResolves + applies the nearest safe version
End-of-life policyFlags/blocks past-EOL runtimes & packages
SSVC / risk-based policySSVC v2 + CISA/FedRAMP/Essential-8 presets

✓ full · ~ partial · ✗ not covered

What Dockle does well

Where Vulnetix adds to it: Dockle lints image build hygiene and CIS compliance but explicitly does no CVE scanning and no cross-domain correlation. Vulnetix ingests Dockle's misconfiguration and secret findings and merges them with container CVE, SAST, SCA, IaC and cloud results into one prioritised, deduped queue with exploit-intel, reachability, versioned VEX and SSVC policy. Dockle hardens the build; Vulnetix consolidates and prioritises its output across the whole pipeline.

No migration, no rip-and-replace. Dockle keeps doing what it does best; Vulnetix adds the orchestration, exploit-intelligence prioritisation and remediation layer built for the way AppSec works today.

Centralise Dockle results in Vulnetix

Upload Dockle SARIF output to the Vulnetix platform to deduplicate findings, prioritise them with EPSS, CISA KEV and Coalition ESS exploit intelligence, and track remediation across every scanner in a single queue.

Dockle documentation ↗  ·  Source repository ↗

Wire Dockle into your CI/CD pipeline →