Install command
Provided
Comprehensive Docker image vulnerability scanning with layer analysis, base image recommendations, and security best practices enforcement. This PostToolUse hook automatically scans Docker images for vulnerabilities when Dockerfiles are modified, providing real-time security validation during development.
Open the source and read safety notes before installing.
Source-backed facts for citing this resource, derived directly from the registry — also available as plain text for AI assistants.
Decision playbook
Signals are present but mixed. Use the checklist below to confirm the source and operational safety for your environment.
0
78
—
No baseline selected
No major trust-signal divergence detected in the current selection.
Confirm ownership and provenance before trusting install instructions.
Source link availableRequired
Open the canonical repository and verify ownership.
Source provenance statusRequired
Marked as source-backed.
Metadata reviewed
Registry metadata indicates a reviewed listing.
Validate risk disclosures before installation or API wiring.
Safety notes presentRequired
Review the listed safety guidance before running commands.
Privacy notes presentRequired
Review data handling notes before connecting accounts or secrets.
Trust level risk gateRequired
Trust level does not block evaluation.
Check package metadata and artifact integrity signals.
Install payload available
Install or copy payload is available for review.
Package verification flag
No package verification flag provided.
Checksum metadata
No checksum provided for downloaded artifact.
Use compare context to validate trade-offs before adoption.
Compare tray has multiple entries
Add at least one more entry to compare trust differences.
Baseline comparison available
No baseline peer selected yet.
Diverging trust signals identified
No major trust-signal divergence found.
Setup at a glance
Copy-ready — paste the snippet to get started.
Install command
Provided
Config snippet
Provided
Copy snippet
Provided
Prerequisites
None
Platforms
1 listed
Difficulty
0/100
Adoption plan
Current risk score 16/100. Use staged verification before broader rollout.
Validate source and review signals before any execution.
Confirm source provenanceRequired
Source URL/provenance metadata is present.
Confirm metadata review state
Listing has review metadata.
Verify install payload
Install/config payload exists and can be inspected.
Confirm safety, privacy, and package integrity signals.
Review safety notesRequired
Safety notes are present.
Review privacy notesRequired
Privacy notes are present.
Verify package integrity metadata
No package verification/checksum metadata.
Adopt in controlled steps based on the selected plan.
Run in isolated sandbox firstRequired
Use a constrained sandbox and observe behavior across multiple tasks.
Roll out graduallyRequired
Roll out to a small cohort before wider usage.
Set monitoring and fallback
Define rollback path and monitor errors after adoption.
Evidence readiness
Required evidence gates are covered (5/6 signals complete).
Source repository/provenance is listed.
Required in this preset
Review metadata is present.
Required in this preset
Safety notes are present.
Required in this preset
Privacy notes are present.
Optional in this preset
Package integrity metadata is missing.
Optional in this preset
Install payload is available.
Required in this preset
Required evidence gates are covered for this preset.
Decision timeline
5/6 steps complete with no blocking gaps for this preset.
triage
Source/provenance metadata is available.
triage
Review metadata is available.
verify
Safety notes are available.
verify
Privacy notes are available.
verify
Package integrity metadata is missing.
rollout
Install payload is available.
No required blockers for this timeline preset.
Safety & privacy surface
1 safety and 1 privacy notes across 2 risk areas. Review closely: credentials & tokens, permissions & scopes.
#!/usr/bin/env bash
# Read the tool input from stdin
INPUT=$(cat)
TOOL_NAME=$(echo "$INPUT" | jq -r '.tool_name')
FILE_PATH=$(echo "$INPUT" | jq -r '.tool_input.file_path // .tool_input.path // ""')
if [ -z "$FILE_PATH" ]; then
exit 0
fi
# Configuration
SECURITY_REPORT=".claude/reports/docker-security-$(date +%Y%m%d).txt"
SEVERITY_THRESHOLD=${DOCKER_SCAN_SEVERITY:-HIGH}
SCAN_ENABLED=${DOCKER_SECURITY_SCAN:-true}
mkdir -p "$(dirname "$SECURITY_REPORT")"
# Function to check if file is a Dockerfile
is_dockerfile() {
local file=$1
[[ "$file" == *Dockerfile* ]] || [[ "$file" == *.dockerfile ]]
}
# Function to analyze Dockerfile for security issues
analyze_dockerfile_security() {
local dockerfile=$1
echo "🔍 Analyzing Dockerfile security practices: $dockerfile" >&2
echo "" >> "$SECURITY_REPORT"
echo "Dockerfile Security Analysis - $(date)" >> "$SECURITY_REPORT"
echo "========================================" >> "$SECURITY_REPORT"
echo "File: $dockerfile" >> "$SECURITY_REPORT"
echo "" >> "$SECURITY_REPORT"
local issues_found=0
# Check for non-root user
if ! grep -i "^USER" "$dockerfile" >/dev/null 2>&1; then
echo "⚠️ WARNING: No USER directive found (running as root)" >&2
echo "[SECURITY] Missing USER directive - container runs as root" >> "$SECURITY_REPORT"
issues_found=$((issues_found + 1))
fi
# Check for version pinning
if grep -i "^FROM.*:latest" "$dockerfile" >/dev/null 2>&1; then
echo "⚠️ WARNING: Using :latest tag (not reproducible)" >&2
echo "[SECURITY] Base image uses :latest tag instead of pinned version" >> "$SECURITY_REPORT"
issues_found=$((issues_found + 1))
fi
# Check for COPY with broad wildcards
if grep -i "COPY . " "$dockerfile" >/dev/null 2>&1; then
echo "💡 INFO: COPY . detected - ensure .dockerignore excludes secrets" >&2
echo "[INFO] Broad COPY directive - verify .dockerignore configuration" >> "$SECURITY_REPORT"
fi
# Check for hardcoded secrets
if grep -iE "PASSWORD|SECRET|TOKEN|KEY.*=" "$dockerfile" >/dev/null 2>&1; then
echo "🚨 CRITICAL: Potential hardcoded secrets detected!" >&2
echo "[CRITICAL] Hardcoded credentials found - use build args or secrets" >> "$SECURITY_REPORT"
issues_found=$((issues_found + 1))
fi
# Check for HEALTHCHECK
if ! grep -i "^HEALTHCHECK" "$dockerfile" >/dev/null 2>&1; then
echo "💡 INFO: No HEALTHCHECK directive (recommended for production)" >&2
echo "[INFO] Missing HEALTHCHECK - consider adding for production readiness" >> "$SECURITY_REPORT"
fi
# Check for minimal base images
if grep -iE "FROM.*ubuntu|FROM.*debian" "$dockerfile" >/dev/null 2>&1; then
echo "💡 INFO: Consider using alpine or distroless for smaller attack surface" >&2
echo "[INFO] Full OS base image - consider alpine or distroless alternatives" >> "$SECURITY_REPORT"
fi
echo "" >> "$SECURITY_REPORT"
echo "Issues found: $issues_found" >> "$SECURITY_REPORT"
return $issues_found
}
# Function to scan image with Trivy
scan_with_trivy() {
local image=$1
if ! command -v trivy &> /dev/null; then
echo "💡 Install Trivy for comprehensive vulnerability scanning" >&2
echo " brew install trivy (macOS)" >&2
echo " apt install trivy (Debian/Ubuntu)" >&2
return
fi
echo "🔒 Scanning image with Trivy: $image" >&2
echo "" >> "$SECURITY_REPORT"
echo "Trivy Vulnerability Scan" >> "$SECURITY_REPORT"
echo "========================" >> "$SECURITY_REPORT"
# Run Trivy scan
trivy image --severity "$SEVERITY_THRESHOLD",CRITICAL \
--format json "$image" 2>/dev/null | \
jq -r '.Results[]? | .Vulnerabilities[]? | "\(.VulnerabilityID): \(.Severity) - \(.Title)"' 2>/dev/null | \
head -20 >> "$SECURITY_REPORT" || \
echo "✅ No vulnerabilities found at $SEVERITY_THRESHOLD or higher severity" >> "$SECURITY_REPORT"
# Get summary
local vuln_count=$(trivy image --severity CRITICAL,HIGH --format json "$image" 2>/dev/null | \
jq '[.Results[]?.Vulnerabilities[]?] | length' 2>/dev/null || echo "0")
if [ "$vuln_count" -gt 0 ]; then
echo "" >&2
echo "🚨 Found $vuln_count HIGH/CRITICAL vulnerabilities in $image" >&2
echo "💡 Review full report: $SECURITY_REPORT" >&2
else
echo "✅ No critical vulnerabilities detected" >&2
fi
}
# Function to scan with Docker Scout
scan_with_docker_scout() {
local image=$1
if ! docker scout version &> /dev/null 2>&1; then
echo "💡 Docker Scout available in Docker Desktop 4.17+" >&2
return
fi
echo "🔍 Scanning with Docker Scout: $image" >&2
echo "" >> "$SECURITY_REPORT"
echo "Docker Scout Analysis" >> "$SECURITY_REPORT"
echo "=====================" >> "$SECURITY_REPORT"
docker scout cves "$image" --format json 2>/dev/null | \
jq -r '.vulnerabilities[] | "\(.id): \(.severity) - \(.packageName)"' 2>/dev/null | \
head -15 >> "$SECURITY_REPORT" || \
echo "✅ Scout scan complete" >> "$SECURITY_REPORT"
}
# Main execution
if is_dockerfile "$FILE_PATH"; then
echo "🐳 Dockerfile detected: $FILE_PATH" >&2
if [ "$SCAN_ENABLED" != "true" ]; then
echo "ℹ️ Security scanning disabled (DOCKER_SECURITY_SCAN=false)" >&2
exit 0
fi
# Analyze Dockerfile best practices
analyze_dockerfile_security "$FILE_PATH"
# Try to determine image name
IMAGE_NAME=$(grep -i "^FROM" "$FILE_PATH" | tail -1 | awk '{print $2}')
if [ -n "$IMAGE_NAME" ]; then
echo "📦 Base image: $IMAGE_NAME" >&2
# Check if Docker is available and daemon is running
if command -v docker &> /dev/null && docker info &> /dev/null 2>&1; then
# Pull image if not present
if ! docker image inspect "$IMAGE_NAME" &> /dev/null; then
echo "📥 Pulling base image for scanning..." >&2
docker pull "$IMAGE_NAME" >&2 2>/dev/null || \
echo "⚠️ Could not pull image for scanning" >&2
fi
# Run security scans
scan_with_trivy "$IMAGE_NAME"
scan_with_docker_scout "$IMAGE_NAME"
else
echo "⚠️ Docker daemon not running - cannot scan images" >&2
fi
fi
# Display security best practices
echo "" >&2
echo "🛡️ Docker Security Best Practices:" >&2
echo " • Use specific version tags, not :latest" >&2
echo " • Run containers as non-root user (USER directive)" >&2
echo " • Use multi-stage builds to minimize image size" >&2
echo " • Scan images regularly with Trivy or Docker Scout" >&2
echo " • Keep base images updated and prefer minimal bases" >&2
echo " • Never include secrets in images (use build secrets)" >&2
if [ -s "$SECURITY_REPORT" ]; then
echo "" >&2
echo "📄 Full security report: $SECURITY_REPORT" >&2
fi
fi
exit 0{
"hooks": {
"postToolUse": {
"script": "./.claude/hooks/docker-image-security-scanner.sh",
"matchers": [
"write",
"edit"
]
}
}
}.claude/settings.local.json~/.claude/settings.json.claude/settings.json{
"hooks": {
"postToolUse": {
"script": "./.claude/hooks/docker-image-security-scanner.sh",
"matchers": ["write", "edit"]
}
}
}
#!/usr/bin/env bash
# Read the tool input from stdin
INPUT=$(cat)
TOOL_NAME=$(echo "$INPUT" | jq -r '.tool_name')
FILE_PATH=$(echo "$INPUT" | jq -r '.tool_input.file_path // .tool_input.path // ""')
if [ -z "$FILE_PATH" ]; then
exit 0
fi
# Configuration
SECURITY_REPORT=".claude/reports/docker-security-$(date +%Y%m%d).txt"
SEVERITY_THRESHOLD=${DOCKER_SCAN_SEVERITY:-HIGH}
SCAN_ENABLED=${DOCKER_SECURITY_SCAN:-true}
mkdir -p "$(dirname "$SECURITY_REPORT")"
# Function to check if file is a Dockerfile
is_dockerfile() {
local file=$1
[[ "$file" == *Dockerfile* ]] || [[ "$file" == *.dockerfile ]]
}
# Function to analyze Dockerfile for security issues
analyze_dockerfile_security() {
local dockerfile=$1
echo "🔍 Analyzing Dockerfile security practices: $dockerfile" >&2
echo "" >> "$SECURITY_REPORT"
echo "Dockerfile Security Analysis - $(date)" >> "$SECURITY_REPORT"
echo "========================================" >> "$SECURITY_REPORT"
echo "File: $dockerfile" >> "$SECURITY_REPORT"
echo "" >> "$SECURITY_REPORT"
local issues_found=0
# Check for non-root user
if ! grep -i "^USER" "$dockerfile" >/dev/null 2>&1; then
echo "⚠️ WARNING: No USER directive found (running as root)" >&2
echo "[SECURITY] Missing USER directive - container runs as root" >> "$SECURITY_REPORT"
issues_found=$((issues_found + 1))
fi
# Check for version pinning
if grep -i "^FROM.*:latest" "$dockerfile" >/dev/null 2>&1; then
echo "⚠️ WARNING: Using :latest tag (not reproducible)" >&2
echo "[SECURITY] Base image uses :latest tag instead of pinned version" >> "$SECURITY_REPORT"
issues_found=$((issues_found + 1))
fi
# Check for COPY with broad wildcards
if grep -i "COPY . " "$dockerfile" >/dev/null 2>&1; then
echo "💡 INFO: COPY . detected - ensure .dockerignore excludes secrets" >&2
echo "[INFO] Broad COPY directive - verify .dockerignore configuration" >> "$SECURITY_REPORT"
fi
# Check for hardcoded secrets
if grep -iE "PASSWORD|SECRET|TOKEN|KEY.*=" "$dockerfile" >/dev/null 2>&1; then
echo "🚨 CRITICAL: Potential hardcoded secrets detected!" >&2
echo "[CRITICAL] Hardcoded credentials found - use build args or secrets" >> "$SECURITY_REPORT"
issues_found=$((issues_found + 1))
fi
# Check for HEALTHCHECK
if ! grep -i "^HEALTHCHECK" "$dockerfile" >/dev/null 2>&1; then
echo "💡 INFO: No HEALTHCHECK directive (recommended for production)" >&2
echo "[INFO] Missing HEALTHCHECK - consider adding for production readiness" >> "$SECURITY_REPORT"
fi
# Check for minimal base images
if grep -iE "FROM.*ubuntu|FROM.*debian" "$dockerfile" >/dev/null 2>&1; then
echo "💡 INFO: Consider using alpine or distroless for smaller attack surface" >&2
echo "[INFO] Full OS base image - consider alpine or distroless alternatives" >> "$SECURITY_REPORT"
fi
echo "" >> "$SECURITY_REPORT"
echo "Issues found: $issues_found" >> "$SECURITY_REPORT"
return $issues_found
}
# Function to scan image with Trivy
scan_with_trivy() {
local image=$1
if ! command -v trivy &> /dev/null; then
echo "💡 Install Trivy for comprehensive vulnerability scanning" >&2
echo " brew install trivy (macOS)" >&2
echo " apt install trivy (Debian/Ubuntu)" >&2
return
fi
echo "🔒 Scanning image with Trivy: $image" >&2
echo "" >> "$SECURITY_REPORT"
echo "Trivy Vulnerability Scan" >> "$SECURITY_REPORT"
echo "========================" >> "$SECURITY_REPORT"
# Run Trivy scan
trivy image --severity "$SEVERITY_THRESHOLD",CRITICAL \
--format json "$image" 2>/dev/null | \
jq -r '.Results[]? | .Vulnerabilities[]? | "\(.VulnerabilityID): \(.Severity) - \(.Title)"' 2>/dev/null | \
head -20 >> "$SECURITY_REPORT" || \
echo "✅ No vulnerabilities found at $SEVERITY_THRESHOLD or higher severity" >> "$SECURITY_REPORT"
# Get summary
local vuln_count=$(trivy image --severity CRITICAL,HIGH --format json "$image" 2>/dev/null | \
jq '[.Results[]?.Vulnerabilities[]?] | length' 2>/dev/null || echo "0")
if [ "$vuln_count" -gt 0 ]; then
echo "" >&2
echo "🚨 Found $vuln_count HIGH/CRITICAL vulnerabilities in $image" >&2
echo "💡 Review full report: $SECURITY_REPORT" >&2
else
echo "✅ No critical vulnerabilities detected" >&2
fi
}
# Function to scan with Docker Scout
scan_with_docker_scout() {
local image=$1
if ! docker scout version &> /dev/null 2>&1; then
echo "💡 Docker Scout available in Docker Desktop 4.17+" >&2
return
fi
echo "🔍 Scanning with Docker Scout: $image" >&2
echo "" >> "$SECURITY_REPORT"
echo "Docker Scout Analysis" >> "$SECURITY_REPORT"
echo "=====================" >> "$SECURITY_REPORT"
docker scout cves "$image" --format json 2>/dev/null | \
jq -r '.vulnerabilities[] | "\(.id): \(.severity) - \(.packageName)"' 2>/dev/null | \
head -15 >> "$SECURITY_REPORT" || \
echo "✅ Scout scan complete" >> "$SECURITY_REPORT"
}
# Main execution
if is_dockerfile "$FILE_PATH"; then
echo "🐳 Dockerfile detected: $FILE_PATH" >&2
if [ "$SCAN_ENABLED" != "true" ]; then
echo "ℹ️ Security scanning disabled (DOCKER_SECURITY_SCAN=false)" >&2
exit 0
fi
# Analyze Dockerfile best practices
analyze_dockerfile_security "$FILE_PATH"
# Try to determine image name
IMAGE_NAME=$(grep -i "^FROM" "$FILE_PATH" | tail -1 | awk '{print $2}')
if [ -n "$IMAGE_NAME" ]; then
echo "📦 Base image: $IMAGE_NAME" >&2
# Check if Docker is available and daemon is running
if command -v docker &> /dev/null && docker info &> /dev/null 2>&1; then
# Pull image if not present
if ! docker image inspect "$IMAGE_NAME" &> /dev/null; then
echo "📥 Pulling base image for scanning..." >&2
docker pull "$IMAGE_NAME" >&2 2>/dev/null || \
echo "⚠️ Could not pull image for scanning" >&2
fi
# Run security scans
scan_with_trivy "$IMAGE_NAME"
scan_with_docker_scout "$IMAGE_NAME"
else
echo "⚠️ Docker daemon not running - cannot scan images" >&2
fi
fi
# Display security best practices
echo "" >&2
echo "🛡️ Docker Security Best Practices:" >&2
echo " • Use specific version tags, not :latest" >&2
echo " • Run containers as non-root user (USER directive)" >&2
echo " • Use multi-stage builds to minimize image size" >&2
echo " • Scan images regularly with Trivy or Docker Scout" >&2
echo " • Keep base images updated and prefer minimal bases" >&2
echo " • Never include secrets in images (use build secrets)" >&2
if [ -s "$SECURITY_REPORT" ]; then
echo "" >&2
echo "📄 Full security report: $SECURITY_REPORT" >&2
fi
fi
exit 0
Complete hook script that performs Docker image security scanning when Dockerfiles are modified
#!/usr/bin/env bash
INPUT=$(cat)
FILE_PATH=$(echo "$INPUT" | jq -r '.tool_input.file_path // .tool_input.path // ""')
if [ -z "$FILE_PATH" ]; then
exit 0
fi
if [[ "$FILE_PATH" == *Dockerfile* ]]; then
echo "Dockerfile detected: $FILE_PATH" >&2
if ! command -v trivy &> /dev/null; then
echo "Install Trivy for vulnerability scanning" >&2
exit 0
fi
BASE_IMAGE=$(grep -i "^FROM" "$FILE_PATH" | tail -1 | awk '{print $2}')
if [ -n "$BASE_IMAGE" ]; then
echo "Scanning base image: $BASE_IMAGE" >&2
if command -v docker &> /dev/null && docker info &> /dev/null 2>&1; then
docker pull "$BASE_IMAGE" >&2 2>/dev/null || echo "Could not pull image" >&2
trivy image --severity HIGH,CRITICAL --format json "$BASE_IMAGE" 2>/dev/null | jq '.' || trivy image "$BASE_IMAGE"
fi
fi
fi
exit 0
Complete hook configuration for .claude/settings.json to enable Docker image security scanning
{
"hooks": {
"postToolUse": {
"script": "./.claude/hooks/docker-image-security-scanner.sh",
"matchers": ["write", "edit"]
}
}
}
Enhanced hook script using Trivy 0.52.0+ with JSON output and jq parsing
#!/usr/bin/env bash
INPUT=$(cat)
FILE_PATH=$(echo "$INPUT" | jq -r '.tool_input.file_path // .tool_input.path // ""')
if [[ "$FILE_PATH" == *Dockerfile* ]]; then
if command -v trivy &> /dev/null; then
BASE_IMAGE=$(grep -i "^FROM" "$FILE_PATH" | tail -1 | awk '{print $2}')
if [ -n "$BASE_IMAGE" ]; then
echo "Scanning with Trivy: $BASE_IMAGE" >&2
if command -v docker &> /dev/null && docker info &> /dev/null 2>&1; then
docker pull "$BASE_IMAGE" >&2 2>/dev/null
trivy image --severity HIGH,CRITICAL --format json "$BASE_IMAGE" 2>/dev/null | jq -r '.Results[]? | .Vulnerabilities[]? | "\(.VulnerabilityID): \(.Severity) - \(.Title)"' | head -20
fi
fi
fi
fi
exit 0
Enhanced hook script using Grype for Docker image vulnerability scanning
#!/usr/bin/env bash
INPUT=$(cat)
FILE_PATH=$(echo "$INPUT" | jq -r '.tool_input.file_path // .tool_input.path // ""')
if [[ "$FILE_PATH" == *Dockerfile* ]]; then
if command -v grype &> /dev/null; then
BASE_IMAGE=$(grep -i "^FROM" "$FILE_PATH" | tail -1 | awk '{print $2}')
if [ -n "$BASE_IMAGE" ]; then
echo "Scanning with Grype: $BASE_IMAGE" >&2
if command -v docker &> /dev/null && docker info &> /dev/null 2>&1; then
docker pull "$BASE_IMAGE" >&2 2>/dev/null
grype "$BASE_IMAGE" --output json 2>/dev/null | jq '.' || grype "$BASE_IMAGE"
fi
fi
fi
fi
exit 0
Enhanced hook script for analyzing Dockerfile security best practices
#!/usr/bin/env bash
INPUT=$(cat)
FILE_PATH=$(echo "$INPUT" | jq -r '.tool_input.file_path // .tool_input.path // ""')
if [[ "$FILE_PATH" == *Dockerfile* ]]; then
issues_found=0
if ! grep -i "^USER" "$FILE_PATH" >/dev/null 2>&1; then
echo "WARNING: No USER directive found (running as root)" >&2
issues_found=$((issues_found + 1))
fi
if grep -i "^FROM.*:latest" "$FILE_PATH" >/dev/null 2>&1; then
echo "WARNING: Using :latest tag (not reproducible)" >&2
issues_found=$((issues_found + 1))
fi
if grep -iE "PASSWORD|SECRET|TOKEN|KEY.*=" "$FILE_PATH" >/dev/null 2>&1; then
echo "CRITICAL: Potential hardcoded secrets detected!" >&2
issues_found=$((issues_found + 1))
fi
if [ "$issues_found" -gt 0 ]; then
echo "Found $issues_found security issues in Dockerfile" >&2
else
echo "No security issues detected in Dockerfile" >&2
fi
fi
exit 0
Update Trivy vulnerability DB: trivy image --download-db-only. Check network connectivity to ghcr.io registry. Use offline mode with cached DB: trivy --skip-update. Clear cache: rm -rf ~/.cache/trivy. Verify Trivy version is 0.52.0+ for latest database format support.
Start Docker Desktop or dockerd service. Check DOCKER_HOST environment variable. Verify user permissions: sudo usermod -aG docker $USER. Test with docker info before running hook. Ensure Docker daemon is running: docker ps.
Hook checks final stage only if multiple USER directives. Add USER in final stage even if earlier stages use root. Use comments to document why root needed in build stages. Verify final stage has non-root user: grep -i "^USER" Dockerfile | tail -1.
Configure Docker proxy in daemon.json. Use internal registry mirror. Pre-pull images: docker pull before hook runs. Skip image scanning: DOCKER_SECURITY_SCAN=false. Configure Docker registry mirrors for internal networks.
Different vulnerability databases and update frequencies. Scout uses Docker curated database. Trivy uses multiple sources (NVD, OSV, GitHub Advisory Database). Cross-reference both for comprehensive coverage. Check scan timestamps. Use both tools for complete vulnerability assessment.
Install Grype: brew install grype on macOS, or download from GitHub releases. Verify installation: grype version. Check PATH includes Grype binary location. Use full path to grype if not in PATH. Verify Grype database is up to date: grype db update.
Use Trivy with SBOM sources for faster scans: trivy image --sbom-sources oci. Enable Trivy cache: export TRIVY_CACHE_DIR=.trivycache. Use severity filtering: trivy image --severity HIGH,CRITICAL. Consider scanning only base image instead of full application image.
Ensure Trivy version is 0.52.0+ for VEX support. Use VEX repository: trivy image --vex repo. Use VEX OCI attestations: trivy image --vex oci. Verify VEX documents are available in configured repositories. Check Trivy VEX configuration in trivy.yaml.
Show that Docker Image Security Scanner - Hooks is listed on HeyClaude. Paste this Markdown into your README — it renders the badge and links back to this page.
[](https://heyclau.de/entry/hooks/docker-image-security-scanner)Docker Image Security Scanner - Hooks side by side with 3 alternatives on trust, install, platform support, and disclosed safety notes — all from reviewed registry metadata.
| Field | Comprehensive Docker image vulnerability scanning with layer analysis, base image recommendations, and security best practices enforcement. This PostToolUse hook automatically scans Docker images for vulnerabilities when Dockerfiles are modified, providing real-time security validation during development. Open dossier | A PostToolUse hook that watches for edits to Docker-related files (Dockerfile, docker-compose, .dockerfile, .dockerignore). Open dossier | Scans for security vulnerabilities when package.json or requirements.txt files are modified. Open dossier | Scans for potential sensitive data exposure and alerts immediately. Open dossier |
|---|---|---|---|---|
| Next steps | ||||
| Trust | ||||
| Review status | ReviewedMaintainer reviewed | ReviewedMaintainer reviewed | ReviewedMaintainer reviewed | ReviewedMaintainer reviewed |
| Package trust | Package not verified | Package not verified | Package not verified | Package not verified |
| Source provenance | Source-backed | Source-backed | Source-backed | Source-backed |
| Submitter | — | — | — | — |
| Install risk | Review first | Review first | Review first | Review first |
| Notes | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ |
| Brand | — | — | ||
| Category | hooks | hooks | hooks | hooks |
| Source | source-backed | source-backed | source-backed | source-backed |
| Author | JSONbored | JSONbored | JSONbored | JSONbored |
| Added | 2025-10-19 | 2025-09-19 | 2025-09-19 | 2025-09-19 |
| Platforms | Claude Code | Claude Code | Claude Code | Claude Code |
| Source repo | — | — | — | — |
| Safety notes | ✓Runs automatically on its configured Claude Code hook event and executes shell logic that can read, modify, or delete files in your project (and may run builds, installs, or network calls); review the script and scope it to expected paths before enabling. | ✓Runs automatically after write or edit activity on Dockerfile, docker-compose, dockerfile, and dockerignore paths. Invokes docker build or docker compose build and can consume CPU, disk, network, and local Docker daemon resources. Uses the Dockerfile directory or compose-file directory as the build context, so incorrect paths can include more files than expected. | ✓Runs automatically on its configured Claude Code hook event and executes shell logic that can read, modify, or delete files in your project (and may run builds, installs, or network calls); review the script and scope it to expected paths before enabling. | ✓Runs on notification events and scans recent tool input for patterns that resemble secrets or sensitive data. Produces alerts only and does not redact files, rotate credentials, or block the original tool action. Pattern-based detection can miss real secrets or flag harmless placeholders. |
| Privacy notes | ✓Receives Claude Code hook input (session metadata, file paths, and tool output) and reads local project files; review what the script logs or forwards to external services and keep credentials out of its output. | ✓Reads Docker-related files and may send build context files to the local Docker daemon during image builds. Build logs may reveal image names, service names, dependency URLs, and package-install output. Prints the first lines of .dockerignore files to local hook output when those files are edited. | ✓Receives Claude Code hook input (session metadata, file paths, and tool output) and reads local project files; review what the script logs or forwards to external services and keep credentials out of its output. | ✓Reads hook input fields such as tool names, file paths, commands, and text snippets supplied to the notification event. May print matched sensitive-looking strings or surrounding context to local hook output. Does not send findings to a remote service in the bundled script. |
| Prerequisites | — none listed | — none listed | — none listed | — none listed |
| Install | | | | |
| Config | | | | |
| Citations | ||||
| Claim | Unclaimed | Unclaimed | Unclaimed | Unclaimed |
Source-backed guides for putting this to work.
Audit MCP client configuration before sharing it with a team.
Loading live community signals…
A short, calm digest of reviewed Claude resources. Unsubscribe any time.