Deepce vs Dockle
GitHub Stats
About Deepce
Deepce (Docker Enumeration, Escalation of Privileges, and Container Escapes) is a tool designed to help identify vulnerable Docker installations and find potential container escape routes. Written as a portable shell script with no dependencies, it runs inside Docker containers to assess the security posture from the inside out. Deepce checks for dangerous capabilities (SYS_ADMIN, SYS_PTRACE, DAC_READ_SEARCH), mounted Docker sockets, writable host mounts, misconfigured namespaces, and known kernel vulnerabilities that enable container escapes. It also fingerprints the container environment, identifies the container runtime (Docker, Podman, LXC), checks network configuration, and enumerates neighboring containers. Its zero-dependency design makes it ideal for quick assessments during penetration tests where you land inside a container and need to assess your options.
About Dockle
Dockle is a container image linter for security, helping build the best practice Docker/OCI image. It checks built container images for security issues and best practice violations based on the CIS Docker Benchmark and additional security checks. Unlike Dockerfile linters that only analyze the build instructions, Dockle inspects the actual built image, catching issues like credentials left in image layers, unnecessary setuid/setgid binaries, missing USER directives (running as root), writable executables, and unused environment variables containing secrets. Dockle outputs clear, actionable findings with severity levels (FATAL, WARN, INFO) and references to CIS benchmark sections. It integrates easily into CI/CD pipelines, supports JSON output for automation, and can be configured with an ignore file for accepted risks. Dockle fills the gap between Dockerfile linting (like Hadolint) and runtime scanning (like Falco).
Platform Support
Tags
Shared
Deepce only
Dockle only