Discovers real containers from Dockerfiles, classifies them, and validates whether the codebase respects container boundaries.
Unlike bounded-context analysis (which invents containers from code coupling), this report starts from the containers that exist.
Security issues detected in Dockerfiles and docker-compose configurations. Fix critical and high severity items first.
| Severity | Finding | CWE | Description | Location | Remediation |
|---|
| MEDIUM | latest_tag | CWE-829 | FROM uses 'build' without pinned tag -- non-reproducible builds. | Dockerfile:127 | Pin the base image to a specific tag or digest (e.g. 'python:3.12-slim' or 'python@sha256:abc...'). |
| MEDIUM | latest_tag | CWE-829 | FROM uses 'base-runtime' without pinned tag -- non-reproducible builds. | Dockerfile:151 | Pin the base image to a specific tag or digest (e.g. 'python:3.12-slim' or 'python@sha256:abc...'). |
| MEDIUM | missing_healthcheck | CWE-693 | No HEALTHCHECK defined. Container orchestrators cannot detect unhealthy state. | scripts/docker/install-sh-e2e/Dockerfile | Add 'HEALTHCHECK CMD curl -f http://localhost/health || exit 1' or equivalent. |
| HIGH | running_as_root | CWE-250 | Container runs as root. Add USER directive with non-root user. | scripts/docker/install-sh-smoke/Dockerfile:30 | Add 'USER nonroot' or 'USER 1000' before the ENTRYPOINT/CMD directive. |
| MEDIUM | missing_healthcheck | CWE-693 | No HEALTHCHECK defined. Container orchestrators cannot detect unhealthy state. | scripts/docker/install-sh-smoke/Dockerfile | Add 'HEALTHCHECK CMD curl -f http://localhost/health || exit 1' or equivalent. |
| MEDIUM | missing_healthcheck | CWE-693 | No HEALTHCHECK defined. Container orchestrators cannot detect unhealthy state. | scripts/docker/sandbox/Dockerfile | Add 'HEALTHCHECK CMD curl -f http://localhost/health || exit 1' or equivalent. |
| MEDIUM | missing_healthcheck | CWE-693 | No HEALTHCHECK defined. Container orchestrators cannot detect unhealthy state. | scripts/docker/install-sh-nonroot/Dockerfile | Add 'HEALTHCHECK CMD curl -f http://localhost/health || exit 1' or equivalent. |
| HIGH | running_as_root | CWE-250 | Container runs as root. Add USER directive with non-root user. | scripts/docker/cleanup-smoke/Dockerfile:34 | Add 'USER nonroot' or 'USER 1000' before the ENTRYPOINT/CMD directive. |
| MEDIUM | missing_healthcheck | CWE-693 | No HEALTHCHECK defined. Container orchestrators cannot detect unhealthy state. | scripts/docker/cleanup-smoke/Dockerfile | Add 'HEALTHCHECK CMD curl -f http://localhost/health || exit 1' or equivalent. |
| MEDIUM | missing_healthcheck | CWE-693 | No HEALTHCHECK defined. Container orchestrators cannot detect unhealthy state. | scripts/e2e/Dockerfile | Add 'HEALTHCHECK CMD curl -f http://localhost/health || exit 1' or equivalent. |
| MEDIUM | latest_tag | CWE-829 | FROM uses 'e2e-runner' without pinned tag -- non-reproducible builds. | scripts/e2e/Dockerfile:33 | Pin the base image to a specific tag or digest (e.g. 'python:3.12-slim' or 'python@sha256:abc...'). |
| MEDIUM | latest_tag | CWE-829 | FROM uses 'bare' without pinned tag -- non-reproducible builds. | scripts/e2e/Dockerfile:37 | Pin the base image to a specific tag or digest (e.g. 'python:3.12-slim' or 'python@sha256:abc...'). |
| MEDIUM | latest_tag | CWE-829 | FROM uses 'bare' without pinned tag -- non-reproducible builds. | scripts/e2e/Dockerfile:41 | Pin the base image to a specific tag or digest (e.g. 'python:3.12-slim' or 'python@sha256:abc...'). |
These are the containers that run your application. Finding counts are from the AEGIS security scan.
| Container | Repo | Base Image | Findings | Severity |
| Dockerfile/openclaw | Dockerfile | ${OPENCLAW_NODE_BOOKWORM_IMAGE} | 0 | clean |
| scripts/install-sh-e2e | scripts | node:24-bookworm-slim@sha256:e8e2e91b1378f83c5b2dd15f0247f34110e2fe895f6ca7719dbb780f929368eb | 0 | clean |
| scripts/install-sh-smoke | scripts | node:24-bookworm-slim@sha256:e8e2e91b1378f83c5b2dd15f0247f34110e2fe895f6ca7719dbb780f929368eb | 0 | clean |
| scripts/sandbox | scripts | debian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252 | 0 | clean |
| scripts/install-sh-nonroot | scripts | ubuntu:24.04@sha256:cd1dba651b3080c3686ecf4e3c4220f026b521fb76978881737d24f200828b2b | 0 | clean |
| scripts/cleanup-smoke | scripts | node:24-bookworm-slim@sha256:e8e2e91b1378f83c5b2dd15f0247f34110e2fe895f6ca7719dbb780f929368eb | 0 | clean |
| scripts/e2e | scripts | node:24-bookworm-slim@sha256:e8e2e91b1378f83c5b2dd15f0247f34110e2fe895f6ca7719dbb780f929368eb | 0 | clean |
Source files in these repos are not built by any Dockerfile classified as a production service.
They may be libraries, scripts, or documentation -- or they may be services missing a Dockerfile.