← Dashboard

Container Audit

2026-05-29 | AEGIS Container Audit Engine
Discovers real containers from Dockerfiles, classifies them, and validates whether the codebase respects container boundaries. Unlike bounded-context analysis (which invents containers from code coupling), this report starts from the containers that exist.
7
Dockerfiles
7
Services
0
Base Images
0
Infrastructure
0
Emulators
0
Dev/Test
0
Ops
13
Security Findings

Dockerfile & Compose Security (13 findings)

Security issues detected in Dockerfiles and docker-compose configurations. Fix critical and high severity items first.

0 critical, 2 high, 11 medium, 0 low

SeverityFindingCWEDescriptionLocationRemediation
MEDIUMlatest_tagCWE-829FROM uses 'build' without pinned tag -- non-reproducible builds.Dockerfile:127Pin the base image to a specific tag or digest (e.g. 'python:3.12-slim' or 'python@sha256:abc...').
MEDIUMlatest_tagCWE-829FROM uses 'base-runtime' without pinned tag -- non-reproducible builds.Dockerfile:151Pin the base image to a specific tag or digest (e.g. 'python:3.12-slim' or 'python@sha256:abc...').
MEDIUMmissing_healthcheckCWE-693No HEALTHCHECK defined. Container orchestrators cannot detect unhealthy state.scripts/docker/install-sh-e2e/DockerfileAdd 'HEALTHCHECK CMD curl -f http://localhost/health || exit 1' or equivalent.
HIGHrunning_as_rootCWE-250Container runs as root. Add USER directive with non-root user.scripts/docker/install-sh-smoke/Dockerfile:30Add 'USER nonroot' or 'USER 1000' before the ENTRYPOINT/CMD directive.
MEDIUMmissing_healthcheckCWE-693No HEALTHCHECK defined. Container orchestrators cannot detect unhealthy state.scripts/docker/install-sh-smoke/DockerfileAdd 'HEALTHCHECK CMD curl -f http://localhost/health || exit 1' or equivalent.
MEDIUMmissing_healthcheckCWE-693No HEALTHCHECK defined. Container orchestrators cannot detect unhealthy state.scripts/docker/sandbox/DockerfileAdd 'HEALTHCHECK CMD curl -f http://localhost/health || exit 1' or equivalent.
MEDIUMmissing_healthcheckCWE-693No HEALTHCHECK defined. Container orchestrators cannot detect unhealthy state.scripts/docker/install-sh-nonroot/DockerfileAdd 'HEALTHCHECK CMD curl -f http://localhost/health || exit 1' or equivalent.
HIGHrunning_as_rootCWE-250Container runs as root. Add USER directive with non-root user.scripts/docker/cleanup-smoke/Dockerfile:34Add 'USER nonroot' or 'USER 1000' before the ENTRYPOINT/CMD directive.
MEDIUMmissing_healthcheckCWE-693No HEALTHCHECK defined. Container orchestrators cannot detect unhealthy state.scripts/docker/cleanup-smoke/DockerfileAdd 'HEALTHCHECK CMD curl -f http://localhost/health || exit 1' or equivalent.
MEDIUMmissing_healthcheckCWE-693No HEALTHCHECK defined. Container orchestrators cannot detect unhealthy state.scripts/e2e/DockerfileAdd 'HEALTHCHECK CMD curl -f http://localhost/health || exit 1' or equivalent.
MEDIUMlatest_tagCWE-829FROM uses 'e2e-runner' without pinned tag -- non-reproducible builds.scripts/e2e/Dockerfile:33Pin the base image to a specific tag or digest (e.g. 'python:3.12-slim' or 'python@sha256:abc...').
MEDIUMlatest_tagCWE-829FROM uses 'bare' without pinned tag -- non-reproducible builds.scripts/e2e/Dockerfile:37Pin the base image to a specific tag or digest (e.g. 'python:3.12-slim' or 'python@sha256:abc...').
MEDIUMlatest_tagCWE-829FROM uses 'bare' without pinned tag -- non-reproducible builds.scripts/e2e/Dockerfile:41Pin the base image to a specific tag or digest (e.g. 'python:3.12-slim' or 'python@sha256:abc...').

Production Services (7)

These are the containers that run your application. Finding counts are from the AEGIS security scan.
ContainerRepoBase ImageFindingsSeverity
Dockerfile/openclawDockerfile${OPENCLAW_NODE_BOOKWORM_IMAGE}0clean
scripts/install-sh-e2escriptsnode:24-bookworm-slim@sha256:e8e2e91b1378f83c5b2dd15f0247f34110e2fe895f6ca7719dbb780f929368eb0clean
scripts/install-sh-smokescriptsnode:24-bookworm-slim@sha256:e8e2e91b1378f83c5b2dd15f0247f34110e2fe895f6ca7719dbb780f929368eb0clean
scripts/sandboxscriptsdebian:bookworm-slim@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c2520clean
scripts/install-sh-nonrootscriptsubuntu:24.04@sha256:cd1dba651b3080c3686ecf4e3c4220f026b521fb76978881737d24f200828b2b0clean
scripts/cleanup-smokescriptsnode:24-bookworm-slim@sha256:e8e2e91b1378f83c5b2dd15f0247f34110e2fe895f6ca7719dbb780f929368eb0clean
scripts/e2escriptsnode:24-bookworm-slim@sha256:e8e2e91b1378f83c5b2dd15f0247f34110e2fe895f6ca7719dbb780f929368eb0clean

Repos Without Service Containers (1 repos, 21 files sampled)

Source files in these repos are not built by any Dockerfile classified as a production service. They may be libraries, scripts, or documentation -- or they may be services missing a Dockerfile.