fix(score): replace hardcoded config score with real Dockerfile analysis (closes #44)#53

Merged
advaitpatel merged 1 commit into
mainfrom
fix/config-score-hardcoded-issue-44
Apr 2, 2026
Conversation

@advaitpatel
Collaborator

Summary

  • Replaces the permanently hardcoded configuration score of 75.0 in score_calculator.py with a real _calculate_config_score() method that analyses actual Dockerfile content
  • Bumps version from 2026.2.23 to 2026.4.2 for release

What was wrong

Every security score DockSec ever reported was inflated by ~15 points. The 20% configuration weight always contributed a fixed 75 * 0.20 = 15 points regardless of whether the container was running as root, had exposed secrets, used :latest tags, etc.

What the new method checks

| Check | Deduction |
| --- | --- |
| No USER directive, or explicit USER root / USER 0 | −25 |
| ENV sets a credential variable (PASSWORD, SECRET, API_KEY, TOKEN, etc.) | −30 |
| Base image uses :latest tag or has no tag | −15 |
| No HEALTHCHECK directive | −10 |
| Sensitive ports exposed (22, 23, 3306, 5432, 27017, 6379, 9200) | −10 |
| ADD used instead of COPY | −5 |
| --privileged flag present | −20 |

Falls back to Hadolint output signals (DL3002, DL3007) when no Dockerfile path is available (e.g. --image-only mode).

Test results

Bad Dockerfile score:  5.0/100   ✓
Good Dockerfile score: 100.0/100 ✓
Hadolint-only score:   60.0/100  ✓

Existing test suite: 10 passed, 7 pre-existing failures (unrelated to this change).

Test plan

  • Run docksec Dockerfile -i myapp:latest against a Dockerfile with no USER, :latest tag, and an exposed ENV PASSWORD=... — config score should be ≤ 30
  • Run against a well-hardened Dockerfile with USER, pinned tag, HEALTHCHECK — config score should be 100
  • --image-only mode (no Dockerfile): verify no crash, fallback to hadolint signals

🤖 Generated with Claude Code

… analysis

The configuration dimension of the security score was permanently set to
75.0, inflating every reported score by ~15 points regardless of actual
Dockerfile quality. This fix implements _calculate_config_score() which
analyses the Dockerfile content directly and deducts points for:

  - Container running as root (no USER directive, or USER root/0): -25
  - Exposed credentials via ENV (PASSWORD/SECRET/TOKEN/KEY patterns): -30
  - Mutable base image tag (:latest or untagged FROM): -15
  - Missing HEALTHCHECK directive: -10
  - Sensitive port exposure (22, 23, 3306, 5432, 27017, 6379, 9200): -10
  - ADD used instead of COPY (DL3020): -5
  - --privileged flag present: -20

Falls back to Hadolint output signals (DL3002, DL3007) when no Dockerfile
path is available (e.g. --image-only mode).

Smoke-tested: insecure Dockerfile 5/100, clean Dockerfile 100/100.

Bumps version to 2026.4.2.

Closes #44
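The scoring logic described in the PR summary and the commit message above, written out as an added, self-contained example (this is not DockSec's `score_calculator.py` or its `_calculate_config_score()`; the deduction weights are the ones listed on the page, while the Dockerfile parsing, the Hadolint-output fallback and the sample inputs are this example's own constructions). It reproduces the three smoke-test results the PR reports: 5.0 for the insecure Dockerfile, 100.0 for the hardened one, and 60.0 when only the DL3002/DL3007 Hadolint signals are available.

```python
import re

# Deduction weights as listed in the PR description. Each check deducts once,
# however many times it fires, and the score is clamped at 0.
DEDUCTIONS = {
    "root_user": 25, "credential_env": 30, "mutable_tag": 15,
    "no_healthcheck": 10, "sensitive_port": 10, "add_instead_of_copy": 5,
    "privileged": 20,
}
CREDENTIAL_ENV = re.compile(r"(PASSWORD|PASSWD|SECRET|API_KEY|TOKEN)\w*\s*=", re.I)
SENSITIVE_PORTS = {22, 23, 3306, 5432, 27017, 6379, 9200}
# Hadolint rule ids the PR names as fallback signals (assumed mapping to checks).
HADOLINT_SIGNALS = {"DL3002": "root_user", "DL3007": "mutable_tag"}


def parse_instructions(dockerfile: str) -> list[tuple[str, str]]:
    """Return (INSTRUCTION, argument) pairs; joins backslash continuations, drops comments."""
    joined = re.sub(r"\\\r?\n", " ", dockerfile)
    pairs = []
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        head, _, rest = line.partition(" ")
        pairs.append((head.upper(), rest.strip()))
    return pairs


def base_image_is_mutable(from_arg: str, stage_names: set[str]) -> bool:
    """True for ':latest' or an untagged image; stage aliases, scratch and digests are exempt."""
    image = from_arg.split()[0]
    if image in stage_names or image.lower() == "scratch":
        return False
    tail = image.rsplit("/", 1)[-1]          # strip registry/namespace, e.g. "registry:5000/app"
    if "@sha256:" in tail:
        return False                          # digest-pinned reference
    tag = tail.partition(":")[2]
    return tag in ("", "latest")


def score_from_hits(hits) -> float:
    return max(0.0, 100.0 - sum(DEDUCTIONS[h] for h in set(hits)))


def config_score_from_dockerfile(dockerfile: str) -> tuple[float, list[str]]:
    """Config score plus the sorted list of checks that fired."""
    ins = parse_instructions(dockerfile)
    hits, stage_names, users = [], set(), []
    for instr, arg in ins:
        if instr == "FROM":
            if base_image_is_mutable(arg, stage_names):
                hits.append("mutable_tag")
            alias = re.search(r"\bAS\s+(\S+)", arg, re.I)
            if alias:
                stage_names.add(alias.group(1))
        elif instr == "USER":
            users.append(arg.split(":")[0])   # "USER 1001:1001" -> "1001"
        elif instr == "ENV" and CREDENTIAL_ENV.search(arg):
            hits.append("credential_env")
        elif instr == "EXPOSE":
            ports = {int(p.split("/")[0]) for p in arg.split() if p.split("/")[0].isdigit()}
            if ports & SENSITIVE_PORTS:
                hits.append("sensitive_port")
        elif instr == "ADD":
            hits.append("add_instead_of_copy")
    if not users or users[-1] in ("root", "0"):   # the last USER wins at runtime
        hits.append("root_user")
    if not any(i == "HEALTHCHECK" for i, _ in ins):
        hits.append("no_healthcheck")
    if "--privileged" in dockerfile:
        hits.append("privileged")
    return score_from_hits(hits), sorted(set(hits))


def config_score_from_hadolint(hadolint_output: str) -> tuple[float, list[str]]:
    """Fallback for --image-only mode: only DL3002 / DL3007 in Hadolint's output are used."""
    hits = [sig for code, sig in HADOLINT_SIGNALS.items()
            if re.search(rf"\b{code}\b", hadolint_output)]
    return score_from_hits(hits), sorted(hits)


# Constructed sample inputs (not taken from the project).
BAD_DOCKERFILE = """\
FROM python
ENV DB_PASSWORD=hunter2
ADD app.tar.gz /app
EXPOSE 22 8080
CMD ["python", "/app/main.py"]
"""
GOOD_DOCKERFILE = """\
FROM python:3.12-slim AS build
COPY requirements.txt /tmp/
RUN pip install -r /tmp/requirements.txt

FROM python:3.12-slim
COPY --from=build /usr/local/lib/python3.12 /usr/local/lib/python3.12
COPY app/ /app/
EXPOSE 8080
HEALTHCHECK --interval=30s CMD curl -f http://localhost:8080/health || exit 1
USER 1001:1001
CMD ["python", "/app/main.py"]
"""
HADOLINT_OUTPUT = """\
Dockerfile:1 DL3007 warning: Using latest is prone to errors if the image will ever update
Dockerfile:4 DL3002 warning: Last USER should not be root
"""

if __name__ == "__main__":
    print("Bad Dockerfile:  ", config_score_from_dockerfile(BAD_DOCKERFILE))
    print("Good Dockerfile: ", config_score_from_dockerfile(GOOD_DOCKERFILE))
    print("Hadolint-only:   ", config_score_from_hadolint(HADOLINT_OUTPUT))
```

Two design choices worth noting for anyone reviewing a scorer like this: the root-user check looks at the last `USER` instruction, because that is the one the container actually starts under, and the base-image check exempts multi-stage aliases and digest-pinned references so that a correctly pinned `FROM image@sha256:...` is not penalised as untagged.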
@advaitpatel advaitpatel force-pushed the fix/config-score-hardcoded-issue-44 branch from d293d14 to 01922e7 Compare April 2, 2026 07:12
@advaitpatel advaitpatel merged commit 9ac07b2 into main Apr 2, 2026
6 checks passed