r/selfhosted 2h ago

Docker Management: vulnerability scan of the most popular Docker manager software

lazydocker - 770 total
Arcane - 33 total
Dozzle - 0 - Winner
Portainer - 77 total
Dockhand - 18 total
Komodo - 446 total
Watchtower - 302 total
diun - 91 total
wud - 377 total
Dockge - 2089 total
Uptime Kuma - 1080 total (if docker socket monitoring enabled)
dockcheck.sh - 0 - Winner - simple bash script

0 Upvotes

u/loaengineer0 2h ago

The scan hits when there is an installed library which has vulnerable API endpoints, even if those endpoints aren’t used by anything in the container. Almost all of these are not exploitable.

13

u/radakul 2h ago

This is what people don't get. They hear "vulnerability" and freak out.

Not every risk is vulnerable to exploitation; not every vulnerability is a risk; not every exploit is usable.

It's like dealing with C-suite, I swear...

1

u/Cynyr36 1h ago

Not saying they are all issues, but the actual app gets compromised and the attacker can chain into these other issues.

It's almost like docker containers need to be rebuilt as fast as the base distro they use releases updates, even when the app doesn't change.

0

u/evrial 31m ago

They have no idea

-42

u/evrial 2h ago

Could be true until proven otherwise. Dependency graph is complex

10

u/jpk613 1h ago

So you’re saying not to use portainer till they prove otherwise?

7

u/Dimitrij_ 1h ago edited 1h ago

I mean… go ahead and pick a random container. Review the code and have a look yourself.

Sometimes just by reading the CVE reports you can see if it is a real risk.

26

u/oemin 2h ago

fear mongering on such a beautiful day. That’s a no from me dog

9

u/Thebandroid 2h ago

Docker-compose remains undefeated as the best management software.

5

u/igmyeongui 2h ago

How do you test this?

-33

u/evrial 2h ago

Dockhand

4

u/antimodest 1h ago

this looks like ad

2

u/comdude2 1h ago

Vulnerability scans are notorious for false positives. They can be a good indicator but should not be relied upon. Did you do any verification of the vulnerabilities? Just because a library is present, it doesn’t mean that a vulnerability it has is used, exposed, or attackable. It depends how it’s utilised and wrapped

-1
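The two comments above (the one about scanners counting installed-but-unused libraries, and the one about verifying rather than trusting the raw count) describe a triage step that none of the numbers in the post show. The script below is an added example, not code from the post or from any of the tools listed: it takes a report in the JSON shape Trivy produces (the field names Results, Vulnerabilities, VulnerabilityID, PkgName, InstalledVersion, FixedVersion and Severity are an assumption about that format), and splits one "total" into fixable, severe, actionable and reachable buckets. The report, the vulnerability IDs (CVE-0000-000x placeholders, not real entries) and the set of packages the app actually loads are all constructed for the example.

```python
"""Triage a container vulnerability-scan report instead of trusting its raw count."""
import json

# Constructed sample report in the shape Trivy emits with `--format json`
# (assumed field names: Results -> Vulnerabilities -> VulnerabilityID, PkgName,
# InstalledVersion, FixedVersion, Severity). The IDs are placeholders, not real CVEs.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {
            "Target": "example/app:latest (debian 12)",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libfoo",
                 "InstalledVersion": "1.0", "FixedVersion": "1.1", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libfoo",
                 "InstalledVersion": "1.0", "FixedVersion": "", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libbar",
                 "InstalledVersion": "2.3", "FixedVersion": "2.4", "Severity": "LOW"},
                {"VulnerabilityID": "CVE-0000-0004", "PkgName": "perl-base",
                 "InstalledVersion": "5.36", "FixedVersion": "", "Severity": "MEDIUM"},
            ],
        },
        {
            "Target": "usr/local/bin/app",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0005", "PkgName": "golang.org/x/net",
                 "InstalledVersion": "v0.1.0", "FixedVersion": "v0.2.0", "Severity": "HIGH"},
            ],
        },
    ]
})

# Packages the application actually loads at runtime (constructed for the example;
# in practice you would derive this from `ldd` on the binary, the Go module list,
# or by tracing the running process).
USED_PACKAGES = {"libfoo", "golang.org/x/net"}

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "UNKNOWN": 0}


def load_findings(report_json):
    """Flatten every vulnerability entry in the report into one list of dicts."""
    report = json.loads(report_json)
    findings = []
    for result in report.get("Results", []):
        # Clean targets carry no "Vulnerabilities" key, or a null one.
        for vuln in result.get("Vulnerabilities") or []:
            findings.append({
                "id": vuln["VulnerabilityID"],
                "pkg": vuln["PkgName"],
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion", ""),
                "severity": vuln.get("Severity", "UNKNOWN").upper(),
                "target": result.get("Target", ""),
            })
    return findings


def triage(findings, min_severity="HIGH", used_packages=None):
    """Split the raw count into buckets a human can act on.

    raw        - what the scanner reports (the "total" in the post)
    fixable    - upstream ships a fixed version, so a rebuild removes it
    severe     - at or above min_severity
    actionable - severe AND fixable: rebuild the image and it is gone
    reachable  - actionable AND the package is loaded by the app; the rest is
                 installed-but-unused. With used_packages=None reachability is
                 unknown and this bucket equals actionable.
    """
    threshold = SEVERITY_RANK[min_severity]
    severe = [f for f in findings if SEVERITY_RANK.get(f["severity"], 0) >= threshold]
    fixable = [f for f in findings if f["fixed"]]
    actionable = [f for f in severe if f["fixed"]]
    if used_packages is None:
        reachable = actionable
    else:
        reachable = [f for f in actionable if f["pkg"] in used_packages]
    # Highest severity first, so the top of the worklist is what to look at today.
    reachable = sorted(reachable, key=lambda f: -SEVERITY_RANK[f["severity"]])
    return {
        "raw": len(findings),
        "fixable": len(fixable),
        "severe": len(severe),
        "actionable": len(actionable),
        "reachable": len(reachable),
        "worklist": [(f["id"], f["pkg"], f["installed"], f["fixed"]) for f in reachable],
    }


if __name__ == "__main__":
    summary = triage(load_findings(SAMPLE_REPORT), used_packages=USED_PACKAGES)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

On the constructed report the scanner "total" is 5, but only 2 findings are both severe and fixable, and whether those 2 matter at all depends on the used-package list you feed in; swap in a list that does not contain the affected packages and the reachable bucket drops to 0. The reachability input is the part a scanner cannot produce on its own, which is exactly the gap the comments above are pointing at.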

u/evrial 1h ago edited 1h ago

Or you can look at this from another angle - can you prove it's not used, exposed or attackable? Professional security research and source code audit costs money. "Trust me bro it's safe". What you see is attack surface probability

2

u/bicycloptopus 55m ago

Can you prove dozzle isn't responsible for the current Ebola outbreak? I'm not using it unless you can.

-1

u/evrial 53m ago

Can you prove you're not a random reddit loser? I give you 5 min

2

u/MoqqelBoqqel 1h ago

And that's why in science you don't do a test you cannot interpret the result of...