|
1 | 1 | # TAGLINE |
2 | 2 |
|
3 | | -Docker image secrets scanner |
| 3 | +explore and extract Docker registry contents |
4 | 4 |
|
5 | 5 | # TLDR |
6 | 6 |
|
7 | | -**Scan Docker Hub** for secrets |
| 7 | +**List all repositories** in a registry |
8 | 8 |
|
9 | | -```dockdiver -u [username]``` |
| 9 | +```dockdiver -url [registry_host] -list``` |
10 | 10 |
|
11 | | -**Scan specific image** |
| 11 | +**Dump a specific repository** |
12 | 12 |
|
13 | | -```dockdiver -i [image:tag]``` |
| 13 | +```dockdiver -url [registry_host] -dump [repository]``` |
14 | 14 |
|
15 | | -**Scan with output** file |
| 15 | +**Dump every repository** into a directory |
16 | 16 |
|
17 | | -```dockdiver -u [username] -o [results.txt]``` |
| 17 | +```dockdiver -url [registry_host] -dump-all -dir [output_dir]``` |
18 | 18 |
|
19 | | -**Scan with custom** patterns |
| 19 | +**Authenticate with basic** credentials |
20 | 20 |
|
21 | | -```dockdiver -i [image:tag] -p [patterns.json]``` |
| 21 | +```dockdiver -url [registry_host] -username [user] -password [pass] -list``` |
| 22 | + |
| 23 | +**Use a bearer token** and skip TLS verification |
| 24 | + |
| 25 | +```dockdiver -url [registry_host] -bearer [token] -insecure -dump-all``` |
22 | 26 |
|
23 | 27 | # SYNOPSIS |
24 | 28 |
|
25 | 29 | **dockdiver** [_options_] |
26 | 30 |
|
27 | 31 | # PARAMETERS |
28 | 32 |
|
29 | | -**-u** _USERNAME_ |
30 | | -> Docker Hub username to scan. |
| 33 | +**-url** _STRING_ |
| 34 | +> Base URL or hostname of the Docker registry (required). |
| 35 | +
|
| 36 | +**-port** _INT_ |
| 37 | +> Registry port used when not specified in the URL. Default 5000. |
| 38 | +
|
| 39 | +**-list** |
| 40 | +> List all repositories in the registry. |
| 41 | +
|
| 42 | +**-dump** _REPOSITORY_ |
| 43 | +> Download a single repository (manifest, config blob, and layer tarballs). |
| 44 | +
|
| 45 | +**-dump-all** |
| 46 | +> Download all repositories found in the registry. |
| 47 | +
|
| 48 | +**-dir** _DIRECTORY_ |
| 49 | +> Output directory for dumped files. Default docker_dump. |
| 50 | +
|
| 51 | +**-username** _STRING_ |
| 52 | +> Username for HTTP Basic authentication. |
| 53 | +
|
| 54 | +**-password** _STRING_ |
| 55 | +> Password for HTTP Basic authentication. |
| 56 | +
|
| 57 | +**-bearer** _STRING_ |
| 58 | +> Bearer token for the Authorization header. |
| 59 | +
|
| 60 | +**-headers** _JSON_ |
| 61 | +> Custom request headers as JSON, e.g. '{"X-Custom": "Value"}'. |
| 62 | +
|
| 63 | +**-insecure** |
| 64 | +> Skip TLS certificate verification. |
31 | 65 |
|
32 | | -**-i** _IMAGE_ |
33 | | -> Specific image to analyze. |
| 66 | +**-rate** _INT_ |
| 67 | +> Requests per second. Default 3. |
34 | 68 |
|
35 | | -**-o** _FILE_ |
36 | | -> Output file for results. |
| 69 | +**-timeout** _DURATION_ |
| 70 | +> HTTP request timeout, e.g. 10s or 500ms. Default 30s. |
37 | 71 |
|
38 | | -**-p** _FILE_ |
39 | | -> Custom pattern file. |
| 72 | +**-proxy** _URL_ |
| 73 | +> Proxy URL (http, https, or socks5). |
40 | 74 |
|
41 | | -**-v** |
42 | | -> Verbose output. |
| 75 | +**-proxy-username** _STRING_ |
| 76 | +> Username for SOCKS5 proxy authentication. |
43 | 77 |
|
44 | | -**--help** |
45 | | -> Display help information. |
| 78 | +**-proxy-password** _STRING_ |
| 79 | +> Password for SOCKS5 proxy authentication. |
46 | 80 |
|
47 | 81 | # DESCRIPTION |
48 | 82 |
|
49 | | -**dockdiver** is a security tool for analyzing Docker images and Docker Hub repositories for exposed secrets, credentials, and sensitive information. It scans image layers to identify potentially dangerous data leakage. |
| 83 | +**dockdiver** is a Go utility that enumerates and extracts the contents of a Docker registry exposed over the Registry HTTP API V2. It can list repositories, dump a single repository, or dump every repository, retrieving manifests, configuration blobs, and layer tarballs while verifying each blob with its SHA256 digest. |
50 | 84 |
|
51 | | -The tool searches for common secret patterns including API keys, passwords, private keys, and credentials embedded in Docker images. It can scan individual images or entire user repositories. |
| 85 | +It is aimed at penetration testing, bug bounty, and CTF scenarios where a registry (often a self-hosted one on port 5000) is reachable and may expose images that contain source code, configuration, or credentials. Authentication via Basic credentials or a bearer token, custom headers, proxy support, and a configurable request rate make it suitable for working against access-controlled or rate-limited registries. |
52 | 86 |
|
53 | | -dockdiver helps security teams audit container images before deployment and identify credential exposure in public registries. |
| 87 | +This tool targets the registry itself rather than the public Docker Hub web interface, and it downloads raw image data for offline inspection rather than scanning layers for secrets on its own. |
54 | 88 |
|
55 | 89 | # CAVEATS |
56 | 90 |
|
57 | | -Scanning large images may take time. Some secrets may be obfuscated or encoded. Only scans accessible images. Pattern matching may produce false positives. |
| 91 | +Only registries reachable over the HTTP API V2 are supported. Use against registries you are authorized to access. Dumping all repositories can transfer large amounts of data; the default rate of 3 requests per second limits load and helps avoid tripping rate limits. |
58 | 92 |
|
59 | 93 | # HISTORY |
60 | 94 |
|
61 | | -dockdiver was created as a security research tool to address the widespread problem of secrets being accidentally committed to Docker images. It automates the discovery of exposed credentials in container registries. |
| 95 | +dockdiver is an open-source Go tool published on GitHub by MachiavelliII. It ships with a registry lab environment in its lab directory for safe testing. |
62 | 96 |
|
63 | 97 | # SEE ALSO |
64 | 98 |
|
65 | | -[dive](/man/dive)(1), [trivy](/man/trivy)(1), [grype](/man/grype)(1) |
| 99 | +[dive](/man/dive)(1), [trivy](/man/trivy)(1), [grype](/man/grype)(1), [docker-pull](/man/docker-pull)(1) |
0 commit comments