gitsafehub
github.com/jesseduffield/lazydocker

jesseduffield/lazydocker

scanned 2026-05-27 · git 7e7aadc
2 of 6 checks flagged a security issue
🔴 Needs attention
6 checks ran. Start with the Known OSS vulnerabilities section below; its one serious finding is the same golang.org/x/crypto issue that Trivy lists as CVE-2024-45337, so the two flagged checks point at a single bug.

Informational scan, not a security audit.

Summary: Leaked secrets: none · Vulnerable dependencies: 13 · Known OSS vulnerabilities: 77 · Risky code patterns: none · Malicious dependencies: none · Project health: 9 notes

Security checks

Leaked secrets — Gitleaks none found ✓

API keys, passwords or tokens committed into the repo.

Nothing found by this check. ✓

via Gitleaks v8.21.2 · MIT

Vulnerable dependencies — Trivy 13 found · 1 serious

Packages you depend on that have known security holes (CVEs). Trivy matches the module versions in go.mod against each advisory's affected version range; it does not check whether the vulnerable function is reachable from lazydocker's code. Read each item as "you ship a vulnerable version", not "you are exploitable". govulncheck ./... (from golang.org/x/vuln) does the call-graph check and is the right tool for triaging this list.

  Thirteen advisories across four Go modules. The CVE titles are as Trivy reports them (several are truncated with "..."); the module attributions come from the vendor named in each title and from the matching entries in the OSV-Scanner list further down.

  • golang.org/x/crypto (ssh and ssh/agent packages)
    Serious CVE-2024-45337 Applications and libraries which misuse connection.serverAuthenticate ...
    Worth fixing CVE-2025-22869 SSH servers which implement file transfer protocols are vulnerable to ...
    Worth fixing CVE-2025-47914 SSH Agent servers do not validate the size of messages when processing ...
    Worth fixing CVE-2025-58181 SSH servers parsing GSSAPI authentication requests do not validate the ...
    go.mod
    CVE-2024-45337 is an authorization bypass for SSH servers that use ServerConfig.PublicKeyCallback to track which key a client authenticated with; the fix landed in golang.org/x/crypto v0.31.0. The other three are denial-of-service issues in server-side code (SSH server and SSH agent server), per their descriptions. Fix: go get golang.org/x/crypto@latest, then go mod tidy and re-scan. A go.mod version match does not establish that lazydocker ever runs an SSH server; govulncheck ./... answers that.
  • github.com/docker/cli
    Worth fixing CVE-2025-15558 docker/cli: Docker CLI for Windows: Privilege escalation via malicious plugin binaries
    go.mod
    Windows-only by its description. Fix: update github.com/docker/cli to the patched release the advisory names.
  • github.com/docker/docker (Moby; the OSV-Scanner entries below report this family of issues against that module path)
    Worth fixing CVE-2026-34040 Moby: Moby: Authorization bypass vulnerability
    Worth fixing CVE-2026-41567 Docker: `PUT /containers/{id}/archive` executes container binary on the host
    Worth fixing CVE-2026-42306 Docker: Race condition in docker cp allows bind mount redirection to host path
    Worth fixing CVE-2026-33997 moby: docker: github.com/moby/moby: Moby: Privilege validation bypass during plugin installation
    Worth fixing CVE-2026-41568 Docker: Race condition in docker cp allows creation of arbitrary empty files on the host via symlink swap
    go.mod
    These titles describe behaviour of the Docker daemon (API authorization, archive and docker cp handling, plugin installation). A client program such as lazydocker imports the module to talk to the daemon and so inherits the flagged versions, but the code those advisories describe runs in dockerd; patch the daemon on the host as well as bumping the module. Fix: update github.com/docker/docker to the patched version each advisory names.
  • go.opentelemetry.io/otel (SDK; the OSV-Scanner entries below attribute the PATH-hijacking issue to go.opentelemetry.io/otel/sdk)
    Worth fixing CVE-2026-39882 OpenTelemetry-Go is the Go implementation of OpenTelemetry. Prior to 1 ...
    Worth fixing CVE-2026-24051 OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking
    Worth fixing CVE-2026-39883 opentelemetry-go: BSD kenv command not using absolute path enables PATH hijacking
    go.mod
    Two of the three are the same class of bug: the SDK runs a system command by bare name, so whoever controls an earlier PATH entry gets code execution inside the process. Fix: go get go.opentelemetry.io/otel/sdk@latest together with the other go.opentelemetry.io/otel modules in go.mod, then go mod tidy.

via Trivy v0.70.0 · Apache-2.0
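What the two dependency scanners do with go.mod, reduced to its core, as an added example written for this page (it is not lazydocker's code, nor Trivy's or OSV-Scanner's): parse the require directives, compare each module's version against an advisory's introduced/fixed range using Go's semver precedence, and report the requirements that fall inside. The go.mod excerpt and the two SAMPLE-* advisories are constructed for the example; the golang.org/x/crypto v0.31.0 fix version for CVE-2024-45337 is real. Build metadata such as +incompatible and pre-release suffixes are handled the way naive string comparison gets wrong.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Constructed go.mod excerpt for this example; not lazydocker's real file.
const sampleGoMod = `module example.com/sample

go 1.22

require (
	golang.org/x/crypto v0.27.0
	github.com/docker/docker v27.0.0+incompatible // indirect
	go.opentelemetry.io/otel/sdk v1.30.0
)
`

// advisory is a reduced OSV-style record: module is affected from
// introduced (inclusive) up to fixed (exclusive).
type advisory struct {
	id, module, introduced, fixed string
}

// The x/crypto entry carries the real fix version for CVE-2024-45337;
// the SAMPLE-* records are invented to exercise the matcher.
var sampleAdvisories = []advisory{
	{"CVE-2024-45337", "golang.org/x/crypto", "0", "0.31.0"},
	{"SAMPLE-0001", "github.com/docker/docker", "0", "27.1.0"},
	{"SAMPLE-0002", "go.opentelemetry.io/otel/sdk", "1.31.0", "1.32.0"},
}

type finding struct {
	ID, Module, Version, Fixed string
}

// parseRequires returns module -> version for every require directive,
// in block or single-line form, ignoring trailing "// indirect" comments.
func parseRequires(gomod string) map[string]string {
	reqs := map[string]string{}
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		f := strings.Fields(line)
		switch {
		case line == "require (":
			inBlock = true
		case inBlock && line == ")":
			inBlock = false
		case inBlock && len(f) == 2:
			reqs[f[0]] = f[1]
		case !inBlock && len(f) == 3 && f[0] == "require":
			reqs[f[1]] = f[2]
		}
	}
	return reqs
}

// splitVersion turns "v1.2.3-rc1+incompatible" into [1 2 3] and "rc1".
// Build metadata after "+" never affects precedence.
func splitVersion(v string) (nums [3]int, pre string) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.Index(v, "+"); i >= 0 {
		v = v[:i]
	}
	if i := strings.Index(v, "-"); i >= 0 {
		pre, v = v[i+1:], v[:i]
	}
	for i, part := range strings.SplitN(v, ".", 3) {
		nums[i], _ = strconv.Atoi(part)
	}
	return nums, pre
}

// compareVersions reports -1, 0 or 1. A pre-release sorts before its final
// release, so v0.31.0-rc1 is still inside a range fixed at 0.31.0.
func compareVersions(a, b string) int {
	na, pa := splitVersion(a)
	nb, pb := splitVersion(b)
	for i := 0; i < 3; i++ {
		if na[i] != nb[i] {
			if na[i] < nb[i] {
				return -1
			}
			return 1
		}
	}
	switch {
	case pa == pb:
		return 0
	case pa == "":
		return 1
	case pb == "":
		return -1
	}
	return strings.Compare(pa, pb)
}

// matchAdvisories is a purely version-based match, as the scanners do with
// go.mod: it has no idea whether the vulnerable function is ever called.
func matchAdvisories(reqs map[string]string, advs []advisory) []finding {
	var out []finding
	for _, a := range advs {
		v, ok := reqs[a.module]
		if !ok {
			continue
		}
		if compareVersions(v, a.introduced) >= 0 && compareVersions(v, a.fixed) < 0 {
			out = append(out, finding{a.id, a.module, v, a.fixed})
		}
	}
	return out
}

func main() {
	for _, f := range matchAdvisories(parseRequires(sampleGoMod), sampleAdvisories) {
		fmt.Printf("%s: %s %s is below fix %s -> go get %s@v%s\n",
			f.ID, f.Module, f.Version, f.Fixed, f.Module, f.Fixed)
	}
}
```

Writing it out makes the limitation visible: the match is on versions alone. Nothing here knows whether the program ever calls the vulnerable function, which is why a server-side SSH callback bug such as CVE-2024-45337 shows up in a Docker TUI client. govulncheck ./... from golang.org/x/vuln adds that reachability analysis and is the right next step before deciding what to prioritise.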

Known OSS vulnerabilities — OSV-Scanner 77 found · 1 serious

Your dependencies cross-checked against the OSV vulnerability database. OSV carries one bug under several aliases (a CVE, a GHSA and a GO-… ID can all describe the same fix), so the 77 entries overlap heavily with each other and with the 13 Trivy findings above; the number counts records, not distinct bugs. The fix is the same for all of them: move the named module past the advisory's fixed version and re-run both scanners.

  All entries are reported against go.mod (OSV-Scanner prints the absolute path of the scanner's temporary workdir in front of it; only the file name matters). Fix for each: update the named module to its patched version. Severity labels come from each record's own database entry, which is why the same flaw can be Serious under its GHSA ID and FYI under its GO ID.

  • Serious GHSA-v778-237x-gjrc Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in golang.org/x/crypto (the same issue as CVE-2024-45337 in the Trivy list and GO-2024-3321 below; fixed in v0.31.0)
  • Worth fixing GHSA-p436-gjf2-799p Docker CLI Plugins: Uncontrolled Search Path Element Leads to Local Privilege Escalation on Windows
  • Worth fixing GHSA-rg2x-37c3-w2rh Docker: Race condition in docker cp allows bind mount redirection to host path
  • Worth fixing GHSA-x744-4wpc-v9h2 Moby has AuthZ plugin bypass when provided oversized request bodies
  • Worth fixing GHSA-x86f-5xw2-fm2r Docker: `PUT /containers/{id}/archive` executes container binary on the host
  • Worth fixing GHSA-9h8m-3fm2-qjrq OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking
  • Worth fixing GHSA-hfvc-g4fc-pqhx opentelemetry-go: BSD kenv command not using absolute path enables PATH hijacking
  • Worth fixing GHSA-hcg3-q754-cr77 golang.org/x/crypto Vulnerable to Denial of Service (DoS) via Slow or Incomplete Key Exchange
  • FYI GO-2026-4610 Docker CLI Plugins: Uncontrolled Search Path Element Leads to Local Privilege Escalation on Windows in github.com/docker/cli
  • FYI GO-2026-4883 Moby has an Off-by-one error in its plugin privilege validation in github.com/docker/docker
  • FYI GO-2026-4887 Moby has AuthZ plugin bypass when provided oversized request bodies in github.com/docker/docker
  • FYI GHSA-pxq6-2prw-chj9 Moby has an Off-by-one error in its plugin privilege validation
  • FYI GHSA-vp62-88p7-qqf5 Docker: Race condition in docker cp allows creation of arbitrary empty files on the host via symlink swap
  • FYI GO-2026-4985 Oversized OTLP HTTP response bodies can cause memory exhaustion in go.opentelemetry.io/otel/exporters/otlp
  • FYI GHSA-w8rr-5gcm-pp58 opentelemetry-go: OTLP HTTP exporters read unbounded HTTP response bodies
  • FYI GO-2026-4394 OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking in go.opentelemetry.io/otel/sdk
  • FYI GO-2024-3321 Misuse of connection.serverAuthenticate may cause authorization bypass in golang.org/x/crypto
  • FYI GO-2025-3487 Potential denial of service in golang.org/x/crypto
  • FYI GO-2025-4116 Potential denial of service in golang.org/x/crypto/ssh/agent
  • FYI GO-2025-4134 Unbounded memory consumption in golang.org/x/crypto/ssh
  • FYI GO-2025-4135 Malformed constraint may cause denial of service in golang.org/x/crypto/ssh/agent
  • FYI GO-2026-5005 Invoking key constraints not enforced in golang.org/x/crypto/ssh/agent
  • FYI GO-2026-5006 Invoking agent constraints dropped when forwarding keys in golang.org/x/crypto/ssh/agent
  • FYI GO-2026-5013 Invoking byte arithmetic causes underflow and panic in golang.org/x/crypto/ssh
  • FYI GO-2026-5014 Invoking bypass of certificate restrictions in golang.org/x/crypto/ssh
… 52 more not shown

via OSV-Scanner v1.9.2 · Apache-2.0
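The serious finding, GHSA-v778-237x-gjrc / GO-2024-3321 / CVE-2024-45337, is a misuse pattern rather than a bug in a single function, so here is the pattern next to its fix, as an added example written for this page. It does not import golang.org/x/crypto/ssh and is not that library's code: Permissions, PublicKeyCallback and serverAuthenticate below are reduced stand-ins that reproduce only the behaviour the advisory turns on, namely that the callback runs for every key the client offers (including unsigned "is this key acceptable?" queries), results are cached per key, and the connection ends up authenticated with whichever offered key the client can actually sign for. The key names and the authorized table are constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// Reduced stand-ins for ssh.Permissions and ssh.ServerConfig.PublicKeyCallback.
type Permissions struct {
	Extensions map[string]string
}

type PublicKeyCallback func(key string) (*Permissions, error)

// attempt is one client auth message: a query (no signature, RFC 4252 §7)
// or a signed request. Keys are plain strings standing in for fingerprints.
type attempt struct {
	key    string
	signed bool
}

// serverAuthenticate mimics the pre-v0.31.0 x/crypto/ssh loop: the callback
// runs once per distinct offered key (results are cached), and the first
// signed attempt whose key the client can prove control of completes the
// handshake with the Permissions that key's callback returned.
func serverAuthenticate(cb PublicKeyCallback, attempts []attempt, canSign map[string]bool) (*Permissions, error) {
	cache := map[string]*Permissions{}
	for _, a := range attempts {
		perms, seen := cache[a.key]
		if !seen {
			var err error
			if perms, err = cb(a.key); err != nil {
				continue // key rejected; the client may offer another
			}
			cache[a.key] = perms
		}
		if a.signed && canSign[a.key] {
			return perms, nil
		}
	}
	return nil, errors.New("no successful authentication")
}

// Constructed authorized-keys table. Both keys are acceptable; the attacker
// holds only the private half of key-A.
var authorized = map[string]string{"key-A": "reader", "key-B": "admin"}

// vulnerableServer records the last key the callback saw in external state
// and later treats it as the authenticated identity. This is the misuse.
func vulnerableServer(attempts []attempt, canSign map[string]bool) (string, error) {
	var lastKey string
	cb := func(key string) (*Permissions, error) {
		if _, ok := authorized[key]; !ok {
			return nil, errors.New("unknown key")
		}
		lastKey = key
		return &Permissions{}, nil
	}
	if _, err := serverAuthenticate(cb, attempts, canSign); err != nil {
		return "", err
	}
	return authorized[lastKey], nil
}

// fixedServer attaches the identity to the Permissions returned for that
// key and reads it back from the established connection, so the role is
// always the one bound to the key that actually signed.
func fixedServer(attempts []attempt, canSign map[string]bool) (string, error) {
	cb := func(key string) (*Permissions, error) {
		role, ok := authorized[key]
		if !ok {
			return nil, errors.New("unknown key")
		}
		return &Permissions{Extensions: map[string]string{"pubkey-fp": key, "role": role}}, nil
	}
	perms, err := serverAuthenticate(cb, attempts, canSign)
	if err != nil {
		return "", err
	}
	return perms.Extensions["role"], nil
}

// Attack trace from the advisory: offer A, offer B, then sign with A.
// The callback sees A then B; the connection is authenticated as A.
var attack = []attempt{{"key-A", false}, {"key-B", false}, {"key-A", true}}
var attackerKeys = map[string]bool{"key-A": true}

func main() {
	v, _ := vulnerableServer(attack, attackerKeys)
	f, _ := fixedServer(attack, attackerKeys)
	fmt.Println("vulnerable server grants:", v) // admin
	fmt.Println("fixed server grants:", f)      // reader
}
```

Run it and the vulnerable server grants the attacker admin, key-B's role, although only key-A's private key was ever used, because the callback's last invocation happened to be for key-B. golang.org/x/crypto v0.31.0 mitigates this inside the library by re-invoking the callback so that its last call matches the authenticating key, but the advisory's recommended fix is the fixedServer shape: return the identity in Permissions.Extensions and read it from the connection's Permissions after the handshake, never from state captured by the callback.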

Risky code patterns — Semgrep none found ✓

Code that can be exploited — injection, hardcoded credentials and similar.

Nothing found by this check. ✓

via Semgrep v1.147.0 · LGPL-2.1

Malicious dependencies — Guarddog none found ✓

Packages that look intentionally malicious — typosquats, sneaky install scripts.

Nothing found by this check. ✓

via Guarddog v2.10.0 · Apache-2.0

Project health — OpenSSF Scorecard 9 notes

Maintenance and supply-chain hygiene signals about the project, not vulnerabilities in your code. They don't affect the verdict above.

  • Minor scorecard-overall OpenSSF Scorecard overall: 4.8/10
  • Minor scorecard-CII-Best-Practices CII-Best-Practices scored 0: no effort to earn an OpenSSF best practices badge detected
  • Minor scorecard-Fuzzing Fuzzing scored 0: project is not fuzzed
    Go has native fuzzing (go test -fuzz); a fuzz target for the parsers of user-controlled input is the cheap way to clear this check.
  • Minor scorecard-Pinned-Dependencies Pinned-Dependencies scored 0: dependency not pinned by hash detected -- score normalized to 0
    Typically a GitHub Actions `uses:` line pinned to a tag instead of a commit SHA, or a Dockerfile or shell download without a digest. Go modules themselves are already pinned by go.sum.
  • Minor scorecard-SAST SAST scored 0: SAST tool is not run on all commits -- score normalized to 0
    Scorecard looks for a SAST tool such as CodeQL in the project's own CI; the Semgrep run on this page is external to the project and does not count.
  • Minor scorecard-Security-Policy Security-Policy scored 0: security policy file not detected
    A SECURITY.md with a private reporting channel is all this check needs.
  • Minor scorecard-Signed-Releases Signed-Releases scored 0: Project has not signed or included provenance with any releases.
    Without signatures or provenance, downstream users cannot verify that a release binary was built from this repository's source by its CI.
  • Minor scorecard-Token-Permissions Token-Permissions scored 0: detected GitHub workflow tokens with excessive permissions
    At least one workflow runs with the repository's default GITHUB_TOKEN scope instead of a top-level `permissions:` block granting read-only access.
  • Minor scorecard-Vulnerabilities Vulnerabilities scored 0: 28 existing vulnerabilities detected
    Scorecard also queries OSV, so this overlaps with the dependency findings above rather than adding new ones.

via OpenSSF Scorecard v5.5.0 · Apache-2.0
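Two of the Scorecard notes, Token-Permissions and Pinned-Dependencies, are fixed in the same file. The workflow below is an added illustration written for this page, not one of lazydocker's workflows: the weak form first, then the corrected one. The commit SHA is a placeholder, not a real actions/checkout commit.

```yaml
# Weak: no permissions block, so the job's GITHUB_TOKEN gets the repository
# default (which may be read/write), and the action is pinned only to a
# mutable tag that its publisher can move.
name: ci-weak
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: go test ./...

---
# Corrected: least-privilege token at the workflow level (grant more back
# per job only where a job needs it), and the action pinned to an immutable
# commit SHA with the tag kept as a comment for readability. The SHA below
# is a placeholder; take the real one from the action's release page or let
# Dependabot / Renovate fill it in.
name: ci
on: [push, pull_request]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4
      - run: go test ./...
```

A job that needs to publish a release adds its own `permissions:` block with `contents: write` instead of widening the workflow-level grant; Scorecard scores per-job grants as intended, and the read-only default limits what a compromised step or third-party action can do with the token.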

About these results. Six open-source checks ran in parallel; every finding is tagged with the tool that produced it. The verdict follows a published rule. False positives and false negatives are normal — a clean scan does not mean the code is secure, and a red verdict does not mean the project is compromised.