How to scan Docker images using THOR – Part 1

by May 4, 2023

In this blog article, we will talk about how you can use THOR to scan Docker images. Consider the following use case:  Before using an upstream Docker image, you want to precheck it for known IOCs and backdoors. THOR can help you with this!


  • Docker image with a shell installed (e.g. sh, bash, etc.)
  • THOR 🙂
    • In this example we will use Thor-Lite. However, for a real-world usecase you should consider using the full Thor version (Thor vs Thor-lite).

Running THOR in a Docker container

In your THOR folder run: docker run --rm -it -v ${PWD}:/thor alpine /bin/sh. This will create a Docker container based on Alpine Linux, mount your working directory (where THOR is stored) to /thor in the container, and will drop you into the sh shell. Inside the Docker container you can cd /thor and start THOR: ./thor-lite-linux. You can exchange alpine with any Docker image, as long as it includes a shell.

After the THOR scan is finished you can exit the shell (the Docker container) and you will find the following files:

  • {docker-id}_files_md5s.csv
  • {docker-id}_thor_{date}.html
  • {docker-id}_thor_{date}.txt

These files contain all findings of the THOR scan.

By using THOR to scan Docker images, you do not have to blindly trust the author of an upstream Docker image – you can see for yourself!

In part 2 of this series we explain how to scan Docker containers using THOR. 

About the author:

Paul Hager

Threat Researcher & Detection Engineer @nextronsystems | @TUVienna Graduate


New blog posts (~1 email/month)

GDPR Cookie Consent with Real Cookie Banner