DEV.co
Open-Source Security · P3GLEG

Whaler

Whaler is a Go utility that reverse-engineers Docker images back into their original Dockerfiles. It extracts layer metadata, detects potential secrets in filenames, and recovers copied/added files, making it useful for auditing image provenance and identifying embedded credentials.

Source: GitHub — github.com/P3GLEG/Whaler
1.2k
GitHub stars
103
Forks
Go
Primary language
GPL-3.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
RepositoryP3GLEG/Whaler
OwnerP3GLEG
Primary languageGo
LicenseGPL-3.0 — OSI-approved
Stars1.2k
Forks103
Open issues8
Latest release1.0 (2018-06-27)
Last updated2026-04-08
Sourcehttps://github.com/P3GLEG/Whaler

What Whaler is

Whaler analyzes Docker image layers using the Docker API to reconstruct build instructions, identify added files, and flag high-risk filenames associated with secrets. It outputs a synthetic Dockerfile approximation along with environment variables, exposed ports, and runtime user information.

Quickstart

Get the Whaler source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/P3GLEG/Whaler.gitcd Whaler# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Container Image Security Auditing

Scan pulled or internally-built images for accidentally embedded secrets, credentials, or sensitive files before deployment to identify security gaps in the build pipeline.

Dockerfile Reconstruction & Documentation

Recover build instructions from images lacking original Dockerfile source, enabling better understanding of legacy or third-party container configurations.

Container Supply-Chain Compliance

Verify that published images conform to organization policies on base OS, dependencies, and runtime configuration by reversing and analyzing the image structure.

Implementation considerations

  • Requires local Docker daemon access (mounted socket `/var/run/docker.sock`); ensure proper RBAC and network isolation in container orchestration.
  • Docker API version must often be specified manually via `-sV` flag; document expected version for your target images.
  • Secret-detection rules are based on filename patterns (configurable in `ignore.go`); customize to match your organization's sensitive file naming conventions.
  • Extracted files and generated Dockerfiles are approximate reconstructions; layer metadata is incomplete, so output should be validated against source.
  • No built-in logging or audit trail; implement wrapper scripts or logging if you need to track which images were scanned and when.

When to avoid it — and what to weigh

  • Production Secret Scanning Workflow — Do not rely solely on Whaler for secrets detection in CI/CD. Use specialized secret-scanning tools (e.g., Trivy, Syft) with fresher maintenance and broader scanning rules instead.
  • Compliance & Audit with SLA Requirements — Last release was 2018; project lacks recent updates and active maintenance. Unsuitable for environments requiring current vendor support, security patches, or compliance certifications.
  • Large-Scale Registry Scanning — No evidence of performance optimization or batch processing. Unclear scalability for scanning hundreds of images; consider purpose-built registry scanning solutions.
  • Multi-Version Docker Compatibility — Requires manual Docker API version specification (`-sV` flag). Automated version detection is absent, making it fragile in heterogeneous container environments.

License & commercial use

Licensed under GPL-3.0 (GNU General Public License v3.0), a copyleft license requiring source code disclosure and derived works to also be licensed under GPL-3.0.

GPL-3.0 is not a permissive license. Commercial use is permitted, but any modifications or derivative works distributed must be released under GPL-3.0 with source code access. Internal use without distribution is generally allowed. Requires legal review before incorporating into proprietary products or SaaS offerings.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceStale
DocumentationLimited
License clarityClear
Deployment complexityLow
DEV.co fitGood
Assessment confidenceHigh
Security considerations

Whaler accesses Docker image layers via daemon API, requiring privileged socket access; restrict access to trusted operators. The tool may expose embedded secrets during analysis—handle output with care. Project has no documented security audit, CVE history, or recent security patches. Use as an analytical tool, not as the sole gatekeeper in a security pipeline.

Alternatives to consider

Trivy (Aqua Security)

Active maintenance, broader vulnerability scanning, secrets detection, SBoM generation, and CI/CD integration. Industry-standard for container image scanning.

Syft (Anchore)

Focused SBoM/inventory generation from images with modern tooling, better performance, and active development. Complements Whaler for image composition analysis.

Dive (Jack Hammond)

Interactive image layer explorer with better maintenance and documentation. Better for understanding layer composition but not for secret detection.

Software development agency

Build on Whaler with DEV.co software developers

Whaler helps you reverse-engineer Docker images and detect embedded secrets. Contact our DevOps specialists to integrate image scanning into your CI/CD pipeline securely.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

Whaler FAQ

Can Whaler detect all secrets in an image?
No. Whaler searches filenames and added files for common secret patterns (e.g., `.pem`, `.key`, `password`). Secrets embedded in binary layers, environment variables, or obfuscated paths may be missed. Use specialized secret-scanning tools (Trivy, GitGuardian) in parallel.
What Docker API versions does Whaler support?
Not clearly documented. Users must often specify via `-sV` flag (e.g., `1.36`). Compatibility matrix is absent. Test with your target Docker daemon version.
Is Whaler suitable for continuous container image scanning?
Not ideal. Last release is 8 years old, 8 issues are open, and no recent security updates. For production scanning pipelines, use actively maintained tools like Trivy or Grype.
What does the reconstructed Dockerfile represent?
An approximation. Docker image layers store partial metadata; Whaler cannot perfectly reverse multi-stage builds, ARG substitutions, or RUN cache optimization. Output is informational; validate against source.

Software developers & web developers for hire

Need help beyond evaluating Whaler? DEV.co is a software development agency offering software development services and web development for teams of every size. Our software developers and web developers build custom software, web applications, APIs, and open-source security integrations — and maintain them long-term.

Need to Audit Your Container Images?

Whaler helps you reverse-engineer Docker images and detect embedded secrets. Contact our DevOps specialists to integrate image scanning into your CI/CD pipeline securely.