[FEATURE] Add Docker Model Runner as a local LLM provider

[advaitpatel]

Background

Docker Model Runner (introduced in Docker Desktop 4.40 / Docker Engine 2025) allows running LLMs locally via Docker with a single command:

docker model run ai/smollm2

It exposes an OpenAI-compatible API on localhost, making models available to any tool that speaks the OpenAI protocol.

Why This Makes Sense for DockSec

• Docker is already a hard dependency of DockSec — users have it installed by definition
• Adds a fully air-gapped mode: scan and analyze with zero external API calls
• "Use Docker to secure Docker" is a clean story for the OWASP and Docker communities
• OpenAI-compatible API means the integration is minimal — similar to the existing Ollama provider
• Differentiates DockSec from generic security scanners

Proposed Usage

# Start a model via Docker Model Runner
docker model run ai/smollm2

# Use it in DockSec
docksec Dockerfile -i myapp:latest --provider docker-model-runner --model ai/smollm2

# Or via environment variable
LLM_PROVIDER=docker-model-runner LLM_MODEL=ai/smollm2 docksec Dockerfile -i myapp:latest

Implementation Plan

1. Add provider to utils.py get_llm()

Docker Model Runner exposes an OpenAI-compatible API, so it can use ChatOpenAI with a custom base_url:

elif provider == "docker-model-runner":
    llm = ChatOpenAI(
        model=model,
        base_url="http://localhost:12434/engines/llama.cpp/v1",
        api_key="no-key-required",
        temperature=temperature,
        request_timeout=timeout,
        max_retries=max_retries
    )
    return llm

2. Update config_manager.py

Add docker-model-runner to the valid provider list and document the default base URL.

3. Update docksec.py argparse choices

parser.add_argument(
    '--provider',
    choices=['openai', 'anthropic', 'google', 'ollama', 'docker-model-runner'],
    ...
)

4. Update setup_external_tools.py

Add a check that verifies Docker Model Runner is available:

def check_docker_model_runner():
    result = subprocess.run(
        ["docker", "model", "list"],
        capture_output=True, text=True
    )
    return result.returncode == 0

5. Update README

Add Docker Model Runner to the supported LLM providers table with setup instructions.

Requirements

• Docker Desktop 4.40+ or Docker Engine with model runner support
• No API key needed
• Model must be pulled before use: docker model pull ai/smollm2

Useful Models to Test With

Model	Command
SmolLM2	docker model pull ai/smollm2
Llama 3.2	docker model pull ai/llama3.2
Phi-3	docker model pull ai/phi3

References

• Docker Model Runner announcement
• Docker Model Runner docs
• OpenAI-compatible API spec

Acceptance Criteria

• --provider docker-model-runner works end-to-end
• Falls back gracefully if Docker Model Runner is not available with a clear error message
• README updated with setup instructions
• Unit tests added for the new provider in test_utils.py
• Works on macOS, Linux, and Windows (Docker Desktop)

[ishitatiwari1517]

Hi, I tested DockSec locally and observed that both image-only and scan-only modes still attempt to initialize the LLM, which causes failures when no API key is set.

It looks like LLM initialization is not properly gated by execution mode and is being triggered unconditionally in the pipeline. I believe this is affecting multiple modes, not just one specific case.

I’d like to work on refactoring this so that scanning modes operate independently of AI and LLM is only initialized when explicitly required.

Please let me know if this direction aligns.
pls assign this to me @advaitpatel