Docker Lint — Azure DevSecOps

Siddiquimohammad
3 min read · May 29, 2024


WHAT IS A DOCKER FILE ?

A Dockerfile is a text document containing the instructions Docker uses to build an image.

IMPACT OF A VULNERABLE DOCKERFILE

A vulnerable Dockerfile results in a vulnerable container.

Hence, it is important to make sure that only a security-compliant Dockerfile makes it to deployment.

To achieve this, take the shift-left approach, i.e. scan your Dockerfile for misconfigurations before the image is built and pushed to your registry.

DOCKER LINT IN CI/CD

  • A branch security policy triggers the Docker Lint pipeline.
  • This pipeline must succeed for the PR to be merged.
  • If the Dockerfile in the feature branch being merged into the release branch is insecurely written, the Lint pipeline flags and highlights the loopholes.
  • The pipeline fails if the lint tool finds any breaches, and so does the PR. This forces the Dockerfile to be changed until it passes the lint checks.
  • Thus, a vulnerable Dockerfile cannot make it to deployment.

Docker Lint with Hadolint and Azure DevOps

STEP 1: Create a pipeline and add your repo. Select the branch that will be used for deployment.

STEP 2: Add the Hadolint bash script.

STEP 3: Publish the lint results as a build artifact.

STEP 4: Create a branch policy that adds the Docker Lint check to CI/CD (build validation on the release branch).

Running the Pipeline and understanding the results

  • It can be seen that the pipeline failed because the Dockerfile used the ADD instruction where COPY should have been used.
  • This was detected by rule DL3020 (error): "Use COPY instead of ADD for files and folders."

NOTE: The COPY instruction only copies files from the local host machine into the container file system. The ADD instruction can additionally retrieve files from remote URLs and perform operations such as unpacking archives. ADD therefore introduces risks such as pulling unscanned, potentially malicious files from a URL and exposing the build to vulnerabilities in the unpacking step.

Vulnerable Dockerfile

FROM amd64/openjdk:15.0.1-jdk-oraclelinux8
RUN adduser --home /usr/local/runme backend -u 1001
  • The results can be downloaded from the build artifact.

Dealing with false positives / low-risk findings:

hadolint --ignore DL3003 --ignore DL3006 <Dockerfile> # exclude specific rules
  • This ignores the specified rules wherever they match your Dockerfile.
  • Make sure the finding really is a false positive, or is low risk for your microservice, before ignoring it.
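Putting STEP 1 to STEP 4 and the ignore flags together, here is one way to write the pipeline as Azure Pipelines YAML. This is an added example, not the article's own pipeline; the branch name "release", the Dockerfile path, the artifact name and the two ignored rules are assumptions.

```yaml
# azure-pipelines.yml (assumed name). Constructed example for the Docker Lint gate.
# Assumes the Dockerfile sits at the repository root and that "release" is the
# protected branch whose build-validation policy (STEP 4) points at this pipeline.
trigger:
  branches:
    include:
      - release

pool:
  vmImage: ubuntu-latest

steps:
  - checkout: self

  # STEP 2: run Hadolint from its official image, so no install step is needed.
  # set -o pipefail keeps hadolint's exit code through the tee, so any finding at
  # or above the failure threshold fails this step, the pipeline, and thus the PR.
  - bash: |
      set -o pipefail
      mkdir -p "$(Build.ArtifactStagingDirectory)/hadolint"
      docker run --rm -i hadolint/hadolint \
        hadolint --failure-threshold warning \
                 --ignore DL3003 --ignore DL3006 \
                 - < Dockerfile \
        | tee "$(Build.ArtifactStagingDirectory)/hadolint/results.txt"
    displayName: 'Docker Lint (hadolint)'

  # STEP 3: publish the results even when lint failed, so reviewers can read
  # the flagged rules (e.g. DL3020) from the build artifact.
  - task: PublishBuildArtifacts@1
    condition: succeededOrFailed()
    inputs:
      PathtoPublish: '$(Build.ArtifactStagingDirectory)/hadolint'
      ArtifactName: 'hadolint-results'
    displayName: 'Publish lint results'
```

Without `--failure-threshold` hadolint already exits non-zero on any finding; the flag is shown so the team can decide which severities block a merge.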

So this was all about Docker Lint. Please refer to the hadolint GitHub page to learn more about the tool.
