The One Thing You Should Do After Building a Best-Practice Docker Image (in 3 minutes)
Overview
Today many companies are using Docker. This article is for anyone who has written, or is writing, best-practice Dockerfiles.
I created a tool that analyzes your Dockerfile by inspecting the built image, in about 3 minutes.
Dockle checks deeply (file permissions, credential files, and so on), so Dockle is the best tool for checking the important rules, especially for security.
(I’m also the main committer of Vuls and Trivy, which are well-known vulnerability scanners.)
It’s NOT a Dockerfile linter (like hadolint).
It can also check security risks in the container’s base image, which a Dockerfile linter can never do.
OK, Let’s start!
How to use
Homebrew (Mac / Linux)
Linux
Windows
via Docker
You only need -v /var/run/docker.sock:/var/run/docker.sock when you want to scan an image that is on your host machine.
Results
This tool checks the CIS Benchmarks and Best practices for writing Dockerfiles.
When it finds problems, Dockle shows short messages with suggestions for improvement.
You can look up the details by searching for the checkpoint codes (CIS-DI-0001, ...) in the README.
Don’t worry if your image doesn’t pass every checkpoint; the result is just one indicator.
Sometimes you have to run as root.
Sometimes a CLI tool doesn’t need a HEALTHCHECK.
Sometimes you use the ADD statement because you want to add tar files.
This is a reminder to make sure that you really want to do so.
You can specify rules to ignore with the --ignore, -i option, or by creating a .dockleignore file.
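As an added example (it is not from the original post or from the Dockle project), here are two constructed Dockerfiles shown back to back: a weak one that contains the kinds of issues described above, and a hardened counterpart. The file names, paths, the app user and the /opt/app application are assumptions made up for illustration.

```dockerfile
# ---- Dockerfile.weak (constructed example): the kind of image that gets flagged ----
FROM alpine:3.19
# A credential file baked into a layer stays in the image history forever
COPY id_rsa /root/.ssh/id_rsa
# ADD silently extracts archives and can fetch URLs; the intent is unclear to a reviewer
ADD app.tar.gz /opt/app/
# No USER instruction: the process runs as root
# No HEALTHCHECK: the orchestrator cannot tell a hung process from a healthy one
CMD ["/opt/app/server"]

# ---- Dockerfile.hardened (constructed example): same app, issues addressed ----
FROM alpine:3.19
# Create an unprivileged user and group for the service (names are assumed)
RUN addgroup -S app && adduser -S -G app app
# Drop setuid/setgid bits that the base image does not need the service to have
RUN find / -xdev -perm /6000 -type f -exec chmod a-s {} + 2>/dev/null || true
# COPY for plain files; ADD only when you deliberately want tar extraction
COPY --chown=app:app app/ /opt/app/
# No secrets in layers: provide them at run time (mounted file or environment)
USER app
# Let the runtime detect an unhealthy container (health endpoint is assumed)
HEALTHCHECK --interval=30s --timeout=3s \
  CMD wget -qO- http://127.0.0.1:8080/health || exit 1
CMD ["/opt/app/server"]
```

If a container genuinely needs root, keep it that way and pass the relevant checkpoint code to --ignore (or list it in .dockleignore), so the report records a deliberate decision rather than an oversight.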
Then run it again.
Closing
Dockle is NOT a Dockerfile Linter, but a Docker Image Linter.
Dockle checks deeply (file permissions, credential files, and so on), so Dockle can check more of the important rules than other tools, especially for security. (I’m also the main committer of Vuls and Trivy, which are well-known vulnerability scanners.)
Dockle can also analyze an image passed in via stdin, so you can use it in many places.
I hope you like it and star it!!
Thanks!!