Module: github.com/iamabhishek-dubey/dockerlinter (package)
Version: 0.0.2
Repository: https://github.com/iamabhishek-dubey/dockerlinter.git
Documentation: pkg.go.dev

# README


Dockerlinter

Introduction

A simple Go tool that audits your Dockerfile against best practices and generates an HTML report. The main goal of this tool is to provide easy, fast and reliable linting of Dockerfiles.

Supported OS Distributions

The OS families currently supported are:

  • RedHat family (including CentOS)
  • Debian family (all)

Requirements

The requirements for using this tool are:

  • Golang
  • Docker (if you are running the Dockerized setup)

Parameters

Here is the list of parameters accepted by this tool.

Parameter      Supported Values   Description
--ignorecode   e.g. dl3000        Provide the rule code which you want to ignore.
--version      -                  Prints the version of dockerlinter.

How to Use

This tool is straightforward to use. Setup is split into two parts: Manual Setup and Dockerized Setup.

Manual Setup

Steps for Manual Setup

git clone https://github.com/iamabhishek-dubey/dockerlinter.git
cd dockerlinter
make get-depends
make build-code

Dockerized Setup

Steps for Dockerized Setup

make build-image
docker run -itd --name docker-linter docker-linter:latest

Running dockerlinter

After running the setup, you just need to execute the binary against a Dockerfile. For example:

dockerlinter Dockerfile

Example Reports

Reports are generated in two formats: an HTML report and a table report printed on the terminal.

  • Table Report
+-------------+--------------------------------+-----------+--------------------------------+
| LINE NUMBER |              LINE              | RULE CODE |          DESCRIPTION           |
+-------------+--------------------------------+-----------+--------------------------------+
| 1           | FROM alpine:latest             | DL3007    | Using latest is prone to       |
|             |                                |           | errors if the image will       |
|             |                                |           | ever update. Pin the version   |
|             |                                |           | explicitly to a release tag.   |
+-------------+--------------------------------+-----------+--------------------------------+
| 11          | RUN apk update && \            | DL3018    | Pin versions in apk add.       |
|             |                                |           | Instead of `apk add package`   |
|             |                                |           | use `apk add package=version`. |
+-------------+--------------------------------+-----------+--------------------------------+
| 11          | RUN apk update && \            | DL3019    | Use the `--no-cache` switch    |
|             |                                |           | to avoid the need to use       |
|             |                                |           | `--update` and remove          |
|             |                                |           | `/var/cache/apk/*` when done   |
|             |                                |           | installing packages.           |
+-------------+--------------------------------+-----------+--------------------------------+
| 3           | MAINTAINER Abhishek Dubey      | DL4000    | MAINTAINER is deprecated.      |
|             | <[email protected]>   |           |                                |
+-------------+--------------------------------+-----------+--------------------------------+
  • HTML Report

Rules

For the rules, we have taken hadolint as the reference. Here is the list of rules which we are implementing:

Rule     Description
DL3000   Use absolute WORKDIR.
DL3001   For some bash commands it makes no sense running them in a Docker container, like ssh, vim, shutdown, service, ps, free, top, kill, mount, ifconfig.
DL3002   Last user should not be root.
DL3003   Use WORKDIR to switch to a directory.
DL3004   Do not use sudo as it leads to unpredictable behavior. Use a tool like gosu to enforce root.
DL3005   Do not use apt-get upgrade or dist-upgrade.
DL3006   Always tag the version of an image explicitly.
DL3007   Using latest is prone to errors if the image will ever update. Pin the version explicitly to a release tag.
DL3008   Pin versions in apt-get install.
DL3009   Delete the apt-get lists after installing something.
DL3010   Use ADD for extracting archives into an image.
DL3011   Valid UNIX ports range from 0 to 65535.
DL3012   Provide an email address or URL as maintainer.
DL3013   Pin versions in pip.
DL3014   Use the -y switch.
DL3015   Avoid additional packages by specifying --no-install-recommends.
DL3016   Pin versions in npm.
DL3017   Do not use apk upgrade.
DL3018   Pin versions in apk add. Instead of apk add <package> use apk add <package>=<version>.
DL3019   Use the --no-cache switch to avoid the need to use --update and remove /var/cache/apk/* when done installing packages.
DL3020   Use COPY instead of ADD for files and folders.
DL3021   COPY with more than 2 arguments requires the last argument to end with /.
DL3022   COPY --from should reference a previously defined FROM alias.
DL3023   COPY --from cannot reference its own FROM alias.
DL3024   FROM aliases (stage names) must be unique.
DL3025   Use JSON notation for CMD and ENTRYPOINT arguments.
DL3026   Use only an allowed registry in the FROM image.
DL4000   MAINTAINER is deprecated.
DL4001   Either use Wget or Curl but not both.
DL4003   Multiple CMD instructions found.
DL4004   Multiple ENTRYPOINT instructions found.
DL4005   Use SHELL to change the default shell.
DL4006   Set the SHELL option -o pipefail before RUN with a pipe in it.
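As an added illustration, not code from the dockerlinter project, here is a minimal Go version of what the Parameters and Rules sections describe: it implements DL3007, DL3018 and DL4000 from the list above, joins backslash-continued lines so a hit is reported at the instruction's first line exactly as in the table report, and honours an --ignorecode-style set of suppressed codes. The sample Dockerfile, the Finding type and the Lint signature are assumptions of this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample, not the page's Dockerfile: lines 1, 2 and 3 violate DL3007, DL4000 and DL3018.
const sample = `FROM alpine:latest
MAINTAINER Example Maintainer <maintainer@example.invalid>
RUN apk update && \
    apk add curl`

// Finding is one rule hit: the 1-based line the instruction starts on, plus the rule code and description.
type Finding struct{ Line int; Code, Desc string }

// Three of the rules listed above as patterns over a whole instruction. DL3018 matches an apk add argument that is neither a flag nor pinned with =version, stopping at the next &&, ; or ||.
var rules = []struct{ code, desc string; re *regexp.Regexp }{
	{"DL3007", "Using latest is prone to errors if the image will ever update. Pin the version explicitly to a release tag.",
		regexp.MustCompile(`(?i)^FROM\s+(--\S+\s+)*\S+:latest(\s|$)`)},
	{"DL3018", "Pin versions in apk add. Instead of apk add <package> use apk add <package>=<version>.",
		regexp.MustCompile(`(?i)^RUN\b.*\bapk add(\s+-\S+|\s+[^=\s]+=\S+)*\s+[^\-=\s&;|][^=\s]*(\s|$)`)},
	{"DL4000", "MAINTAINER is deprecated.", regexp.MustCompile(`(?i)^MAINTAINER\s`)},
}

// Lint joins backslash-continued lines into one instruction (reported at its first line, as in the table report above), runs every rule and skips the upper-case codes present in ignore, which is what --ignorecode would populate.
func Lint(dockerfile string, ignore map[string]bool) []Finding {
	var out []Finding
	lines := strings.Split(dockerfile, "\n")
	for i := 0; i < len(lines); i++ {
		start, instr := i+1, strings.TrimSpace(lines[i])
		for strings.HasSuffix(instr, "\\") && i+1 < len(lines) { // join continuation lines
			i++
			instr = strings.TrimSuffix(instr, "\\") + " " + strings.TrimSpace(lines[i])
		}
		for _, r := range rules {
			if r.re.MatchString(instr) && !ignore[r.code] {
				out = append(out, Finding{start, r.code, r.desc})
			}
		}
	}
	return out
}

func main() { // stand-alone run: print the sample's findings, one per line
	for _, f := range Lint(sample, nil) {
		fmt.Println(f.Line, f.Code, f.Desc)
	}
}
```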

Todo

  • Remove temporary files
  • Publish table output on terminal
  • Add more linting rules
