{"id":18657626,"url":"https://github.com/cr0hn/dockerfile-security","last_synced_at":"2025-08-20T23:32:32.563Z","repository":{"id":49894857,"uuid":"235979756","full_name":"cr0hn/dockerfile-security","owner":"cr0hn","description":"Static security checker for Dockerfiles","archived":false,"fork":false,"pushed_at":"2024-03-20T14:29:51.000Z","size":45,"stargazers_count":93,"open_issues_count":0,"forks_count":11,"subscribers_count":4,"default_branch":"master","last_synced_at":"2024-12-07T19:37:25.849Z","etag":null,"topics":["devops","devsecops","docker","security","static-analyzer"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cr0hn.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-01-24T10:12:58.000Z","updated_at":"2024-12-04T08:51:47.000Z","dependencies_parsed_at":"2024-11-07T07:42:30.645Z","dependency_job_id":null,"html_url":"https://github.com/cr0hn/dockerfile-security","commit_stats":{"total_commits":8,"total_committers":1,"mean_commits":8.0,"dds":0.0,"last_synced_commit":"4e2a0be470766629af713987befc6c26e2cb0da9"},"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cr0hn%2Fdockerfile-security","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cr0hn%2Fdockerfile-security/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cr0hn%2Fdockerfile-security/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cr0hn%2Fdockerfile-security/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cr0hn","download_url":"https://codeload.github.com/cr0hn/dockerfile-security/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":230471175,"owners_count":18231193,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["devops","devsecops","docker","security","static-analyzer"],"created_at":"2024-11-07T07:29:16.091Z","updated_at":"2024-12-19T17:08:23.428Z","avatar_url":"https://github.com/cr0hn.png","language":"Python","readme":"# Dockerfile-sec\n\nDockerfile-sec is a simple but powerful rules-based checker for Dockerfiles.\n\n## Install\n\n```bash\n\u003e pip install dockerfile-sec \n```\n\n## Quick start\n\nAnalyze a Dockerfile\n\n```bash\n\u003e dockerfile-sec examples/Dockerfile-example\n+----------+-------------------------------------------+----------+\n| Rule Id  | Description                               | Severity |\n+----------+-------------------------------------------+----------+\n| core-002 | Missing USER sentence in dockerfile       | Medium   |\n| core-003 | Posible text plain password in dockerfile | High     |\n| core-005 | Recursive copy found                      | Medium   |\n| core-006 | Use of COPY instead of ADD                | Low      |\n| core-007 | Use image tag instead of SHA256 hash      | Medium   |\n| cred-001 | Generic credential                        | Medium   |\n+----------+-------------------------------------------+----------+  \n```\n\n## Using docker\n\n```bash\n\u003e cat Dockerfile | docker run --rm -t cr0hn/dockerfile-sec  \n```\n\n    IMPORTANT: By using docker you can pass a rules file or a docker file as paramenter. You need to use a pipe or mount a volume\n\n## Usage\n\n### With remote rules\n\n```bash\n\u003e dockerfile-sec -r http://127.0.0.1:9999/rules/credentials.yaml Dockerfile \n```\n\n### With built-in rules\n\n**All rules**\n\nAll rules are enabled by default:\n\n```bash\n\u003e dockerfile-sec Dockerfile\n```\n\n**Core rules only**\n\nhttps://github.com/cr0hn/dockerfile-security/blob/master/dockerfile_sec/rules/core.yaml\n\n```bash\n\u003e dockerfile-sec -R core Dockerfile\n```\n\n**Credentials rules only**\n\nhttps://github.com/cr0hn/dockerfile-security/blob/master/dockerfile_sec/rules/credentials.yaml\n\n```bash\n\u003e dockerfile-sec -R credentials Dockerfile\n```\n\n**Disabling built-in rules**\n\n```bash\n\u003e dockerfile-sec -R none Dockerfile\n```\n\n### With user defined rules\n\n```bash\n\u003e dockerfile-sec -r my-rules.yaml Dockerfile\n```\n\n### Export results as json\n\n```bash\n\u003e dockerfile-sec -o results.json Dockerfile \n```\n\n### Quiet mode\n\nNot writing anything in the console:\n\n```bash\n\u003e dockerfile-sec -q -o results.json Dockerfile \n```\n\n\n### Filtering false positives\n\n**By ignore file**\n\nDockerfile-sec allows to ignore rules by using a file that contains the rules you want to ignore.\n\n```bash\n\u003e dockerfile-sec -F ignore-rules.text Dockerfile \n```\n\nIgnore file format contains the *IDs* of rules you want to ignore. **one ID per line**. Example:\n\n```bash\n\u003e ls ignore-rules.text\ncore-001\ncore-007\n```\n\n**By using the cli**\n\nYou also can use cli to ignore specific *IDs*:\n\n```bash\n\u003e dockerfile-sec -i core-001,core007 Dockerfile \n```\n\n## Using as a pipeline\n\nYou also can use dockerfile-sec as UNIX pipeline.\n\nLoading Dockerfile from stdin:\n\n```bash\n\u003e cat Dockerfile | dockerfile-sec -i core-001,core007 \n```\n\nExposing results via pipe:\n\n```bash\n\u003e cat Dockerfile | dockerfile-sec -i core-001,core007 | jq \n```\n\n## Output formats\n\n### JSON Output format\n\n```json\n\n[\n  {\n    \"description\": \"Missing USER sentence in dockerfile\",\n    \"id\": \"core-002\",\n    \"reference\": \"https://snyk.io/blog/10-docker-image-security-best-practices/\",\n    \"severity\": \"Medium\"\n  }\n]\n\n```\n\n## References\n\n- https://snyk.io/blog/10-docker-image-security-best-practices/\n- https://medium.com/microscaling-systems/dockerfile-security-tuneup-166f1cdafea1\n- https://medium.com/@tariq.m.islam/container-deployments-a-lesson-in-deterministic-ops-a4a467b14a03\n- https://spacelift.io/blog/docker-security\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcr0hn%2Fdockerfile-security","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcr0hn%2Fdockerfile-security","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcr0hn%2Fdockerfile-security/lists"}