{"id":26719342,"url":"https://github.com/erzz/dockle-action","last_synced_at":"2025-04-14T04:07:07.151Z","repository":{"id":40409180,"uuid":"359233478","full_name":"erzz/dockle-action","owner":"erzz","description":"Github Action to run Dockle and report in workflows, pipeline and PR's","archived":false,"fork":false,"pushed_at":"2024-02-21T07:15:51.000Z","size":57,"stargazers_count":14,"open_issues_count":1,"forks_count":3,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-04-06T02:17:17.068Z","etag":null,"topics":["action","best-practice","container","docker","dockle","github-action","lint","security"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/erzz.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-04-18T19:21:58.000Z","updated_at":"2025-03-15T23:21:13.000Z","dependencies_parsed_at":"2024-06-21T16:35:31.638Z","dependency_job_id":"7871f56d-1b19-417f-98dd-4d12056954c4","html_url":"https://github.com/erzz/dockle-action","commit_stats":null,"previous_names":[],"tags_count":9,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/erzz%2Fdockle-action","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/erzz%2Fdockle-action/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/erzz%2Fdockle-action/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/erzz%2Fdockle-action/manifests","owner_url
":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/erzz","download_url":"https://codeload.github.com/erzz/dockle-action/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248819399,"owners_count":21166477,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["action","best-practice","container","docker","dockle","github-action","lint","security"],"created_at":"2025-03-27T17:58:59.526Z","updated_at":"2025-04-14T04:07:07.124Z","avatar_url":"https://github.com/erzz.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# dockle-action\nGithub Action to run Dockle and report in workflows, pipeline and PR's\n\n\n## Purpose\n\nThis action executes the excellent [Dockle](https://github.com/goodwithtech/dockle) linter for containers that will run numerous checks on an image for Best Practices and against CIS benchmarks.\n\nThe action will generate a report file of either JSON or SARIF format for upload to Github or downloading locally. It also produces the report in the stdout of the job's log.\n\nYou can set your own threshold for when to fail the job and decide whether a failure should \"break the build.\"\n\n## Available Inputs\n\n| Input               | Default             | Details                                                                                           |\n|---------------------|---------------------|---------------------------------------------------------------------------------------------------|\n| `image`             | none - mandatory!   
| The image you wish to scan, e.g. `alpine:latest` or `myownregistry.com/my-team/my-image:latest`   |\n| `report-format`     | json                | The format to generate a report in. Either `json` or `sarif`                                      |\n| `report-name`       | dockle-report       | The name of the report (without a file extension, as that's added automatically by report-format) |\n| `failure-threshold` | warn                | Threshold for findings to trigger a failure of the job. Options are `INFO`, `WARN`, or `FATAL`    |\n| `exit-code`         | 1                   | Change to `0` if you don't wish to \"break the build\" on findings                                  |\n| `dockle-version`    | latest              | Specify a version of Dockle to use in the format `1.2.3`, otherwise it uses the latest version    |\n| `accept-key`        | \"\"                  | Comma separated list of acceptable keywords for credential checks, e.g. `GPG_KEY,KEYCLOAK_VERSION` |\n| `accept-file`       | \"\"                  | Comma separated list of acceptable file names for credential checks, e.g. `id_rsa,id_dsa`         |\n| `accept-extension`  | \"\"                  | Comma separated list of acceptable file extensions for credential checks, e.g. `pem,log`          |\n| `timeout`           | \"10m\"               | Time allowed for the image to be pulled from the registry, e.g. `5s`, `5m`...                     |\n| `token`             | ${{ github.token }} | Token used to call the GitHub API and retrieve the latest Dockle version                          |\n\n\n## Potential Artifacts\n\n### dockle-report.json\n\nThe default output of this job is the JSON format of the report, which is often useful for further parsing and manipulation. 
To upload this report to your Workflow Summary you would add the following step after the scan:\n\n```yaml\n- name: Upload Report\n  uses: actions/upload-artifact@v3\n  # Upload the report even when the scan step failed the job\n  if: always()\n  with:\n    name: Dockle Report\n    path: dockle-report.json\n```\n\n### dockle-report.sarif\n\nIf you change `report-format` to `sarif` then the report is produced in a format compatible with [GitHub Advanced Security](https://docs.github.com/en/get-started/learning-about-github/about-github-advanced-security) for integration with the UI. To upload findings to GHAS you would add the following step after the scan:\n\n```yaml\n- name: Upload SARIF file\n  uses: github/codeql-action/upload-sarif@v2\n  with:\n    # Path to SARIF file relative to the root of the repository\n    sarif_file: dockle-report.sarif\n```\n\n## Example usages\n\n### Default settings against a public image\n\nThe simplest usage, with all default settings, performs a scan; the job fails on findings of severity WARN but would not break your build.\n\n```yaml\njobs:\n  dockle:\n    name: Dockle Container Analysis\n    runs-on: ubuntu-latest\n    steps:\n      - name: Run Dockle\n        uses: erzz/dockle-action@v1\n        with:\n          image: alpine:latest\n```\n\n### Using a .dockleignore file\n\nIn this example you also want to add a [.dockleignore](https://github.com/goodwithtech/dockle#ignore-the-specified-checkpoints) file to whitelist certain findings whilst breaking the build for any finding of severity `FATAL`.\n\nThe important thing to note here is that you must check out your code in a preceding step in order for your `.dockleignore` file to be available.\n\n```yaml\njobs:\n  dockle:\n    name: Dockle Container Analysis\n    runs-on: ubuntu-latest\n    steps:\n      # Makes sure your .dockleignore file is available to the next step\n      - name: Checkout\n        uses: actions/checkout@v3\n\n      - name: Run Dockle\n        uses: erzz/dockle-action@v1\n        with:\n          image: 
alpine:latest\n          exit-code: 1\n          failure-threshold: fatal\n```\n\n### Advanced usage and private registries\n\nIn this more complex example we try to use all inputs and upload the resulting SARIF file to GHAS. It includes a rule to ignore `.pem` files in the credential checks and renames the report.\n\nThe example also uses an image from a private registry, so a preceding step authenticates with the registry before the scan tries to pull it. The step you use will depend on your registry; in this case it's GCR.\n\n```yaml\njobs:\n  dockle:\n    name: Dockle Container Analysis\n    runs-on: ubuntu-latest\n    steps:\n      # Makes sure your .dockleignore file is available to the next step\n      - name: Checkout\n        uses: actions/checkout@v3\n\n      # Here you might use a docker login action, or something else\n      - name: Authenticate to GCP\n        uses: google-github-actions/auth@v0\n        with:\n          credentials_json: ${{ secrets.SA_JSON_KEY }}\n\n      - name: Run Dockle\n        uses: erzz/dockle-action@v1\n        with:\n          image: eu.gcr.io/my-project/my-image:v1.2.3\n          report-format: sarif\n          report-name: dockle-results\n          failure-threshold: fatal\n          exit-code: 1\n          dockle-version: 0.4.11\n          accept-extension: pem\n\n      - name: Upload SARIF file\n        uses: github/codeql-action/upload-sarif@v2\n        with:\n          # Must match report-name above, plus the .sarif extension added by report-format\n          sarif_file: dockle-results.sarif\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ferzz%2Fdockle-action","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ferzz%2Fdockle-action","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ferzz%2Fdockle-action/lists"}