{"id":13451524,"url":"https://github.com/goodwithtech/dockle","last_synced_at":"2025-05-14T11:12:02.019Z","repository":{"id":34945141,"uuid":"188247623","full_name":"goodwithtech/dockle","owner":"goodwithtech","description":"Container Image Linter for Security, Helping build the Best-Practice Docker Image, Easy to start","archived":false,"fork":false,"pushed_at":"2025-01-06T06:53:22.000Z","size":6434,"stargazers_count":2889,"open_issues_count":35,"forks_count":144,"subscribers_count":22,"default_branch":"master","last_synced_at":"2025-05-06T06:28:02.219Z","etag":null,"topics":["containers","docker","go","golang","kubernetes","linter","security","security-audit","security-tools","vulnerability"],"latest_commit_sha":null,"homepage":"https://containers.goodwith.tech/","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/goodwithtech.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2019-05-23T14:14:05.000Z","updated_at":"2025-05-05T13:04:58.000Z","dependencies_parsed_at":"2023-11-07T17:09:06.803Z","dependency_job_id":"212a9628-2a42-4408-8bfc-3d83ed5ee098","html_url":"https://github.com/goodwithtech/dockle","commit_stats":{"total_commits":226,"total_committers":34,"mean_commits":6.647058823529412,"dds":"0.19469026548672563","last_synced_commit":"35c54468428cc686537854e9cb72cebf80e72b24"},"previous_names":["goodwithtech/docker-guard"],"tags_count":78,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/goodwithtech%2Fdockle","tags_url":"http
s://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/goodwithtech%2Fdockle/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/goodwithtech%2Fdockle/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/goodwithtech%2Fdockle/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/goodwithtech","download_url":"https://codeload.github.com/goodwithtech/dockle/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253124242,"owners_count":21857614,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["containers","docker","go","golang","kubernetes","linter","security","security-audit","security-tools","vulnerability"],"created_at":"2024-07-31T07:00:55.212Z","updated_at":"2025-05-14T11:11:57.008Z","avatar_url":"https://github.com/goodwithtech.png","language":"Go","readme":"\u003cimg src=\"imgs/logo.png\" width=\"450\"\u003e\n\n[![Financial Contributors on Open Collective](https://opencollective.com/dockle/all/badge.svg?label=financial+contributors)](https://opencollective.com/dockle) [![GitHub release](https://img.shields.io/github/release/goodwithtech/dockle.svg)](https://github.com/goodwithtech/dockle/releases/latest)\n[![CircleCI](https://circleci.com/gh/goodwithtech/dockle.svg?style=svg)](https://circleci.com/gh/goodwithtech/dockle)\n[![Go Report Card](https://goreportcard.com/badge/github.com/goodwithtech/dockle)](https://goreportcard.com/report/github.com/goodwithtech/dockle)\n[![License: AGPL 
v3](https://img.shields.io/badge/License-AGPL%20v3-blue.svg)](https://www.gnu.org/licenses/agpl-3.0)\n\n\u003e Dockle - Container Image Linter for Security, Helping build the Best-Practice Docker Image, Easy to start\n\n`Dockle` helps you:\n\n1. Build [Best Practice](https://docs.docker.com/develop/develop-images/dockerfile_best-practices/) Docker images\n2. Build secure Docker images\n    - Checkpoints includes [CIS Benchmarks](https://www.cisecurity.org/cis-benchmarks/)\n\n```bash\n$ brew untap goodwithtech/dockle # who use 0.1.16 or older version\n$ brew install goodwithtech/r/dockle\n$ dockle [YOUR_IMAGE_NAME]\n```\nSee [Installation](#installation) and [Common Examples](#common-examples)\n\n\u003cimg src=\"imgs/dockle.png\" width=\"800\"\u003e\n\n# Checkpoints Comparison\n\n\u003cimg src=\"imgs/cis-benchmark-comparison.png\" width=\"800\"\u003e\n\u003cimg src=\"imgs/original-checkpoint-comparison.png\" width=\"800\"\u003e\n\n# TOC\n\n- [Features](#features)\n- [Comparison](#comparison)\n- [Installation](#installation)\n  - [Homebrew (Mac OS X / Linux and WSL)](#homebrew-mac-os-x--linux-and-wsl)\n  - [RHEL/CentOS](#rhelcentos)\n  - [Debian/Ubuntu](#debianubuntu)\n  - [Arch Linux](#arch-linux)\n  - [Windows](#windows)\n  - [Microsoft PowerShell 7](#microsoft-powershell-7)\n  - [Binary](#binary)\n  - [asdf](#asdf)\n  - [From source](#from-source)\n  - [Use Docker](#use-docker)\n- [Quick Start](#quick-start)\n  - [Basic](#basic)\n  - [Docker](#docker)\n- [Checkpoint Summary](#checkpoint-summary)\n- [Common Examples](#common-examples)\n  - [Scan an image](#scan-an-image)\n  - [Scan an image file](#scan-an-image-file)\n  - [Get or Save the results as JSON](#get-or-save-the-results-as-json)\n  - [Specify exit code](#specify-exit-code)\n  - [Specify exit level](#specify-exit-level)\n  - [Ignore the specified checkpoints](#ignore-the-specified-checkpoints)\n- [Continuous Integration](#continuous-integration-ci)\n  - [GitHub Action](#github-action)\n  - [Travis 
CI](#travis-ci)\n  - [CircleCI](#circleci)\n  - [GitLab CI](#gitlab-ci)\n  - [Authorization for Private Docker Registry](#authorization-for-private-docker-registry) \n- [Checkpoint Details](CHECKPOINT.md)\n  - CIS's Docker Image Checkpoints\n  - Dockle Checkpoints for Docker\n  - Dockle Checkpoints for Linux\n- [Credits](#credits)\n- [Roadmap](#roadmap)\n\n# Features\n\n- Detect container's vulnerabilities\n- Helping build best-practice Dockerfile\n- Simple usage\n  - Specify only the image name\n  - See [Quick Start](#quick-start) and [Common Examples](#common-examples)\n- CIS Benchmarks Support\n  - High accuracy\n- DevSecOps\n  - Suitable for CI such as Travis CI, CircleCI, Jenkins, etc.\n  - See [CI Example](#continuous-integration-ci)\n\n# Comparison\n\n|  | [Dockle](https://github.com/goodwithtech/dockle) | [Hadolint](https://github.com/hadolint/hadolint) | [Docker Bench for Security](https://github.com/docker/docker-bench-security) | [Clair](https://github.com/coreos/clair) |\n|--- |---:|---:|---:|---:|\n| Target |  Image | Dockerfile | Host\u003cbr/\u003eDocker Daemon\u003cbr/\u003eImage\u003cbr/\u003eContainer Runtime | Image |\n| How to run | Binary | Binary | ShellScript | Binary |\n| Dependency | No | No | Some dependencies | No |\n| CI Suitable | ✓ | ✓ | x | x | \n| Purpose |Security Audit\u003cbr/\u003eDockerfile Lint| Dockerfile Lint | Security Audit\u003cbr/\u003eDockerfile Lint | Scan Vulnerabilities |\n\n# Installation\n\n## Homebrew (Mac OS X / Linux and WSL)\n\nYou can use Homebrew on [Mac OS X](https://brew.sh/) or [Linux and WSL (Windows Subsystem for Linux)](https://docs.brew.sh/Homebrew-on-Linux).\n\n```bash\n$ brew install goodwithtech/r/dockle\n```\n\n## RHEL/CentOS\n\n```bash\nVERSION=$(\n curl --silent \"https://api.github.com/repos/goodwithtech/dockle/releases/latest\" | \\\n grep '\"tag_name\":' | \\\n sed -E 's/.*\"v([^\"]+)\".*/\\1/' \\\n) \u0026\u0026 rpm -ivh 
https://github.com/goodwithtech/dockle/releases/download/v${VERSION}/dockle_${VERSION}_Linux-64bit.rpm\n```\n\n## Debian/Ubuntu\n\n```bash\nVERSION=$(\n curl --silent \"https://api.github.com/repos/goodwithtech/dockle/releases/latest\" | \\\n grep '\"tag_name\":' | \\\n sed -E 's/.*\"v([^\"]+)\".*/\\1/' \\\n) \u0026\u0026 curl -L -o dockle.deb https://github.com/goodwithtech/dockle/releases/download/v${VERSION}/dockle_${VERSION}_Linux-64bit.deb\n$ sudo dpkg -i dockle.deb \u0026\u0026 rm dockle.deb\n```\n## Arch Linux\ndockle can be installed from the Arch User Repository using the `dockle` or `dockle-bin` package.\n```bash\ngit clone https://aur.archlinux.org/dockle-bin.git\ncd dockle-bin\nmakepkg -sri\n```\n## Windows\n\n```bash\nVERSION=$(\n curl --silent \"https://api.github.com/repos/goodwithtech/dockle/releases/latest\" | \\\n grep '\"tag_name\":' | \\\n sed -E 's/.*\"v([^\"]+)\".*/\\1/' \\\n) \u0026\u0026 curl -L -o dockle.zip https://github.com/goodwithtech/dockle/releases/download/v${VERSION}/dockle_${VERSION}_Windows-64bit.zip\n$ unzip dockle.zip \u0026\u0026 rm dockle.zip\n$ ./dockle.exe [IMAGE_NAME]\n```\n## Microsoft PowerShell 7\n```powershell\nif (((Invoke-WebRequest \"https://api.github.com/repos/goodwithtech/dockle/releases/latest\").Content) -match '\"tag_name\":\"v(?\u003cver\u003e[^\"]+)\"') {\n$VERSION=$Matches.ver \u0026\u0026\nInvoke-WebRequest \"https://github.com/goodwithtech/dockle/releases/download/v${VERSION}/dockle_${VERSION}_Windows-64bit.zip\" -OutFile dockle.zip \u0026\u0026\nExpand-Archive dockle.zip \u0026\u0026 Remove-Item dockle.zip }\n```\n## Binary\n\nYou can get the latest version binary from the [releases page](https://github.com/goodwithtech/dockle/releases/latest).\n\nDownload the archive file for your operating system/architecture. Unpack the archive, and put the binary somewhere in your `$PATH` (on UNIX-y systems, `/usr/local/bin` or the like).\n\n- NOTE: Make sure its execution bit is turned on. 
(`chmod +x dockle`)\n\n## asdf\n\nYou can install dockle with the [asdf version manager](https://asdf-vm.com/) with this [plugin](https://github.com/mathew-fleisch/asdf-dockle), which automates the process of installing (and switching between) various versions of github release binaries. With asdf already installed, run these commands to install dockle:\n\n```bash\n# Add dockle plugin\nasdf plugin add dockle\n\n# Show all installable versions\nasdf list-all dockle\n\n# Install specific version\nasdf install dockle latest\n\n# Set a version globally (on your ~/.tool-versions file)\nasdf global dockle latest\n\n# Now dockle commands are available\ndockle --version\n```\n\n## From source\n\n```bash\n$ GO111MODULE=off go get github.com/goodwithtech/dockle/cmd/dockle\n$ cd $GOPATH/src/github.com/goodwithtech/dockle \u0026\u0026 GO111MODULE=on go build -o $GOPATH/bin/dockle cmd/dockle/main.go\n```\n\n## Use Docker\n\nThere's a [`Dockle` image on Docker Hub](https://hub.docker.com/r/goodwithtech/dockle) also. 
You can try `dockle` before installing the command.\n\n```\n$ VERSION=$(\n curl --silent \"https://api.github.com/repos/goodwithtech/dockle/releases/latest\" | \\\n grep '\"tag_name\":' | \\\n sed -E 's/.*\"v([^\"]+)\".*/\\1/' \\\n) \u0026\u0026 docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \\\n  goodwithtech/dockle:v${VERSION} [YOUR_IMAGE_NAME]\n```\n\nYou only need `-v /var/run/docker.sock:/var/run/docker.sock` when you'd like to scan the image on your host machine.\n\n# Quick Start\n\n## Basic\n\nSimply specify an image name (and a tag).\n\n```bash\n$ dockle [YOUR_IMAGE_NAME]\n```\n\n\u003cdetails\u003e\n\u003csummary\u003eResult\u003c/summary\u003e\n\n```\nFATAL   - CIS-DI-0009: Use COPY instead of ADD in Dockerfile\n        * Use COPY : /bin/sh -c #(nop) ADD file:81c0a803075715d1a6b4f75a29f8a01b21cc170cfc1bff6702317d1be2fe71a3 in /app/credentials.json\nFATAL   - CIS-DI-0010: Do not store credential in ENVIRONMENT vars/files\n        * Suspicious filename found : app/credentials.json\nFATAL   - DKL-DI-0005: Clear apt-get caches\n        * Use 'rm -rf /var/lib/apt/lists' after 'apt-get install' : /bin/sh -c apt-get update \u0026\u0026 apt-get install -y git\nFATAL   - DKL-LI-0001: Avoid empty password\n        * No password user found! 
username : nopasswd\nWARN    - CIS-DI-0001: Create a user for the container\n        * Last user should not be root\nINFO    - CIS-DI-0005: Enable Content trust for Docker\n        * export DOCKER_CONTENT_TRUST=1 before docker pull/build\nINFO    - CIS-DI-0008: Confirm safety of setuid/setgid files\n        * setuid file: app/suid.txt urw-r--r--\n        * setgid file: app/gid.txt grw-r--r--\n        * setuid file: usr/bin/gpasswd urwxr-xr-x\n        * setgid file: usr/bin/wall grwxr-xr-x\n        * setuid file: bin/su urwxr-xr-x\n        * setuid file: bin/umount urwxr-xr-x\n        * setuid file: bin/mount urwxr-xr-x\n        * setgid file: usr/bin/ssh-agent grwxr-xr-x\n        * setuid file: etc/shadow urw-r-----\n        * setuid file: usr/bin/chsh urwxr-xr-x\n        * setuid file: usr/bin/chfn urwxr-xr-x\n        * setuid file: usr/lib/openssh/ssh-keysign urwxr-xr-x\n        * setgid file: etc/passwd grw-r--r--\n        * setgid file: sbin/unix_chkpwd grwxr-xr-x\n        * setgid file: usr/bin/chage grwxr-xr-x\n        * setuid file: usr/bin/passwd urwxr-xr-x\n        * setgid file: usr/bin/expiry grwxr-xr-x\n        * setuid file: usr/bin/newgrp urwxr-xr-x\nIGNORE  - CIS-DI-0006: Add HEALTHCHECK instruction to the container image\n\n```\n\n\u003c/details\u003e\n\n## Docker\n\nAlso, you can use Docker to run the `dockle` command as follows.\n\n```bash\n$ export DOCKLE_LATEST=$(\n curl --silent \"https://api.github.com/repos/goodwithtech/dockle/releases/latest\" | \\\n grep '\"tag_name\":' | \\\n sed -E 's/.*\"v([^\"]+)\".*/\\1/' \\\n)\n$ docker run --rm goodwithtech/dockle:v${DOCKLE_LATEST} [YOUR_IMAGE_NAME]\n```\n\n- If you'd like to scan the image on your host machine, you need to mount `docker.sock`.\n\n    ```bash\n    $ docker run --rm -v /var/run/docker.sock:/var/run/docker.sock ...\n    ```\n\n# Checkpoint Summary\n\n- For details of each checkpoint, see [CHECKPOINT.md](CHECKPOINT.md)\n\n| CODE | DESCRIPTION | LEVEL[※](#level) |\n|---|---|:---:|\n| | [CIS's 
Docker Image Checkpoints](CHECKPOINT.md#docker-image-checkpoints) | |\n| [CIS-DI-0001](CHECKPOINT.md#cis-di-0001) | Create a user for the container | WARN |\n| [CIS-DI-0002](CHECKPOINT.md#cis-di-0002) | Use trusted base images for containers | FATAL\n| [CIS-DI-0003](CHECKPOINT.md#cis-di-0003) | Do not install unnecessary packages in the container | FATAL\n| [CIS-DI-0004](CHECKPOINT.md#cis-di-0004) | Scan and rebuild the images to include security patches | FATAL\n| [CIS-DI-0005](CHECKPOINT.md#cis-di-0005) | Enable Content trust for Docker | INFO\n| [CIS-DI-0006](CHECKPOINT.md#cis-di-0006) | Add `HEALTHCHECK` instruction to the container image | INFO\n| [CIS-DI-0007](CHECKPOINT.md#cis-di-0007) | Do not use `update` instructions alone in the Dockerfile | FATAL\n| [CIS-DI-0008](CHECKPOINT.md#cis-di-0008) | Confirm safety of `setuid` and `setgid` files | INFO\n| [CIS-DI-0009](CHECKPOINT.md#cis-di-0009) | Use `COPY` instead of `ADD` in Dockerfile | FATAL\n| [CIS-DI-0010](CHECKPOINT.md#cis-di-0010) | Do not store secrets in Dockerfiles | FATAL\n| [CIS-DI-0011](CHECKPOINT.md#cis-di-0011) | Install verified packages only | INFO\n|| [Dockle Checkpoints for Docker](CHECKPOINT.md#dockle-checkpoints-for-docker) |\n| [DKL-DI-0001](CHECKPOINT.md#dkl-di-0001) | Avoid `sudo` command | FATAL\n| [DKL-DI-0002](CHECKPOINT.md#dkl-di-0002) | Avoid sensitive directory mounting | FATAL\n| [DKL-DI-0003](CHECKPOINT.md#dkl-di-0003) | Avoid `apt-get dist-upgrade` | WARN\n| [DKL-DI-0004](CHECKPOINT.md#dkl-di-0004) | Use `apk add` with `--no-cache` | FATAL\n| [DKL-DI-0005](CHECKPOINT.md#dkl-di-0005) | Clear `apt-get` caches | FATAL\n| [DKL-DI-0006](CHECKPOINT.md#dkl-di-0006) | Avoid `latest` tag | WARN\n|| [Dockle Checkpoints for Linux](CHECKPOINT.md#dockerdockle-checkpoints-for-linux) |\n| [DKL-LI-0001](CHECKPOINT.md#dkl-li-0001) | Avoid empty password | FATAL\n| [DKL-LI-0002](CHECKPOINT.md#dkl-li-0002) | Be unique UID/GROUPs | FATAL\n| [DKL-LI-0003](CHECKPOINT.md#dkl-li-0003) | Only put 
necessary files | INFO\n\n## Level\n\n`Dockle` has 5 check levels.\n\n| LEVEL | DESCRIPTION |\n|:---:|---|\n| FATAL | Be practical and prudent |\n| WARN | Be practical and prudent, but limited uses (even if official images) |\n| INFO | May negatively inhibit the utility or performance |\n| SKIP | Not found target files |\n| PASS | Not found any problems |\n\n## Common Examples\n\n### Scan an image\n\nSimply specify an image name (and a tag).\n\n```bash\n$ dockle goodwithtech/test-image:v1\n```\n\n\u003cdetails\u003e\n\u003csummary\u003eResult\u003c/summary\u003e\n\n```\nFATAL   - CIS-DI-0001: Create a user for the container\n        * Last user should not be root\nWARN    - CIS-DI-0005: Enable Content trust for Docker\n        * export DOCKER_CONTENT_TRUST=1 before docker pull/build\nFATAL   - CIS-DI-0006: Add HEALTHCHECK instruction to the container image\n        * not found HEALTHCHECK statement\nFATAL   - CIS-DI-0007: Do not use update instructions alone in the Dockerfile\n        * Use 'Always combine RUN 'apt-get update' with 'apt-get install' : /bin/sh -c apt-get update \u0026\u0026 apt-get install -y git\nFATAL   - CIS-DI-0008: Remove setuid and setgid permissions in the images\n        * Found setuid file: etc/passwd grw-r--r--\n        * Found setuid file: usr/lib/openssh/ssh-keysign urwxr-xr-x\n        * Found setuid file: app/hoge.txt ugrw-r--r--\n        * Found setuid file: app/hoge.txt ugrw-r--r--\n        * Found setuid file: etc/shadow urw-r-----\nFATAL   - CIS-DI-0009: Use COPY instead of ADD in Dockerfile\n        * Use COPY : /bin/sh -c #(nop) ADD file:81c0a803075715d1a6b4f75a29f8a01b21cc170cfc1bff6702317d1be2fe71a3 in /app/credentials.json\nFATAL   - CIS-DI-0010: Do not store secrets in ENVIRONMENT variables\n        * Suspicious ENV key found : MYSQL_PASSWD\nFATAL   - CIS-DI-0010: Do not store secret files\n        * Suspicious filename found : app/credentials.json\nPASS    - DKL-DI-0001: Avoid sudo command\nFATAL   - DKL-DI-0002: Avoid 
sensitive directory mounting\n        * Avoid mounting sensitive dirs : /usr\nPASS    - DKL-DI-0003: Avoid apt-get/apk/dist-upgrade\nPASS    - DKL-DI-0004: Use apk add with --no-cache\nFATAL   - DKL-DI-0005: Clear apt-get caches\n        * Use 'apt-get clean \u0026\u0026 rm -rf /var/lib/apt/lists/*' : /bin/sh -c apt-get update \u0026\u0026 apt-get install -y git\nPASS    - DKL-DI-0006: Avoid latest tag\nFATAL   - DKL-LI-0001: Avoid empty password\n        * No password user found! username : nopasswd\nPASS    - DKL-LI-0002: Be unique UID\nPASS    - DKL-LI-0002: Be unique GROUP\n```\n\u003c/details\u003e\n\n### Scan an image file\n\n```bash\n$ docker save alpine:latest -o alpine.tar\n$ dockle --input alpine.tar\n```\n\n### Get or Save the results as JSON\n\n```bash\n$ dockle -f json goodwithtech/test-image:v1\n$ dockle -f json -o results.json goodwithtech/test-image:v1\n```\n\n\u003cdetails\u003e\n\u003csummary\u003eResult\u003c/summary\u003e\n\n```json\n{\n  \"summary\": {\n    \"fatal\": 6,\n    \"warn\": 2,\n    \"info\": 2,\n    \"pass\": 7\n  },\n  \"details\": [\n    {\n      \"code\": \"CIS-DI-0001\",\n      \"title\": \"Create a user for the container\",\n      \"level\": \"WARN\",\n      \"alerts\": [\n        \"Last user should not be root\"\n      ]\n    },\n    {\n      \"code\": \"CIS-DI-0005\",\n      \"title\": \"Enable Content trust for Docker\",\n      \"level\": \"INFO\",\n      \"alerts\": [\n        \"export DOCKER_CONTENT_TRUST=1 before docker pull/build\"\n      ]\n    },\n    {\n      \"code\": \"CIS-DI-0006\",\n      \"title\": \"Add HEALTHCHECK instruction to the container image\",\n      \"level\": \"WARN\",\n      \"alerts\": [\n        \"not found HEALTHCHECK statement\"\n      ]\n    },\n    {\n      \"code\": \"CIS-DI-0008\",\n      \"title\": \"Remove setuid and setgid permissions in the images\",\n      \"level\": \"INFO\",\n      \"alerts\": [\n        \"Found setuid file: usr/lib/openssh/ssh-keysign urwxr-xr-x\"\n      ]\n    },\n   
 {\n      \"code\": \"CIS-DI-0009\",\n      \"title\": \"Use COPY instead of ADD in Dockerfile\",\n      \"level\": \"FATAL\",\n      \"alerts\": [\n        \"Use COPY : /bin/sh -c #(nop) ADD file:81c0a803075715d1a6b4f75a29f8a01b21cc170cfc1bff6702317d1be2fe71a3 in /app/credentials.json \"\n      ]\n    },\n    {\n      \"code\": \"CIS-DI-0010\",\n      \"title\": \"Do not store secrets in ENVIRONMENT variables\",\n      \"level\": \"FATAL\",\n      \"alerts\": [\n        \"Suspicious ENV key found : MYSQL_PASSWD\"\n      ]\n    },\n    {\n      \"code\": \"CIS-DI-0010\",\n      \"title\": \"Do not store secret files\",\n      \"level\": \"FATAL\",\n      \"alerts\": [\n        \"Suspicious filename found : app/credentials.json \"\n      ]\n    },\n    {\n      \"code\": \"DKL-DI-0002\",\n      \"title\": \"Avoid sensitive directory mounting\",\n      \"level\": \"FATAL\",\n      \"alerts\": [\n        \"Avoid mounting sensitive dirs : /usr\"\n      ]\n    },\n    {\n      \"code\": \"DKL-DI-0005\",\n      \"title\": \"Clear apt-get caches\",\n      \"level\": \"FATAL\",\n      \"alerts\": [\n        \"Use 'rm -rf /var/lib/apt/lists' after 'apt-get install' : /bin/sh -c apt-get update \\u0026\\u0026 apt-get install -y git\"\n      ]\n    },\n    {\n      \"code\": \"DKL-LI-0001\",\n      \"title\": \"Avoid empty password\",\n      \"level\": \"FATAL\",\n      \"alerts\": [\n        \"No password user found! 
username : nopasswd\"\n      ]\n    }\n  ]\n}\n```\n\n\u003c/details\u003e\n\n### Get or Save the results as SARIF\n\n```bash\n$ dockle -f sarif goodwithtech/test-image:v1\n$ dockle -f sarif -o results.json goodwithtech/test-image:v1\n```\n\n\u003cdetails\u003e\n\u003csummary\u003eResult\u003c/summary\u003e\n\n```json\n{\n  \"version\": \"2.1.0\",\n  \"$schema\": \"https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json\",\n  \"runs\": [\n    {\n      \"tool\": {\n        \"driver\": {\n          \"name\": \"Dockle\",\n          \"informationUri\": \"https://github.com/goodwithtech/dockle\",\n          \"rules\": [\n            {\n              \"id\": \"CIS-DI-0009\",\n              \"shortDescription\": {\n                \"text\": \"Use COPY instead of ADD in Dockerfile\"\n              },\n              \"help\": {\n                \"text\": \"https://github.com/goodwithtech/dockle/blob/master/CHECKPOINT.md#CIS-DI-0009\"\n              }\n            },\n            {\n              \"id\": \"CIS-DI-0010\",\n              \"shortDescription\": {\n                \"text\": \"Do not store credential in ENVIRONMENT vars/files\"\n              },\n              \"help\": {\n                \"text\": \"https://github.com/goodwithtech/dockle/blob/master/CHECKPOINT.md#CIS-DI-0010\"\n              }\n            },\n            {\n              \"id\": \"DKL-DI-0005\",\n              \"shortDescription\": {\n                \"text\": \"Clear apt-get caches\"\n              },\n              \"help\": {\n                \"text\": \"https://github.com/goodwithtech/dockle/blob/master/CHECKPOINT.md#DKL-DI-0005\"\n              }\n            },\n            {\n              \"id\": \"DKL-LI-0001\",\n              \"shortDescription\": {\n                \"text\": \"Avoid empty password\"\n              },\n              \"help\": {\n                \"text\": 
\"https://github.com/goodwithtech/dockle/blob/master/CHECKPOINT.md#DKL-LI-0001\"\n              }\n            },\n            {\n              \"id\": \"CIS-DI-0005\",\n              \"shortDescription\": {\n                \"text\": \"Enable Content trust for Docker\"\n              },\n              \"help\": {\n                \"text\": \"https://github.com/goodwithtech/dockle/blob/master/CHECKPOINT.md#CIS-DI-0005\"\n              }\n            },\n            {\n              \"id\": \"CIS-DI-0008\",\n              \"shortDescription\": {\n                \"text\": \"Confirm safety of setuid/setgid files\"\n              },\n              \"help\": {\n                \"text\": \"https://github.com/goodwithtech/dockle/blob/master/CHECKPOINT.md#CIS-DI-0008\"\n              }\n            },\n            {\n              \"id\": \"CIS-DI-0001\",\n              \"shortDescription\": {\n                \"text\": \"Create a user for the container\"\n              },\n              \"help\": {\n                \"text\": \"https://github.com/goodwithtech/dockle/blob/master/CHECKPOINT.md#CIS-DI-0001\"\n              }\n            },\n            {\n              \"id\": \"CIS-DI-0006\",\n              \"shortDescription\": {\n                \"text\": \"Add HEALTHCHECK instruction to the container image\"\n              },\n              \"help\": {\n                \"text\": \"https://github.com/goodwithtech/dockle/blob/master/CHECKPOINT.md#CIS-DI-0006\"\n              }\n            }\n          ]\n        }\n      },\n      \"results\": [\n        {\n          \"ruleId\": \"CIS-DI-0009\",\n          \"level\": \"error\",\n          \"message\": {\n            \"text\": \"Use COPY : /bin/sh -c #(nop) ADD file:81c0a803075715d1a6b4f75a29f8a01b21cc170cfc1bff6702317d1be2fe71a3 in /app/credentials.json \"\n          }\n        },\n        {\n          \"ruleId\": \"CIS-DI-0010\",\n          \"level\": \"error\",\n          \"message\": {\n            \"text\": 
\"Suspicious filename found : app/credentials.json , Suspicious ENV key found : MYSQL_PASSWD\"\n          }\n        },\n        {\n          \"ruleId\": \"DKL-DI-0005\",\n          \"level\": \"error\",\n          \"message\": {\n            \"text\": \"Use 'rm -rf /var/lib/apt/lists' after 'apt-get install' : /bin/sh -c apt-get update \\u0026\\u0026 apt-get install -y git\"\n          }\n        },\n        {\n          \"ruleId\": \"DKL-LI-0001\",\n          \"level\": \"error\",\n          \"message\": {\n            \"text\": \"No password user found! username : nopasswd\"\n          }\n        },\n        {\n          \"ruleId\": \"CIS-DI-0005\",\n          \"level\": \"note\",\n          \"message\": {\n            \"text\": \"export DOCKER_CONTENT_TRUST=1 before docker pull/build\"\n          }\n        },\n        {\n          \"ruleId\": \"CIS-DI-0008\",\n          \"level\": \"note\",\n          \"message\": {\n            \"text\": \"setuid file: urwxr-xr-x usr/bin/newgrp, setgid file: grwxr-xr-x usr/bin/ssh-agent, setgid file: grwxr-xr-x usr/bin/expiry, setuid file: urwxr-xr-x usr/lib/openssh/ssh-keysign, setuid file: urwxr-xr-x bin/umount, setgid file: grwxr-xr-x usr/bin/chage, setuid file: urwxr-xr-x usr/bin/passwd, setgid file: grwxr-xr-x sbin/unix_chkpwd, setuid file: urwxr-xr-x usr/bin/chsh, setgid file: grwxr-xr-x usr/bin/wall, setuid file: urwxr-xr-x bin/ping, setuid file: urwxr-xr-x bin/su, setuid file: urwxr-xr-x usr/bin/chfn, setuid file: urwxr-xr-x usr/bin/gpasswd, setuid file: urwxr-xr-x bin/mount\"\n          }\n        },\n        {\n          \"ruleId\": \"CIS-DI-0001\",\n          \"level\": \"none\",\n          \"message\": {\n            \"text\": \"Last user should not be root\"\n          }\n        },\n        {\n          \"ruleId\": \"CIS-DI-0006\",\n          \"level\": \"none\",\n          \"message\": {\n            \"text\": \"not found HEALTHCHECK statement\"\n          }\n        }\n      ]\n    }\n  
]\n}\n```\n\u003c/details\u003e\n\n### Specify exit code\n\nBy default, `Dockle` exits with code `0` even if there are some problems.\n\nUse the `--exit-code, -c` option to exit with a non-zero exit code if `WARN` or `FATAL` alerts are found.\n\n```bash\n$ dockle --exit-code 1 [IMAGE_NAME]\n```\n\n### Specify exit level\n\nBy default, `--exit-code` takes effect when there are `WARN` or `FATAL` level alerts.\n\nUse the `--exit-level, -l` option to change the alert level. You can set `info`, `warn` or `fatal`.\n\n```bash\n$ dockle --exit-code 1 --exit-level info [IMAGE_NAME]\n$ dockle --exit-code 1 --exit-level fatal [IMAGE_NAME]\n```\n\n### Ignore the specified checkpoints\n\nThe `--ignore, -i` option skips the specified checkpoints.\n\n```bash\n$ dockle -i CIS-DI-0001 -i DKL-DI-0006 [IMAGE_NAME]\n```\n\nOr, use `DOCKLE_IGNORES`:\n\n```bash\nexport DOCKLE_IGNORES=CIS-DI-0001,DKL-DI-0006\ndockle [IMAGE_NAME]\n```\n\nOr, use a `.dockleignore` file:\n\n```bash\n$ cat .dockleignore\n# set root as the default user because we want to run nginx\nCIS-DI-0001\n# Use the latest tag because we only check the image contents\nDKL-DI-0006\n```\n\n### Accept suspicious `environment variables` / `files` / `file extensions`\n\n```bash\n# --accept-key value, --ak value             You can add acceptable keywords.\ndockle -ak GPG_KEY -ak KEYCLOAK_VERSION [IMAGE_NAME]\nor DOCKLE_ACCEPT_KEYS=GPG_KEY,KEYCLOAK_VERSION dockle [IMAGE_NAME]\n\n# --accept-file value, --af value            You can add acceptable file names.\ndockle -af id_rsa -af id_dsa [IMAGE_NAME]\nor DOCKLE_ACCEPT_FILES=id_rsa,id_dsa dockle [IMAGE_NAME]\n\n# --accept-file-extension value, --ae value  You can add acceptable file extensions.\ndockle -ae pem -ae log [IMAGE_NAME]\nor DOCKLE_ACCEPT_FILE_EXTENSIONS=pem,log dockle [IMAGE_NAME]\n```\n\n### Reject suspicious `environment variables` / `files` / `file extensions`\n\n```bash\n# --sensitive-word value, --sw value             You can add sensitive keywords.\ndockle -sw PRIVATE [IMAGE_NAME]\nor 
DOCKLE_ACCEPT_KEYS=GPG_KEY,KEYCLOAK_VERSION dockle [IMAGE_NAME]\n\n# --sensitive-file value, --sf value            You can add sensitive file names.\ndockle -sf .env [IMAGE_NAME]\nor DOCKLE_REJECT_FILES=.env dockle [IMAGE_NAME]\n\n# --sensitive-file-extension value, --se value  You can add sensitive file extensions.\ndockle -se pfx [IMAGE_NAME]\nor DOCKLE_REJECT_FILE_EXTENSIONS=pfx dockle [IMAGE_NAME]\n```\n\n## Continuous Integration (CI)\n\nYou can scan your built image with `Dockle` in Travis CI/CircleCI.\n\nIn these examples, the test will fail if any warnings are found.\n\nYou can still ignore specific checkpoints by using a `.dockleignore` file.\n\nOr, if you just want the results displayed without failing the test, set `--exit-code` to `0` in the `dockle` command.\n\n### GitHub Action\n\nWe provide [goodwithtech/dockle-action](https://github.com/goodwithtech/dockle-action).\n\n```yaml\n- uses: goodwithtech/dockle-action@main\n  with:\n    image: 'target'\n    format: 'list'\n    exit-code: '1'\n    exit-level: 'warn'\n    ignore: 'CIS-DI-0001,DKL-DI-0006'\n```\n\n\n### Travis CI\n\n\u003cdetails\u003e\n\u003csummary\u003e.travis.yml\u003c/summary\u003e\n\n```yaml\nservices:\n  - docker\n\nenv:\n  global:\n    - COMMIT=${TRAVIS_COMMIT::8}\n\nbefore_install:\n  - docker build -t dockle-ci-test:${COMMIT} .\n  - export VERSION=$(curl --silent \"https://api.github.com/repos/goodwithtech/dockle/releases/latest\" | grep '\"tag_name\":' | sed -E 's/.*\"v([^\"]+)\".*/\\1/')\n  - wget https://github.com/goodwithtech/dockle/releases/download/v${VERSION}/dockle_${VERSION}_Linux-64bit.tar.gz\n  - tar zxvf dockle_${VERSION}_Linux-64bit.tar.gz\nscript:\n  - ./dockle dockle-ci-test:${COMMIT}\n  - ./dockle --exit-code 1 dockle-ci-test:${COMMIT}\n```\n\u003c/details\u003e\n\n- Example: https://travis-ci.org/goodwithtech/dockle-ci-test\n- Repository: https://github.com/goodwithtech/dockle-ci-test\n\n### 
CircleCI\n\n\u003cdetails\u003e\n\u003csummary\u003e.circleci/config.yml\u003c/summary\u003e\n\n```yaml\njobs:\n  build:\n    docker:\n      - image: docker:18.09-git\n    steps:\n      - checkout\n      - setup_remote_docker\n      - run:\n          name: Build image\n          command: docker build -t dockle-ci-test:${CIRCLE_SHA1} .\n      - run:\n          name: Install dockle\n          command: |\n            apk add --update curl\n            VERSION=$(\n                curl --silent \"https://api.github.com/repos/goodwithtech/dockle/releases/latest\" | \\\n                grep '\"tag_name\":' | \\\n                sed -E 's/.*\"v([^\"]+)\".*/\\1/'\n            )\n            wget https://github.com/goodwithtech/dockle/releases/download/v${VERSION}/dockle_${VERSION}_Linux-64bit.tar.gz\n            tar zxvf dockle_${VERSION}_Linux-64bit.tar.gz\n            mv dockle /usr/local/bin\n      - run:\n          name: Scan the local image with dockle\n          command: dockle --exit-code 1 dockle-ci-test:${CIRCLE_SHA1}\nworkflows:\n  version: 2\n  release:\n    jobs:\n      - build\n```\n\u003c/details\u003e\n\n- Example: https://circleci.com/gh/goodwithtech/dockle-ci-test\n- Repository: https://github.com/goodwithtech/dockle-ci-test\n\n## GitLab CI\n\n\u003cdetails\u003e\n\u003csummary\u003e.gitlab-ci.yml\u003c/summary\u003e\n\n```yaml\nimage: docker:stable\nstages:\n  - test\n\nvariables:\n  DOCKER_HOST: tcp://docker:2375/\n  DOCKER_DRIVER: overlay2\nservices:\n  - docker:dind\n\nunit_test:\n  stage: test\n  before_script:\n    - apk -Uuv add bash git curl tar sed grep\n  script:\n    - docker build -t dockle-ci-test:${CI_COMMIT_SHORT_SHA} .\n    - |\n      VERSION=$(\n      curl --silent \"https://api.github.com/repos/goodwithtech/dockle/releases/latest\" | \\\n      grep '\"tag_name\":' | \\\n      sed -E 's/.*\"v([^\"]+)\".*/\\1/' \\\n      ) \u0026\u0026 curl -L -o dockle.tar.gz 
## Authorization for Private Docker Registry

`Dockle` can download images from a private registry without installing `Docker` or any other third-party tools. It is designed this way for ease of use in a CI process.

All you have to do is install `Dockle` and set the ENVIRONMENT variables below.

- NOTE: Setting credentials as ENV vars on your local machine is not recommended (they end up in shell history and are visible to other processes); use them in CI jobs, where they can be injected as secrets.

### Docker Hub

To download a private repository from Docker Hub, set the `DOCKLE_AUTH_URL`, `DOCKLE_USERNAME` and `DOCKLE_PASSWORD` ENV vars.

```bash
export DOCKLE_AUTH_URL=https://registry.hub.docker.com
export DOCKLE_USERNAME={DOCKERHUB_USERNAME}
export DOCKLE_PASSWORD={DOCKERHUB_PASSWORD}
```

- NOTE: You don't need to set ENV vars when downloading from a public repository.

### Amazon ECR (Elastic Container Registry)

`Dockle` uses the AWS SDK, so you don't need to install the `aws` CLI tool.

Use the [AWS CLI's ENVIRONMENT variables](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html).

```bash
export AWS_ACCESS_KEY_ID={AWS ACCESS KEY}
export AWS_SECRET_ACCESS_KEY={SECRET KEY}
export AWS_DEFAULT_REGION={AWS REGION}
```

### GCR (Google Container Registry)

`Dockle` uses the Google Cloud SDK, so you don't need to install the `gcloud` command.

To pull from the target project's repository, authenticate with a credential JSON file via `GOOGLE_APPLICATION_CREDENTIALS`.

```bash
# leave DOCKLE_USERNAME empty (unset) so that the GCP credentials are used
export GOOGLE_APPLICATION_CREDENTIALS=/path/to/credential.json
```
### Self Hosted Registry (BasicAuth)

A BasicAuth registry needs `DOCKLE_USERNAME` and `DOCKLE_PASSWORD`.

```bash
export DOCKLE_USERNAME={USERNAME}
export DOCKLE_PASSWORD={PASSWORD}

# for a registry served over plain HTTP (port 80) rather than TLS, disable SSL
export DOCKLE_NON_SSL=true
```

- NOTE: With `DOCKLE_NON_SSL=true` the Basic-Auth credentials travel in cleartext, so use it only on a network you trust (for example a registry reachable solely from the CI runners).
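Because the registry is selected purely by which ENV vars are present, a job can silently fall back to an anonymous pull, or combine `DOCKLE_NON_SSL=true` with a password. The following preflight is an added example, not part of the dockle project: it reports which of the modes described above the environment selects and rejects incomplete or unsafe combinations. It uses only the variable names listed in this section; the function name, the mode labels (anonymous, dockerhub, basic, ecr, gcr) and the precedence order are this example's own choices.

```shell
#!/bin/sh
# Added example (not dockle's own code): preflight for the registry credentials
# described in this README, to run in a CI job before "dockle IMAGE".
# dockle_auth_mode prints the selected mode on stdout and returns 0, or prints the
# problem on stderr and returns 1. Mode names and precedence are this example's own.
dockle_auth_mode() {
    # DOCKLE_NON_SSL=true means plain HTTP: a Basic-Auth header would cross the
    # network in cleartext, so never combine it with a password.
    if [ "${DOCKLE_NON_SSL:-}" = "true" ] && [ -n "${DOCKLE_PASSWORD:-}" ]; then
        echo "DOCKLE_NON_SSL=true together with DOCKLE_PASSWORD: credentials would be sent in cleartext" >&2
        return 1
    fi
    # GCR: the README requires DOCKLE_USERNAME to be empty so the GCP credentials are used.
    if [ -n "${GOOGLE_APPLICATION_CREDENTIALS:-}" ]; then
        if [ -n "${DOCKLE_USERNAME:-}" ]; then
            echo "GOOGLE_APPLICATION_CREDENTIALS is set but DOCKLE_USERNAME is not empty" >&2
            return 1
        fi
        if [ ! -r "$GOOGLE_APPLICATION_CREDENTIALS" ]; then
            echo "GOOGLE_APPLICATION_CREDENTIALS is not a readable file: $GOOGLE_APPLICATION_CREDENTIALS" >&2
            return 1
        fi
        echo gcr
        return 0
    fi
    # ECR: the README's recipe uses the three AWS CLI variables; other SDK credential
    # sources (instance roles, ~/.aws) are not checked here.
    if [ -n "${AWS_ACCESS_KEY_ID:-}" ] || [ -n "${AWS_SECRET_ACCESS_KEY:-}" ]; then
        if [ -z "${AWS_ACCESS_KEY_ID:-}" ] || [ -z "${AWS_SECRET_ACCESS_KEY:-}" ] || [ -z "${AWS_DEFAULT_REGION:-}" ]; then
            echo "ECR needs AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_DEFAULT_REGION" >&2
            return 1
        fi
        echo ecr
        return 0
    fi
    # Docker Hub and a self-hosted BasicAuth registry both use DOCKLE_USERNAME and
    # DOCKLE_PASSWORD; the Docker Hub recipe additionally sets DOCKLE_AUTH_URL.
    if [ -n "${DOCKLE_USERNAME:-}" ] || [ -n "${DOCKLE_PASSWORD:-}" ]; then
        if [ -z "${DOCKLE_USERNAME:-}" ] || [ -z "${DOCKLE_PASSWORD:-}" ]; then
            echo "DOCKLE_USERNAME and DOCKLE_PASSWORD must both be set" >&2
            return 1
        fi
        if [ -n "${DOCKLE_AUTH_URL:-}" ]; then echo dockerhub; else echo basic; fi
        return 0
    fi
    echo anonymous
}
```

Run `dockle_auth_mode >/dev/null || exit 1` at the start of the job's script step, before `dockle --exit-code 1 IMAGE`; the check never prints the password itself, only which variables are missing or conflicting.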
## Contributors

### Code Contributors

This project exists thanks to all the people who contribute. [[Contribute](CONTRIBUTING.md)].
<a href="https://github.com/goodwithtech/dockle/graphs/contributors"><img src="https://opencollective.com/dockle/contributors.svg?width=890&button=false" /></a>

### Financial Contributors

Become a financial contributor and help us sustain our community. [[Contribute](https://opencollective.com/dockle/contribute)]

#### Individuals

<a href="https://opencollective.com/dockle"><img src="https://opencollective.com/dockle/individuals.svg?width=890"></a>

#### Organizations

Support this project with your organization. Your logo will show up here with a link to your website. [[Contribute](https://opencollective.com/dockle/contribute)]

<a href="https://www.tines.com/?utm_source=oss&utm_medium=sponsorship&utm_campaign=dockle"><img src="imgs/tines.png"></a>
<a href="https://opencollective.com/dockle/organization/1/website"><img src="https://opencollective.com/dockle/organization/1/avatar.svg"></a>
<a href="https://opencollective.com/dockle/organization/2/website"><img src="https://opencollective.com/dockle/organization/2/avatar.svg"></a>
<a href="https://opencollective.com/dockle/organization/3/website"><img src="https://opencollective.com/dockle/organization/3/avatar.svg"></a>
<a href="https://opencollective.com/dockle/organization/4/website"><img src="https://opencollective.com/dockle/organization/4/avatar.svg"></a>
<a href="https://opencollective.com/dockle/organization/5/website"><img src="https://opencollective.com/dockle/organization/5/avatar.svg"></a>
<a href="https://opencollective.com/dockle/organization/6/website"><img src="https://opencollective.com/dockle/organization/6/avatar.svg"></a>
<a href="https://opencollective.com/dockle/organization/7/website"><img src="https://opencollective.com/dockle/organization/7/avatar.svg"></a>
<a href="https://opencollective.com/dockle/organization/8/website"><img src="https://opencollective.com/dockle/organization/8/avatar.svg"></a>
<a href="https://opencollective.com/dockle/organization/9/website"><img src="https://opencollective.com/dockle/organization/9/avatar.svg"></a>

# License

- Apache License 2.0

# Author

[@tomoyamachi](https://github.com/tomoyamachi) (Tomoya Amachi)

Special Thanks to
[@knqyf263](https://github.com/knqyf263) (Teppei Fukuda) and [Trivy](https://github.com/knqyf263/trivy)