Dockle is a container image linter: it inspects a built Docker image (its layers, metadata and file system) and reports where the image departs from security best practices, listing each finding with a severity so you can improve the security and compliance of your container images. It is a configuration checker rather than a vulnerability scanner, and it works on the built image, not on the Dockerfile source.
- CIS Benchmark Checks: Dockle checks Docker images against the CIS Docker Benchmark, providing suggestions for improving security.
- Best Practices: It identifies potential issues related to best practices, such as user configuration, health check implementation, and file permissions.
- Vulnerability Detection: Dockle does not scan installed packages for known CVEs. Pair it with a vulnerability scanner such as Trivy; the two are complementary, since Dockle covers configuration and build hygiene and Trivy covers package vulnerabilities.
Dockle has 5 check levels:
| LEVEL | DESCRIPTION |
|---|---|
| FATAL | Critical issues that must be addressed |
| WARN | Issues that should be reviewed and fixed if necessary |
| INFO | Informational messages about best practices |
| SKIP | Checks that were skipped because target files were not found |
| PASS | Checks that passed with no issues found |
You can find the detailed installation instructions on the Dockle GitHub page.
Run it from the official image (the Docker socket mount lets Dockle read images from the local daemon; anything with access to that socket has root-equivalent control of the host, so do this only on trusted build hosts):
docker run --rm -v /var/run/docker.sock:/var/run/docker.sock goodwithtech/dockle <image_name>
Install with Homebrew:
brew install goodwithtech/r/dockle
Or download the Dockle binary directly from the Dockle GitHub releases page and place it in your PATH.
dockle [YOUR_IMAGE_NAME]
Scans the image [YOUR_IMAGE_NAME] and prints each check with its level. The image must already exist in the local daemon or be pullable from a registry, because Dockle inspects the built image rather than the Dockerfile.
dockle -f json -o results.json [IMAGE_NAME]
Scans [IMAGE_NAME] and writes the results as JSON to results.json instead of the default table. The -f flag sets the output format and -o the output file. The JSON report is the form to consume from scripts and CI, since it carries per-level counts plus the individual findings with their check IDs.
dockle --exit-code 1 [IMAGE_NAME]
By default Dockle exits with code 0 even when it reports problems, so a CI step running it would never fail. --exit-code sets the code returned when findings at WARN or above are present. The threshold is controlled by --exit-level (default warn); pass --exit-level fatal to fail only on FATAL findings.
dockle -i CIS-DI-0001 -i DKL-DI-0006 [IMAGE_NAME]
Scans [IMAGE_NAME] but ignores the checks CIS-DI-0001 (create a user for the container) and DKL-DI-0006 (avoid the latest tag); -i may be repeated. The same IDs can be listed one per line in a .dockleignore file in the working directory, so that exceptions are versioned alongside the code instead of typed into each command.
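The options above combine naturally in a pipeline: write the report as JSON, then let a script decide whether the job fails. The following Python script is an added example, not part of Dockle or of this page. It assumes the JSON layout shown in its constructed sample (top-level image, summary and details, each detail carrying code, title, level and alerts) and reproduces the effect of --exit-level and -i over that report; the function names and the gate.py file name are the example's own.

```python
"""Added example (not Dockle's own code): gate a build on a Dockle JSON report.

Reproduces the effect of --exit-level (lowest level that counts as a failure)
and -i / .dockleignore (check IDs to drop) over a report produced with
`dockle -f json -o results.json IMAGE`.
"""
import json
import sys

# Severity order used for the --exit-level comparison; SKIP and PASS never fail.
LEVELS = {"INFO": 1, "WARN": 2, "FATAL": 3}

# Constructed sample, shaped like Dockle's JSON report (assumed layout:
# top-level image/summary/details, each detail with code/title/level/alerts).
SAMPLE_REPORT = json.dumps({
    "image": "my-image:latest",
    "summary": {"fatal": 1, "warn": 2, "info": 1, "skip": 1, "pass": 10},
    "details": [
        {"code": "CIS-DI-0001", "title": "Create a user for the container",
         "level": "WARN", "alerts": ["Last user should not be root"]},
        {"code": "CIS-DI-0010",
         "title": "Do not store credential in environment variables/files",
         "level": "FATAL",
         "alerts": ["Suspicious ENV key found : AWS_SECRET_ACCESS_KEY"]},
        {"code": "DKL-DI-0006", "title": "Avoid latest tag",
         "level": "WARN", "alerts": ["Avoid 'latest' tag"]},
        {"code": "CIS-DI-0006",
         "title": "Add HEALTHCHECK instruction to the container image",
         "level": "INFO", "alerts": ["not found HEALTHCHECK statement"]},
        {"code": "DKL-LI-0003", "title": "Only put necessary files",
         "level": "SKIP", "alerts": []},
    ],
})


def load_report(text):
    """Parse a Dockle JSON report; fail early if it is not the expected shape."""
    report = json.loads(text)
    for key in ("image", "summary", "details"):
        if key not in report:
            raise ValueError(f"not a Dockle JSON report: missing '{key}'")
    return report


def failing_checks(report, exit_level="WARN", ignore=()):
    """Findings at or above exit_level whose check ID is not in the ignore list."""
    threshold = LEVELS[exit_level.upper()]
    ignored = {code.upper() for code in ignore}
    return [d for d in report["details"]
            if d["code"].upper() not in ignored
            and LEVELS.get(d["level"].upper(), 0) >= threshold]


def exit_code(report, exit_level="WARN", ignore=()):
    """1 if anything would fail the build under these settings, else 0."""
    return 1 if failing_checks(report, exit_level, ignore) else 0


def summarize(report, exit_level="WARN", ignore=()):
    """Human-readable summary: per-level counts, then each failing alert."""
    counts = ", ".join(f"{k}={v}" for k, v in report["summary"].items())
    lines = [f"{report['image']}: {counts}"]
    for d in failing_checks(report, exit_level, ignore):
        for alert in d["alerts"]:
            lines.append(f"  [{d['level']}] {d['code']} {d['title']}: {alert}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python gate.py results.json [exit_level] [ignored-id ...]
    # With no arguments the constructed sample report is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            text = fh.read()
    else:
        text = SAMPLE_REPORT
    level = sys.argv[2] if len(sys.argv) > 2 else "WARN"
    ignored = sys.argv[3:]
    rep = load_report(text)
    print(summarize(rep, level, ignored))
    sys.exit(exit_code(rep, level, ignored))
```

Running it on the sample with the default WARN threshold fails on three findings; raising the threshold to FATAL and ignoring CIS-DI-0010 passes, which is exactly the trade-off a .dockleignore entry makes, so review each ignored ID as deliberately as a code change.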
Dockle needs registry credentials when the image has to be pulled from a private repository. For Docker Hub, set the following environment variables:
export DOCKLE_AUTH_URL=https://registry.hub.docker.com
export DOCKLE_USERNAME={DOCKERHUB_USERNAME}
export DOCKLE_PASSWORD={DOCKERHUB_PASSWORD}
DOCKLE_AUTH_URL is the registry endpoint; DOCKLE_USERNAME and DOCKLE_PASSWORD are your Docker Hub credentials. Prefer a read-only Docker Hub access token over the account password, inject it from the CI system's secret store rather than a shell profile, and unset the variables once the scan has run.
Dockle can be integrated into CI/CD pipelines to enforce container security and best-practice checks as part of the build process. Here is an example GitHub Actions workflow that builds the image and fails the job on WARN or FATAL findings:

```yaml
name: CI
on: [push]
jobs:
  dockle:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Build Docker image
        run: docker build -t my-image:${{ github.sha }} .
      - name: Run Dockle
        run: |
          docker run --rm \
            -v /var/run/docker.sock:/var/run/docker.sock \
            goodwithtech/dockle --exit-code 1 my-image:${{ github.sha }}
```

Two details matter here. Without --exit-code the step always succeeds, so the scan would be informational only. Tagging the image with the commit SHA instead of relying on the implicit latest tag keeps DKL-DI-0006 (avoid latest tag) from failing every build; if that check is not wanted, ignore it explicitly with -i rather than leaving the image untagged.

Dockle is a valuable tool for improving the security and compliance of Docker images by checking that they follow best practices and security guidelines. It integrates easily into development workflows, making it a useful part of a robust DevOps security strategy.