github.com/jimschubert/docked
Package docked provides types and functionality for analyzing and linting Dockerfiles. docked uses the Docker buildkit parser to retrieve the AST of an input Dockerfile. It also provides a simple API for defining and registering rules that process the AST. All in-built rules are built upon this API; see those defined under the validations package.

An external YAML configuration is supported by docked.Config. The configuration allows for ignoring in-built rules, overriding the priority of in-built rules, and defining custom rules based on the validations.SimpleRegexRule structure.

Invoking docked.Docked#Analysis will use the list of in-built validation rules and return a docked.AnalysisResult. The result should be walked programmatically to generate a report. Please see reports under the reporting package for examples. The HTML and JSON reporters under the reporter package provide implementations used by the accompanying CLI tool, which is intended for CI/CD pipelines.
Readme
A Dockerfile linting tool which aims to pull many best practices and recommendations from multiple sources:
Check out the currently supported rules.
docked analyze ./Dockerfile
Successful Outputs:
Failure Outputs:
And, it's customizable. You can ignore, re-prioritize, or add custom rules via regex. There's also JSON and HTML outputs.
Latest binary releases are available via GitHub Releases.
brew install jimschubert/tap/docked
docker pull jimschubert/docked:latest
When running the docker image, be sure to mount and reference the sources appropriately. For example:
After you've installed the binary either manually or via Homebrew, consider enabling completions for your shell.
For instructions, view help for your target shell.
docked completion zsh --help
docked completion bash --help
docked completion fish --help
docked completion powershell --help
$ docked analyze --help
Analyze a Dockerfile for issues

If not provided, FILE defaults to ./Dockerfile

Usage:
  docked analyze [FILE] [flags]

Flags:
  -h, --help                   help for analyze
  -i, --ignore strings         The lint ids to ignore
  -k, --no-buildkit-warnings   Whether to suppress Docker parser warnings
      --regex-engine string    The regex engine to use (regexp, regexp2) (default "regexp2")
      --report-type string     The type of reporting output (text, json, html) (default "text")

Global Flags:
      --config string   config file (default is $HOME/.docked.yaml)
      --viper           use Viper for configuration (default true)
Things to consider:
- --report-type json), but this is not forced
- regexp2 engine is default because it supports full regular expression syntax. Compare differences in regexp2's README. Note that regexp2 patterns are not run in compatibility mode in docked, although that might change later.
- viper configuration is work-in-progress. Feel free to contribute.

The optional configuration file follows this example syntax:
ignore:
  - D7:tagged-latest
rule_overrides:
  'D5:secret-aws-access-key': low
custom_rules:
  - name: custom-name
    summary: Your custom summary
    details: Your additional rule details
    pattern: '.' # some regex pattern
    priority: critical
    command: add
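The Go program below is an added example, not docked's own code: it models how a custom regex rule scoped to one command could be evaluated, and shows why a pattern written for regexp2 can fail under --regex-engine regexp. The Rule type, Check function, sample Dockerfile and rule names are hypothetical, and applying the pattern to the instruction's arguments only is an assumption.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Rule mirrors the custom_rules keys; a hypothetical stand-in, not docked's own type.
type Rule struct {
	Name, Pattern, Priority, Command string
}

// Constructed sample input.
const sampleDockerfile = `FROM alpine:3.19
ADD https://example.invalid/tool.tgz /opt/
ADD ./app /srv/app
RUN apk add --no-cache \
    curl`

// Check joins backslash continuations, then matches the rule's pattern against
// the arguments of every instruction whose command equals rule.Command.
// Assumption: the pattern is applied to the argument text only.
func Check(rule Rule, dockerfile string) ([]string, error) {
	re, err := regexp.Compile(rule.Pattern) // Go standard library engine (RE2 syntax)
	if err != nil {
		return nil, fmt.Errorf("rule %s: %w", rule.Name, err)
	}
	joined := strings.ReplaceAll(dockerfile, "\\\n", " ")
	var hits []string
	for _, line := range strings.Split(joined, "\n") {
		fields := strings.Fields(line)
		if len(fields) < 2 || !strings.EqualFold(fields[0], rule.Command) {
			continue
		}
		if args := strings.Join(fields[1:], " "); re.MatchString(args) {
			hits = append(hits, fmt.Sprintf("%s [%s]: %s", rule.Name, rule.Priority, line))
		}
	}
	return hits, nil
}

func main() {
	hits, _ := Check(Rule{"add-remote-url", `^https?://`, "critical", "add"}, sampleDockerfile)
	fmt.Println(hits)
	// A lookahead is regexp2 syntax; the standard library engine rejects it.
	_, err := Check(Rule{"no-latest", `^(?!.*:latest)`, "low", "from"}, sampleDockerfile)
	fmt.Println(err)
}
```

A rule whose pattern relies on lookaheads or backreferences needs the regexp2 engine; with the standard library engine the pattern fails to compile rather than silently matching nothing.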
Build a local distribution for evaluation using goreleaser (easiest).
goreleaser release --skip-publish --snapshot --rm-dist
This will create an executable application for your os/architecture under dist:
dist
├── docked_darwin_amd64
│ └── docked
├── docked_linux_386
│ └── docked
├── docked_linux_amd64
│ └── docked
├── docked_linux_arm64
│ └── docked
├── docked_linux_arm_6
│ └── docked
└── docked_windows_amd64
    └── docked.exe
Build and execute locally using go:
go get -d ./...
go build -o docked ./cmd/docked/
./docked --help
This project is licensed under Apache 2.0.
FAQs
We found that github.com/jimschubert/docked demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.