github.com/jimschubert/docked

Package docked provides types and functionality for analyzing and linting Dockerfiles. docked uses the Docker buildkit parser to retrieve the AST of an input Dockerfile. It also provides a simple API for defining and registering rules that process the AST; all in-built rules are built upon this API. See those defined under the validations package. An external YAML configuration is supported via docked.Config. The configuration allows ignoring in-built rules, overriding the priority of in-built rules, and defining custom rules based on the validations.SimpleRegexRule structure. Invoking docked.Docked#Analysis uses the list of in-built validation rules and returns a docked.AnalysisResult. The result should be walked programmatically to generate a report. Please see the reports under the reporting package for examples. The HTML and JSON reporters under the reporter package provide the implementations used by the accompanying CLI tool, intended for use in CI/CD pipelines.

v0.3.6

Readme

# docked

A Dockerfile linting tool which aims to pull many best practices and recommendations from multiple sources:

* OWASP
* Docker Official Documentation
* Community recommendations
* Package manager bug trackers

Check out the currently supported [rules](./RULES.md).

[![Apache 2.0 License](https://img.shields.io/badge/License-Apache%202.0-blue)](./LICENSE)
![Go Version](https://img.shields.io/github/go-mod/go-version/jimschubert/docked)
[![Go Build](https://github.com/jimschubert/docked/actions/workflows/build.yml/badge.svg)](https://github.com/jimschubert/docked/actions/workflows/build.yml)
![Docker Image Size (latest semver)](https://img.shields.io/docker/image-size/jimschubert/docked?color=orange&label=Docker%20Image%20Size)
[![Go Report Card](https://goreportcard.com/badge/github.com/jimschubert/docked)](https://goreportcard.com/report/github.com/jimschubert/docked)

## tldr;

```shell
docked analyze ./Dockerfile
```

Successful Outputs:
![](./.github/screens/output.png)

Failure Outputs:
![](./.github/screens/output-failures.png)

And, it's customizable. You can ignore, re-prioritize, or add custom rules via regex. There's also JSON and [HTML](https://htmlpreview.github.io/?https://raw.githubusercontent.com/jimschubert/docked/master/.github/examples/html/index.html) outputs.

## Install

### Binaries

Latest binary releases are available via [GitHub Releases](https://github.com/jimschubert/docked/releases).

### Homebrew

```shell
brew install jimschubert/tap/docked
```

### Docker

```shell
docker pull jimschubert/docked:latest
```

When running the docker image, be sure to mount and reference the sources appropriately. For example:

### Completions

After you've installed the binary either manually or via Homebrew, consider enabling completions for your shell.

For instructions, view help for your target shell.

#### zsh

```shell
docked completion zsh --help
```

#### bash

```shell
docked completion bash --help
```

#### fish

```shell
docked completion fish --help
```

#### powershell

```shell
docked completion powershell --help
```

## Usage

```shell
$ docked analyze --help

Analyze a Dockerfile for issues
If not provided, FILE defaults to ./Dockerfile

Usage:
  docked analyze [FILE] [flags]

Flags:
  -h, --help                   help for analyze
  -i, --ignore strings         The lint ids to ignore
  -k, --no-buildkit-warnings   Whether to suppress Docker parser warnings
      --regex-engine string    The regex engine to use (regexp, regexp2) (default "regexp2")
      --report-type string     The type of reporting output (text, json, html) (default "text")

Global Flags:
      --config string   config file (default is $HOME/.docked.yaml)
      --viper           use Viper for configuration (default true)
```

Things to consider:

* Buildkit warnings should be disabled when piping output (for example when using `--report-type json`), but this is _not forced_
* The `regexp2` engine is default because it supports full regular expression syntax. Compare differences in [regexp2's README](https://github.com/dlclark/regexp2#compare-regexp-and-regexp2). Note that `regexp2` patterns are not run in compatibility mode in docked, although that might change later.
* `viper` configuration is work-in-progress. Feel free to contribute.

## Configuration

The optional configuration file follows this example syntax:

```yaml
ignore:
  - D7:tagged-latest
rule_overrides:
  'D5:secret-aws-access-key': low
custom_rules:
  - name: custom-name
    summary: Your custom summary
    details: Your additional rule details
    pattern: '.' # some regex pattern
    priority: critical
    command: add
```
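To make the three configuration keys concrete, here is an added Python example (not part of docked, which is written in Go and uses the buildkit parser) that applies a `custom_rules` entry to a Dockerfile while honouring `ignore` and `rule_overrides`. It assumes that `command` restricts a rule to that instruction and that `pattern` is matched against the instruction's arguments, and it reads the Dockerfile line by line without handling continuations; the rule id `remote-add` and the sample Dockerfile are constructed for the example.

```python
import re

# Mirrors the docked config keys: ignore, rule_overrides and custom_rules.
# Assumed semantics (not from docked's docs): `command` restricts a rule to
# that Dockerfile instruction and `pattern` is matched against its arguments.


def evaluate(config: dict, dockerfile: str) -> list[dict]:
    """One finding per (custom rule, matching line), honouring ignore and
    rule_overrides. Raises re.error for an invalid pattern."""
    ignored = set(config.get("ignore", []))
    overrides = config.get("rule_overrides", {})
    findings = []
    for rule in config.get("custom_rules", []):
        if rule["name"] in ignored:
            continue
        regex = re.compile(rule["pattern"])
        # rule_overrides replaces the priority declared on the rule itself.
        priority = overrides.get(rule["name"], rule["priority"])
        for lineno, line in enumerate(dockerfile.splitlines(), start=1):
            fields = line.split()
            # Instruction names are case-insensitive in Dockerfiles.
            if not fields or fields[0].lower() != rule["command"].lower():
                continue
            if regex.search(" ".join(fields[1:])):
                findings.append({"rule": rule["name"], "priority": priority,
                                 "line": lineno, "summary": rule.get("summary", "")})
    return findings


# Constructed sample: the page's ignore/rule_overrides keys plus one custom rule
# that flags ADD of a remote URL (docked's built-in rule ids are not assumed).
SAMPLE_CONFIG = {
    "ignore": ["D7:tagged-latest"],
    "rule_overrides": {"remote-add": "critical"},
    "custom_rules": [{"name": "remote-add", "summary": "ADD fetches a remote URL",
                      "pattern": r"^https?://", "priority": "high", "command": "add"}],
}
SAMPLE_DOCKERFILE = "FROM alpine:3.18\nADD https://example.com/app.tgz /opt/\nadd ./local.tgz /opt/\n"

if __name__ == "__main__":
    for f in evaluate(SAMPLE_CONFIG, SAMPLE_DOCKERFILE):
        print(f"{f['priority']:>8}  line {f['line']}  {f['rule']}: {f['summary']}")
```

Only line 2 is reported: the lower-case `add` on line 3 is matched as an instruction but its arguments are a local path, and the override lifts the finding from `high` to `critical`.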

## Build

Build a local distribution for evaluation using goreleaser (easiest).

```bash
goreleaser release --skip-publish --snapshot --rm-dist
```

This will create an executable application for your OS/architecture under `dist`:

```
dist
├── docked_darwin_amd64
│   └── docked
├── docked_linux_386
│   └── docked
├── docked_linux_amd64
│   └── docked
├── docked_linux_arm64
│   └── docked
├── docked_linux_arm_6
│   └── docked
└── docked_windows_amd64
    └── docked.exe
```

Build and execute locally using go:

* Get dependencies

```shell
go get -d ./...
```

* Build

```shell
go build -o docked ./cmd/docked/
```

* Run

```shell
./docked --help
```

## License

This project is [licensed](./LICENSE) under Apache 2.0.

Last updated on 16 Jan 2023