Dockerlinter - A simple golang tool for linting of Dockerfile

A simple Go tool which audits your Dockerfile against best practices and generates an HTML report. The main goal of this tool is to provide easy, fast and reliable linting of Dockerfiles.
Right now the following operating systems are supported:-
- Windows
- Linux
Requirements
The requirements for using this tool are:-
Golang
- Only if you want to do development
Docker
- Only if you are running the Dockerized setup
Overview
Dockerlinter checks a Dockerfile against the best-practice rules listed below and generates a report of the violations it finds.
Things you should know about Dockerlinter:-
- Dockerlinter only checks a Dockerfile against best practices; it does not format or modify it.
- For development, Go 1.9+ is supported.
The folder structure is as follows:-
dockerlinter ---> Main codebase for Dockerlinter
├── cmd ---> Contains main.go which is the entrypoint of the dockerlinter
├── Dockerfile ---> Dockerfile for dockerization of linting utility
├── example ---> Some example Dockerfiles for testing
├── LICENSE ---> Apache-2.0 License for this linter
├── linter ---> Contains rules for dockerlinter
├── main.go ---> The main.go file which will call other modules
├── Makefile ---> Makefile for ease of the development
├── README.md ---> README has all the information about this linter
├── reports ---> Report generation code for linter
└── static ---> Static files like images etc.
Parameters
Here is the list of parameters accepted by this tool.
| Parameter | Supported Values | Description |
|---|---|---|
| --ignore | rule code, e.g. dl3000 | Provide the rule code which you want to ignore |
| --version | - | Print the version of dockerlinter. |
Getting Started
Compiling binary
git clone https://github.com/iamabhishek-dubey/dockerlinter.git
cd dockerlinter
make get-depends
make build-code
Using an existing release
## For linux
wget https://github.com/iamabhishek-dubey/dockerlinter/releases/download/v0.0.2/dockerlinter-0.0.2-linux-amd64.tar.gz
tar -xvzf dockerlinter-0.0.2-linux-amd64.tar.gz
## For Windows
wget https://github.com/iamabhishek-dubey/dockerlinter/releases/download/v0.0.2/dockerlinter-0.0.2-windows-amd64.tar.gz
tar -xvzf dockerlinter-0.0.2-windows-amd64.tar.gz
Dockerized Setup
Steps for Dockerized Setup
make build-image
docker run -itd --name docker-linter docker-linter:latest
Running dockerlinter
After the setup, you just need to run the binary against a Dockerfile. For example:-
dockerlinter Dockerfile
Example Reports
Reports are generated in two formats: HTML and table.
- Table Report
+-------------+--------------------------------+-----------+--------------------------------+
| LINE NUMBER | LINE                           | RULE CODE | DESCRIPTION                    |
+-------------+--------------------------------+-----------+--------------------------------+
| 1           | FROM alpine:latest             | DL3007    | Using latest is prone to       |
|             |                                |           | errors if the image will       |
|             |                                |           | ever update. Pin the version   |
|             |                                |           | explicitly to a release tag.   |
+-------------+--------------------------------+-----------+--------------------------------+
| 11          | RUN apk update && \            | DL3018    | Pin versions in apk add.       |
|             |                                |           | Instead of `apk add package`   |
|             |                                |           | use `apk add package=version`. |
+-------------+--------------------------------+-----------+--------------------------------+
| 11          | RUN apk update && \            | DL3019    | Use the `--no-cache` switch    |
|             |                                |           | to avoid the need to use       |
|             |                                |           | `--update` and remove          |
|             |                                |           | `/var/cache/apk/*` when done   |
|             |                                |           | installing packages.           |
+-------------+--------------------------------+-----------+--------------------------------+
| 3           | MAINTAINER Abhishek Dubey      | DL4000    | MAINTAINER is deprecated.      |
|             | <abhishek.dubey@opstree.com>   |           |                                |
+-------------+--------------------------------+-----------+--------------------------------+
- HTML Report

Rules
The rules are taken from hadolint. Here is the list of rules we implement:-
| Rule | Description |
|---|---|
| DL3000 | Use absolute WORKDIR. |
| DL3001 | For some bash commands it makes no sense running them in a Docker container like ssh, vim, shutdown, service, ps, free, top, kill, mount, ifconfig. |
| DL3002 | Last user should not be root. |
| DL3003 | Use WORKDIR to switch to a directory. |
| DL3004 | Do not use sudo as it leads to unpredictable behavior. Use a tool like gosu to enforce root. |
| DL3005 | Do not use apt-get upgrade or dist-upgrade. |
| DL3006 | Always tag the version of an image explicitly. |
| DL3007 | Using latest is prone to errors if the image will ever update. Pin the version explicitly to a release tag. |
| DL3008 | Pin versions in apt-get install. |
| DL3009 | Delete the apt-get lists after installing something. |
| DL3010 | Use ADD for extracting archives into an image. |
| DL3011 | Valid UNIX ports range from 0 to 65535. |
| DL3012 | Provide an email address or URL as maintainer. |
| DL3013 | Pin versions in pip. |
| DL3014 | Use the -y switch. |
| DL3015 | Avoid additional packages by specifying --no-install-recommends. |
| DL3016 | Pin versions in npm. |
| DL3017 | Do not use apk upgrade. |
| DL3018 | Pin versions in apk add. Instead of apk add <package> use apk add <package>=<version>. |
| DL3019 | Use the --no-cache switch to avoid the need to use --update and remove /var/cache/apk/* when done installing packages. |
| DL3020 | Use COPY instead of ADD for files and folders. |
| DL3021 | COPY with more than 2 arguments requires the last argument to end with / |
| DL3022 | COPY --from should reference a previously defined FROM alias |
| DL3023 | COPY --from cannot reference its own FROM alias |
| DL3024 | FROM aliases (stage names) must be unique |
| DL3025 | Use arguments JSON notation for CMD and ENTRYPOINT arguments |
| DL3026 | Use only an allowed registry in the FROM image |
| DL4000 | MAINTAINER is deprecated. |
| DL4001 | Either use Wget or Curl but not both. |
| DL4003 | Multiple CMD instructions found. |
| DL4004 | Multiple ENTRYPOINT instructions found. |
| DL4005 | Use SHELL to change the default shell. |
| DL4006 | Set the SHELL option -o pipefail before RUN with a pipe in it |
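As an added example that is not part of the Dockerlinter code base, the Go program below applies five of the rules above (DL3002, DL3007, DL3018, DL3019, DL4006) to a constructed Dockerfile, producing findings with the same line, text, rule code and description fields as the table report, and then shows that a hardened Dockerfile produces none. The two sample Dockerfiles, the `curl` package version and all identifiers are assumptions made for this example; the parser is deliberately minimal (it joins backslash continuations and skips comments, but only recognises the plain `apk add` spelling).

```go
package main

import (
	"fmt"
	"strings"
)

// Finding mirrors the table report's columns; parse fills Line and Text, Lint adds Code and Desc.
type Finding struct {
	Line             int
	Text, Code, Desc string
}

// parse splits a Dockerfile into instructions, joining "\" continuations and skipping blank and comment lines.
func parse(src string) (out []Finding) {
	for i, lines := 0, strings.Split(src, "\n"); i < len(lines); i++ {
		text := strings.TrimSpace(lines[i])
		if text == "" || strings.HasPrefix(text, "#") {
			continue
		}
		start := i + 1 // report the physical line where the instruction begins
		for strings.HasSuffix(text, "\\") && i+1 < len(lines) {
			i++
			text = strings.TrimSpace(strings.TrimSuffix(text, "\\")) + " " + strings.TrimSpace(lines[i])
		}
		out = append(out, Finding{Line: start, Text: text})
	}
	return out
}

// Lint applies a subset of the rules listed above (DL3002, DL3007, DL3018, DL3019, DL4006).
// Only the plain "apk add" spelling is recognised; other package managers are not checked.
func Lint(src string) (fs []Finding) {
	pipefail := false           // true once SHELL ... -o pipefail ... has been seen
	lastUser, userLine := "", 0 // last USER instruction, if any
	for _, in := range parse(src) {
		kw := strings.Fields(in.Text)[0]
		name, args := strings.ToUpper(kw), strings.TrimSpace(in.Text[len(kw):])
		report := func(code, desc string) { fs = append(fs, Finding{in.Line, in.Text, code, desc}) }
		switch name {
		case "FROM":
			if f := strings.Fields(args); len(f) > 0 && strings.HasSuffix(f[0], ":latest") {
				report("DL3007", "Using latest is prone to errors if the image will ever update. Pin the version explicitly to a release tag.")
			}
		case "SHELL":
			pipefail = pipefail || strings.Contains(args, "pipefail")
		case "USER":
			lastUser, userLine = strings.SplitN(args, ":", 2)[0], in.Line
		case "RUN":
			// "||" is a shell OR, not a pipe, so drop it before looking for "|".
			if !pipefail && strings.Contains(strings.ReplaceAll(args, "||", ""), "|") {
				report("DL4006", "Set the SHELL option -o pipefail before RUN with a pipe in it")
			}
			for _, cmd := range strings.Split(args, "&&") {
				f := strings.Fields(cmd)
				if len(f) < 2 || f[0] != "apk" || f[1] != "add" {
					continue
				}
				for _, pkg := range f[2:] {
					if !strings.HasPrefix(pkg, "-") && !strings.Contains(pkg, "=") {
						report("DL3018", "Pin versions in apk add. Instead of `apk add package` use `apk add package=version`.")
						break
					}
				}
				if !strings.Contains(cmd, "--no-cache") {
					report("DL3019", "Use the `--no-cache` switch to avoid the need to use `--update` and remove `/var/cache/apk/*` when done installing packages.")
				}
			}
		}
	}
	if lastUser == "root" || lastUser == "0" {
		fs = append(fs, Finding{userLine, "USER " + lastUser, "DL3002", "Last user should not be root."})
	}
	return fs
}

// badDockerfile is a constructed sample that trips several rules.
const badDockerfile = `FROM alpine:latest
RUN apk update && \
    apk add curl
RUN wget -qO- https://example.com/install.sh | sh
USER root
`

// goodDockerfile addresses every finding above; the package version is illustrative.
const goodDockerfile = `FROM alpine:3.18
SHELL ["/bin/sh", "-o", "pipefail", "-c"]
RUN apk add --no-cache curl=8.5.0-r0
RUN adduser -D app
USER app
`

func main() {
	for _, f := range Lint(badDockerfile) {
		fmt.Printf("%d\t%s\t%s\n", f.Line, f.Code, f.Text)
	}
	fmt.Println("hardened Dockerfile findings:", len(Lint(goodDockerfile)))
}
```

Run it with `go run .`; each finding prints as line number, rule code and the joined instruction, so the `apk add` violations are reported on line 2 where the RUN begins, as in the table report. One caveat worth knowing: the DL3002 check only looks at the last USER instruction, so an image that never switches user at all is not flagged even though it runs as root; a stricter in-house policy would also report the absence of any USER line.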
Todo
- Remove temporary files
- Publish table output on terminal
- Add more linting rules