Container image linter that checks images against best practices and CIS Benchmarks
- Stars: 3.3k
- Forks: 163
- Open issues: 42
Apache-2.0
- Go
- Dockerfile

About Dockle
Dockle is a command-line linter for container images. It flags Dockerfile and image issues so you can build images that follow best practices and security checks, including CIS Benchmarks.
Dockle scans images by name or from an image file, outputs SARIF, and can exit non-zero when WARN or FATAL alerts appear. Checkpoints cover trusted base images, unnecessary packages, secrets baked into images, avoiding sudo, and rejecting suspicious environment variables, files, and extensions.
A single static binary handles the work, with no runtime dependencies, and it can read private Docker registries through environment variables without extra tooling. Installation options include Homebrew, Linux packages, Windows, and an asdf plugin, and it fits cleanly into CI pipelines.
Key features
- Scans images by name or from an image file
- CIS Benchmark checkpoints for image hardening
- SARIF output and configurable non-zero exit code
- Flags suspicious environment variables, files, and extensions
- Reads private Docker registries via environment variables
Details
- First released: 2019
- Latest release: v0.4.15
- Platforms: CLI · Docker
- Scan target: Container images
- Output: SARIF · JSON
- Registry access: Private registries via ENV vars
