OT-Dockerlinter

A linter written in Go for checking Dockerfile best practices.


OT-Dockerlinter helps you write a Dockerfile that follows best practices. The tool can be integrated into a container-native CI pipeline to perform static analysis of Dockerfiles and report the findings.

Supported Features

  • Dockerfile linting and reporting in different formats, such as table and JSON
  • Integration with Jenkins (in development)
  • Cross-platform support
  • Dockerfile best practices and recommendations

Quickstart

A quickstart guide for installing, using and managing OT-Dockerlinter.

Installation

OT-Dockerlinter installation packages can be found under Releases.

Supported platforms:

  • Linux and Windows on the following architectures:
    • amd64 (64-bit x86)
    • arm64 (64-bit ARM)
    • 32-bit x86
    • 32-bit ARM

For installation on Debian- and Red Hat-based systems, the .deb and .rpm packages can be used.

For installation on macOS, use Homebrew:

brew install ot-docker-linter

Available Options

A help page is available for ot-docker-linter; it can be shown with the help command or the --help flag.

$ ot-docker-linter help
A tool for checking Dockerfile best practices.

Usage:
  ot-docker-linter [flags]
  ot-docker-linter [command]

Available Commands:
  audit       Runs ot-docker-linter audit
  help        Help about any command
  version     Prints the current version.

Flags:
  -h, --help                help for ot-docker-linter
      --log.format string   ot-docker-linter log format. (default "text")
      --log.level string    ot-docker-linter logging level. (default "info")

Use "ot-docker-linter [command] --help" for more information about a command.

Using Linter

Simply specify the path of the Dockerfile:

$ ot-docker-linter audit --docker.file testing/Dockerfile.testing
Output
+-------------+------------------------------+-------------+--------------------------------+----------+----------------------------+
| LINE NUMBER |             LINE             |    CODE     |          DESCRIPTION           | SEVERITY |          FILENAME          |
+-------------+------------------------------+-------------+--------------------------------+----------+----------------------------+
| 3           | WORKDIR spsp/                | DL3000      | Use absolute WORKDIR.          | Error    | testing/Dockerfile.testing |
+-------------+------------------------------+-------------+--------------------------------+----------+----------------------------+
| 5           | RUN sudo apt-get update && \ | DL3001      | For some bash commands it      | Info     | testing/Dockerfile.testing |
|             |                              |             | makes no sense running them    |          |                            |
|             |                              |             | in a Docker container like     |          |                            |
|             |                              |             | `free`, `ifconfig`, `kill`,    |          |                            |
|             |                              |             | `mount`, `ps`, `service`,      |          |                            |
|             |                              |             | `shutdown`, `ssh`, `top`,      |          |                            |
|             |                              |             | `vim`.                         |          |                            |
+-------------+------------------------------+-------------+--------------------------------+----------+----------------------------+
| 8           | USER root                    | DL3002      | Last USER should not be root.  | Warning  | testing/Dockerfile.testing |
+-------------+------------------------------+-------------+--------------------------------+----------+----------------------------+
| 5           | RUN sudo apt-get update && \ | DL3004      | Do not use sudo as it leads    | Error    | testing/Dockerfile.testing |
|             |                              |             | to unpredictable behavior. Use |          |                            |
|             |                              |             | a tool like gosu to enforce    |          |                            |
|             |                              |             | root.                          |          |                            |
+-------------+------------------------------+-------------+--------------------------------+----------+----------------------------+
| 1           | FROM ubuntu:latest           | DL3007      | Using latest is prone to       | Warning  | testing/Dockerfile.testing |
|             |                              |             | errors if the image will       |          |                            |
|             |                              |             | ever update. Pin the version   |          |                            |
|             |                              |             | explicitly to a release tag.   |          |                            |
+-------------+------------------------------+-------------+--------------------------------+----------+----------------------------+
| 5           | RUN sudo apt-get update && \ | DL3008      | Pin versions in apt            | Warning  | testing/Dockerfile.testing |
|             |                              |             | get install. Instead of        |          |                            |
|             |                              |             | `apt-get install <package>`    |          |                            |
|             |                              |             | use `apt-get install           |          |                            |
|             |                              |             | <package>=<version>`.          |          |                            |
+-------------+------------------------------+-------------+--------------------------------+----------+----------------------------+
| 5           | RUN sudo apt-get update && \ | DL3009      | Delete the apt-get lists after | Info     | testing/Dockerfile.testing |
|             |                              |             | installing something.          |          |                            |
+-------------+------------------------------+-------------+--------------------------------+----------+----------------------------+
| 5           | RUN sudo apt-get update && \ | DL3014      | Use the `-y` switch to avoid   | Warning  | testing/Dockerfile.testing |
|             |                              |             | manual input `apt-get -y       |          |                            |
|             |                              |             | install <package>`.            |          |                            |
+-------------+------------------------------+-------------+--------------------------------+----------+----------------------------+
| 5           | RUN sudo apt-get update && \ | DL3015      | Avoid additional               | Info     | testing/Dockerfile.testing |
|             |                              |             | packages by specifying         |          |                            |
|             |                              |             | `--no-install-recommends`.     |          |                            |
+-------------+------------------------------+-------------+--------------------------------+----------+----------------------------+
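The table above shows what the linter reports, but not how such checks are evaluated or what a Dockerfile that passes them looks like. The following is an added example, not OT-Dockerlinter's own code: a small Python re-implementation of eight of the rules from the table (the codes, severities and descriptions are copied from the output above; the matching logic is a simplified guess at the real checks, not the project's implementation), run over a constructed Dockerfile that trips the same rules and over a remediated version of it that trips none. Both Dockerfiles, the package version string and the filename are constructed for the example.

```python
"""Simplified re-implementation of some OT-Dockerlinter checks (added example).

This is not the project's code: rule codes, severities and descriptions are
copied from the README's output, the matching logic is an approximation.
"""
import re
from typing import Dict, List, Tuple

# Constructed input: trips the same rules as the README's test Dockerfile.
BAD_DOCKERFILE = """\
FROM ubuntu:latest
WORKDIR app/
RUN sudo apt-get update && \\
    apt-get install curl
USER root
"""

# Constructed remediation: pinned tag, absolute WORKDIR, no sudo, -y,
# --no-install-recommends, pinned package (version string is made up),
# apt lists removed in the same layer, non-root final USER.
GOOD_DOCKERFILE = """\
FROM ubuntu:22.04
WORKDIR /app
RUN apt-get update && \\
    apt-get install -y --no-install-recommends curl=7.81.0-1 && \\
    rm -rf /var/lib/apt/lists/*
USER nobody
"""

# code -> (severity, description), as printed by the linter above
RULES = {
    "DL3000": ("Error", "Use absolute WORKDIR."),
    "DL3002": ("Warning", "Last USER should not be root."),
    "DL3004": ("Error", "Do not use sudo as it leads to unpredictable behavior. "
                        "Use a tool like gosu to enforce root."),
    "DL3007": ("Warning", "Using latest is prone to errors if the image will ever "
                          "update. Pin the version explicitly to a release tag."),
    "DL3008": ("Warning", "Pin versions in apt get install. Instead of `apt-get install "
                          "<package>` use `apt-get install <package>=<version>`."),
    "DL3009": ("Info", "Delete the apt-get lists after installing something."),
    "DL3014": ("Warning", "Use the `-y` switch to avoid manual input "
                          "`apt-get -y install <package>`."),
    "DL3015": ("Info", "Avoid additional packages by specifying `--no-install-recommends`."),
}


def parse(text: str) -> List[Dict]:
    """Group physical lines into logical instructions, joining `\\` continuations.
    Each instruction keeps the number and text of its first physical line, which
    is what the linter's table reports."""
    instructions, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        first, start, parts = lines[i], i + 1, []
        while True:
            stripped = lines[i].rstrip()
            cont = stripped.endswith("\\")
            parts.append(stripped[:-1] if cont else stripped)
            i += 1
            if not cont or i >= len(lines):
                break
        logical = " ".join(p.strip() for p in parts).strip()
        if not logical or logical.startswith("#"):
            continue  # blank line or comment
        keyword, _, args = logical.partition(" ")
        instructions.append({"line_number": start, "line": first.rstrip(),
                             "keyword": keyword.upper(), "args": args.strip()})
    return instructions


def apt_install_segments(cmd: str) -> List[Tuple[List[str], List[str]]]:
    """For every `apt-get install` in a RUN command, return (flags, packages)."""
    segments = []
    for part in re.split(r"&&|\|\||;", cmd):
        tokens = part.split()
        if "apt-get" not in tokens:
            continue
        after = tokens[tokens.index("apt-get") + 1:]
        if "install" not in after:
            continue
        flags = [t for t in after if t.startswith("-")]
        packages = [t for t in after[after.index("install") + 1:] if not t.startswith("-")]
        segments.append((flags, packages))
    return segments


def assumes_yes(flags: List[str]) -> bool:
    """True if -y (possibly bundled, e.g. -qy), --yes or --assume-yes is present."""
    return any(f in ("--yes", "--assume-yes") or re.fullmatch(r"-[A-Za-z]*y[A-Za-z]*", f)
               for f in flags)


def lint(text: str, filename: str = "Dockerfile") -> List[Dict]:
    """Return findings in the same field layout as the linter's JSON output."""
    findings = []

    def report(code: str, inst: Dict) -> None:
        severity, description = RULES[code]
        findings.append({"line_number": inst["line_number"], "line": inst["line"],
                         "code": code, "description": description, "message": "",
                         "severity": severity, "file": filename})

    last_user = None
    for inst in parse(text):
        kw, args = inst["keyword"], inst["args"]
        if kw == "FROM":
            image = next(t for t in args.split() if not t.startswith("--"))  # skip --platform
            if image.endswith(":latest"):
                report("DL3007", inst)
        elif kw == "WORKDIR":
            if not (args.startswith("/") or args.startswith("$")):
                report("DL3000", inst)
        elif kw == "USER":
            last_user = inst  # only the final USER matters for DL3002
        elif kw == "RUN":
            if re.search(r"\bsudo\b", args):
                report("DL3004", inst)
            segments = apt_install_segments(args)
            if segments:
                flags = [f for fl, _ in segments for f in fl]
                packages = [p for _, pk in segments for p in pk]
                if any("=" not in p for p in packages):
                    report("DL3008", inst)
                if not assumes_yes(flags):
                    report("DL3014", inst)
                if "--no-install-recommends" not in flags:
                    report("DL3015", inst)
                if "/var/lib/apt/lists" not in args:  # cleanup must be in the same layer
                    report("DL3009", inst)
    if last_user and last_user["args"].split(":")[0] in ("root", "0"):
        report("DL3002", last_user)
    return sorted(findings, key=lambda f: f["code"])


if __name__ == "__main__":
    for f in lint(BAD_DOCKERFILE, "testing/Dockerfile.bad"):
        print(f'{f["line_number"]:>3} {f["code"]} {f["severity"]:<8} {f["line"]}')
    print("remediated Dockerfile findings:", lint(GOOD_DOCKERFILE))
```

The remediated Dockerfile is the interesting half: every change in it corresponds to one row of the table, and the final USER line is the security-relevant one, since DL3002 is only a Warning in the linter but a root last-user is what actually matters at runtime.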

To generate results in JSON format:

$ ot-docker-linter audit --docker.file testing/Dockerfile.testing -o json
JSON Output
[
  {
    "line_number": 3,
    "line": "WORKDIR spsp/",
    "code": "DL3000",
    "description": "Use absolute WORKDIR.",
    "message": "",
    "severity": "Error",
    "file": "testing/Dockerfile.testing"
  }, 
  {
    "line_number": 5,
    "line": "RUN sudo apt-get update && \\",
    "code": "DL3001",
    "description": "For some bash commands it makes no sense running them in a Docker container like `free`, `ifconfig`, `kill`, `mount`, `ps`, `service`, `shutdown`, `ssh`, `top`, `vim`.",
    "message": "",
    "severity": "Info",
    "file": "testing/Dockerfile.testing"
  }, 
  {
    "line_number": 8,
    "line": "USER root",
    "code": "DL3002",
    "description": "Last USER should not be root.",
    "message": "",
    "severity": "Warning",
    "file": "testing/Dockerfile.testing"
  }, 
  {
    "line_number": 5,
    "line": "RUN sudo apt-get update && \\",
    "code": "DL3004",
    "description": "Do not use sudo as it leads to unpredictable behavior. Use a tool like gosu to enforce root.",
    "message": "",
    "severity": "Error",
    "file": "testing/Dockerfile.testing"
  }, 
  {
    "line_number": 1,
    "line": "FROM ubuntu:latest",
    "code": "DL3007",
    "description": "Using latest is prone to errors if the image will ever update. Pin the version explicitly to a release tag.",
    "message": "",
    "severity": "Warning",
    "file": "testing/Dockerfile.testing"
  }, 
  {
    "line_number": 5,
    "line": "RUN sudo apt-get update && \\",
    "code": "DL3008",
    "description": "Pin versions in apt get install. Instead of `apt-get install <package>` use `apt-get install <package>=<version>`.",
    "message": "",
    "severity": "Warning",
    "file": "testing/Dockerfile.testing"
  }, 
  {
    "line_number": 5,
    "line": "RUN sudo apt-get update && \\",
    "code": "DL3009",
    "description": "Delete the apt-get lists after installing something.",
    "message": "",
    "severity": "Info",
    "file": "testing/Dockerfile.testing"
  }, 
  {
    "line_number": 5,
    "line": "RUN sudo apt-get update && \\",
    "code": "DL3014",
    "description": "Use the `-y` switch to avoid manual input `apt-get -y install <package>`.",
    "message": "",
    "severity": "Warning",
    "file": "testing/Dockerfile.testing"
  }, 
  {
    "line_number": 5,
    "line": "RUN sudo apt-get update && \\",
    "code": "DL3015",
    "description": "Avoid additional packages by specifying `--no-install-recommends`.",
    "message": "",
    "severity": "Info",
    "file": "testing/Dockerfile.testing"
  }
]
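The JSON output is what makes the CI integration mentioned at the top practical: a pipeline step can parse it and decide whether the build passes. The following gate script is an added example, not part of OT-Dockerlinter. It assumes only the JSON field layout shown above; the policy it applies (fail on Error severity, optionally ignore rule codes, optionally promote selected codes to blocking) is the example's own and stands in for the ignore flag that the roadmap lists as not yet available. The embedded sample is a constructed, trimmed copy of the output above.

```python
"""CI gate over OT-Dockerlinter JSON output (added example, not project code).

Usage (assumes the JSON array is all that reaches stdout):
    ot-docker-linter audit --docker.file Dockerfile -o json | python lint_gate.py - DL3015
"""
import json
import sys
from collections import Counter
from typing import Dict, List, Set, Tuple

# Constructed sample: a trimmed copy of the JSON output shown in the README.
SAMPLE_JSON = r"""[
  {"line_number": 3, "line": "WORKDIR spsp/", "code": "DL3000",
   "description": "Use absolute WORKDIR.", "message": "", "severity": "Error",
   "file": "testing/Dockerfile.testing"},
  {"line_number": 8, "line": "USER root", "code": "DL3002",
   "description": "Last USER should not be root.", "message": "", "severity": "Warning",
   "file": "testing/Dockerfile.testing"},
  {"line_number": 5, "line": "RUN sudo apt-get update && \\", "code": "DL3004",
   "description": "Do not use sudo as it leads to unpredictable behavior. Use a tool like gosu to enforce root.",
   "message": "", "severity": "Error", "file": "testing/Dockerfile.testing"},
  {"line_number": 1, "line": "FROM ubuntu:latest", "code": "DL3007",
   "description": "Using latest is prone to errors if the image will ever update. Pin the version explicitly to a release tag.",
   "message": "", "severity": "Warning", "file": "testing/Dockerfile.testing"}
]"""

REQUIRED = {"line_number", "line", "code", "description", "severity", "file"}


def load_findings(text: str) -> List[Dict]:
    """Parse the linter's JSON array and reject anything not shaped like it."""
    data = json.loads(text)
    if not isinstance(data, list):
        raise ValueError("expected a JSON array of findings")
    for f in data:
        missing = REQUIRED - set(f)
        if missing:
            raise ValueError(f"finding missing fields: {sorted(missing)}")
    return data


def evaluate(findings: List[Dict], fail_on: Set[str] = frozenset({"Error"}),
             ignore: Set[str] = frozenset(), promote: Set[str] = frozenset()
             ) -> Tuple[bool, List[Dict], Counter]:
    """Apply the gate policy.

    ignore:  rule codes dropped entirely (stand-in for a per-rule ignore flag).
    promote: rule codes that block regardless of the linter's severity, e.g.
             DL3002 (last USER is root), which the linter only rates Warning.
    Returns (ok, blocking findings, severity counts of the kept findings).
    """
    kept = [f for f in findings if f["code"] not in ignore]
    blocking = [f for f in kept if f["severity"] in fail_on or f["code"] in promote]
    return (not blocking, blocking, Counter(f["severity"] for f in kept))


def main(argv: List[str]) -> int:
    path = argv[1] if len(argv) > 1 else "-"
    text = sys.stdin.read() if path == "-" else open(path, encoding="utf-8").read()
    ok, blocking, counts = evaluate(load_findings(text), ignore=set(argv[2:]),
                                    promote={"DL3002"})
    for f in blocking:
        print(f'{f["file"]}:{f["line_number"]}: {f["code"]} {f["severity"]}: {f["description"]}')
    print("summary:", dict(counts), "-", "PASS" if ok else "FAIL")
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Promoting DL3002 to blocking is the one deliberate deviation from the linter's own severities: an image whose last USER is root runs its workload as uid 0 by default, which is usually the finding a security reviewer cares about most, so the gate treats it as an error rather than a warning.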

To whitelist a trusted registry, set the TRUSTED_REGISTRY environment variable:

export TRUSTED_REGISTRY=registry.opstree.com

Roadmap

  • Add project badges in README
  • Fix all linter warnings
  • Add CI workflow for linter
  • Add JSON support for the Jenkins warnings-ng plugin
  • Add more rules in checklist
  • Add ignore flag
  • Make JSON output pretty
  • Create a Jenkins shared library function to call it inside the Jenkinsfile

Contact

If you have any suggestions or queries, contact us at

opensource@opstree.com