Cette page est affichée en anglais. Une traduction française est en cours.
ScriptsJul 18, 2026·3 min de lecture

Dockle — Container Image Linter for Security Best Practices

Dockle is a container image linter that checks Docker images against CIS Docker Benchmark and best-practice rules. It catches security misconfigurations, unnecessary packages, and Dockerfile anti-patterns without requiring the original Dockerfile.

Prêt pour agents

Installation agent prête

Cet actif peut être installé après choix du runtime, vérification du plan et exécution de la commande adaptée.

Native · 98/100Policy : autoriser
Surface agent
Tout agent MCP/CLI
Type
Skill
Installation
Single
Confiance
Confiance : Established
Point d'entrée
Dockle Linter
Commande d'installation directe
npx -y tokrepo@latest install de40de1f-8262-11f1-9bc6-00163e2b0d79 --target codex

À exécuter après confirmation du plan en dry-run.

Introduction

Dockle analyzes built container images (not Dockerfiles) to find security issues and best-practice violations. Unlike Dockerfile linters that only check build instructions, Dockle inspects the final image layers, filesystem, and metadata to catch problems that survive the build process, such as leftover secrets, unnecessary setuid binaries, and missing healthchecks.

What Dockle Does

  • Checks container images against CIS Docker Benchmark security rules
  • Detects credentials, tokens, and secrets accidentally baked into image layers
  • Identifies unnecessary setuid/setgid binaries that expand the attack surface
  • Verifies healthcheck, user, and content trust metadata is properly configured
  • Works with local images, remote registries, and tar archives

Architecture Overview

Dockle pulls or loads a container image, decompresses its layers, and runs a series of checkpoint-based analyzers against the image configuration and filesystem. Each checkpoint maps to a CIS benchmark rule or Docker best practice. Results are categorized by severity (FATAL, WARN, INFO, PASS) and output as text, JSON, or SARIF for integration with security dashboards.

Self-Hosting & Configuration

  • Install via Homebrew, apt, or download a single binary from GitHub releases
  • Run against any OCI-compatible image without needing the source Dockerfile
  • Use .dockleignore to suppress specific checkpoints for accepted risks
  • Set --exit-code 1 to fail CI pipelines on any finding above INFO level
  • Integrate with GitHub Actions, GitLab CI, or Jenkins as a scan step

Key Features

  • Scans built images, catching issues that Dockerfile linters miss
  • CIS Docker Benchmark alignment for compliance-ready reports
  • Secret detection in image layers (AWS keys, SSH keys, certificates)
  • Single binary with no runtime dependencies; runs in any CI environment
  • SARIF output for integration with GitHub Advanced Security and other platforms

Comparison with Similar Tools

  • Hadolint — Lints Dockerfiles (source); Dockle scans built images (output)
  • Trivy — Focuses on CVE vulnerability scanning; Dockle focuses on configuration best practices
  • Grype — Dependency vulnerability scanner; Dockle checks image structure and metadata
  • Docker Scout — Commercial image analysis; Dockle is free and open source
  • Snyk Container — SaaS-based; Dockle runs locally without accounts or API keys

FAQ

Q: Does Dockle find CVE vulnerabilities? A: No. Dockle focuses on configuration and best-practice issues. Use Trivy or Grype alongside Dockle for CVE scanning.

Q: Can it scan images without Docker installed? A: Yes. Dockle can pull from registries directly or scan .tar image archives without a Docker daemon.

Q: How do I suppress false positives? A: Create a .dockleignore file listing checkpoint IDs (e.g., CIS-DI-0001) to skip specific rules.

Q: Does it work with Podman images? A: Yes. Dockle works with any OCI-compatible container image regardless of the build tool.

Sources

Fil de discussion

Connectez-vous pour rejoindre la discussion.
Aucun commentaire pour l'instant. Soyez le premier à partager votre avis.

Actifs similaires