Scripts2026年7月18日·1 分钟阅读

Dockle — Container Image Linter for Security Best Practices

Dockle is a container image linter that checks Docker images against CIS Docker Benchmark and best-practice rules. It catches security misconfigurations, unnecessary packages, and Dockerfile anti-patterns without requiring the original Dockerfile.

Agent 就绪

Agent 可直接安装

这个资产可安装;Agent 先选择当前运行时、检查安装计划,再运行匹配命令。

Native · 98/100策略:允许
Agent 入口
任意 MCP/CLI Agent
类型
Skill
安装
Single
信任
信任等级:Established
入口
Dockle Linter
直接安装命令
npx -y tokrepo@latest install de40de1f-8262-11f1-9bc6-00163e2b0d79 --target codex

先 dry-run 确认安装计划,再运行此命令。

Introduction

Dockle analyzes built container images (not Dockerfiles) to find security issues and best-practice violations. Unlike Dockerfile linters that only check build instructions, Dockle inspects the final image layers, filesystem, and metadata to catch problems that survive the build process, such as leftover secrets, unnecessary setuid binaries, and missing healthchecks.

What Dockle Does

  • Checks container images against CIS Docker Benchmark security rules
  • Detects credentials, tokens, and secrets accidentally baked into image layers
  • Identifies unnecessary setuid/setgid binaries that expand the attack surface
  • Verifies healthcheck, user, and content trust metadata is properly configured
  • Works with local images, remote registries, and tar archives

Architecture Overview

Dockle pulls or loads a container image, decompresses its layers, and runs a series of checkpoint-based analyzers against the image configuration and filesystem. Each checkpoint maps to a CIS benchmark rule or Docker best practice. Results are categorized by severity (FATAL, WARN, INFO, PASS) and output as text, JSON, or SARIF for integration with security dashboards.

Self-Hosting & Configuration

  • Install via Homebrew, apt, or download a single binary from GitHub releases
  • Run against any OCI-compatible image without needing the source Dockerfile
  • Use .dockleignore to suppress specific checkpoints for accepted risks
  • Set --exit-code 1 to fail CI pipelines on any finding above INFO level
  • Integrate with GitHub Actions, GitLab CI, or Jenkins as a scan step

Key Features

  • Scans built images, catching issues that Dockerfile linters miss
  • CIS Docker Benchmark alignment for compliance-ready reports
  • Secret detection in image layers (AWS keys, SSH keys, certificates)
  • Single binary with no runtime dependencies; runs in any CI environment
  • SARIF output for integration with GitHub Advanced Security and other platforms

Comparison with Similar Tools

  • Hadolint — Lints Dockerfiles (source); Dockle scans built images (output)
  • Trivy — Focuses on CVE vulnerability scanning; Dockle focuses on configuration best practices
  • Grype — Dependency vulnerability scanner; Dockle checks image structure and metadata
  • Docker Scout — Commercial image analysis; Dockle is free and open source
  • Snyk Container — SaaS-based; Dockle runs locally without accounts or API keys

FAQ

Q: Does Dockle find CVE vulnerabilities? A: No. Dockle focuses on configuration and best-practice issues. Use Trivy or Grype alongside Dockle for CVE scanning.

Q: Can it scan images without Docker installed? A: Yes. Dockle can pull from registries directly or scan .tar image archives without a Docker daemon.

Q: How do I suppress false positives? A: Create a .dockleignore file listing checkpoint IDs (e.g., CIS-DI-0001) to skip specific rules.

Q: Does it work with Podman images? A: Yes. Dockle works with any OCI-compatible container image regardless of the build tool.

Sources

讨论

登录后参与讨论。
还没有评论,来写第一条吧。

相关资产