Docker>> OT-Dockerlinter>> 返回
项目作者: opstree

项目描述 :
A linter designed in golang for checking Dockerfile best practices.
高级语言: Go
项目地址: git://github.com/opstree/OT-Dockerlinter.git
创建时间: 2020-11-12T16:38:16Z
项目社区:https://github.com/opstree/OT-Dockerlinter
开源协议:Apache License 2.0
下载




GitHub Super-Linter
made-with-Go
GitHub go.mod Go version (subdirectory of monorepo)
Go Report Card
Apache License
GitHub release (latest by date)

OT-Dockerlinter helps you in writing a Dockerfile with best practices. This tools can be integrated with your container native CI pipeline for Dockerfile’s static code analysis and reporting.

Supported Features

  • Dockefile linting and reporting in different formats like table, json
  • Integration with Jenkins(In Development Mode)
  • Cross platform support is available
  • Dockerfile best practices and recommendation

Quickstart

A quickstart guide for installing, using and managing OT-Dockerlinter.

Installation

OT-Dockerlinter installation packages can be found inside Releases

Supported Platforms:-

  • Linux and Windows Platform with supported architecture types:-
    • Amd 64
    • Arm 64
    • Amd 32
    • Arm 32

For installation on debian and redhat based system, .deb and .rpm packages can be used.

For installing on MacOS system, use brew:-

  1. brew install ot-docker-linter

Available Options

There are help page available for ot-dockerlinter which can be called by help or --help command.

  1. $ ot-docker-linter help
  2. A tool for checking Dockerfile best practices.
  4. Usage:
  5.   ot-docker-linter [flags]
  6.   ot-docker-linter [command]
  8. Available Commands:
  9.   audit       Runs ot-docker-linter audit
  10.   help        Help about any command
  11.   version     Prints the current version.
  13. Flags:
  14.   -h, --help                help for ot-docker-linter
  15.       --log.format string   ot-docker-linter log format. (default "text")
  16.       --log.level string    ot-docker-linter logging level. (default "info")
  18. Use "ot-docker-linter [command] --help" for more information about a command.

Using Linter

Simply specify the path of Dockerfile

  1. $ ot-docker-linter audit --docker.file testing/Dockerfile.testing

Output

shell +-------------+------------------------------+-------------+--------------------------------+----------+----------------------------+ | LINE NUMBER | LINE | CODE | DESCRIPTION | SEVERITY | FILENAME | +-------------+------------------------------+-------------+--------------------------------+----------+----------------------------+ | 3 | WORKDIR spsp/ | DL3000 | Use absolute WORKDIR. | Error | testing/Dockerfile.testing | +-------------+------------------------------+-------------+--------------------------------+----------+----------------------------+ | 5 | RUN sudo apt-get update && \ | DL3001 | For some bash commands it | Info | testing/Dockerfile.testing | | | | | makes no sense running them | | | | | | | in a Docker container like | | | | | | | `free`, `ifconfig`, `kill`, | | | | | | | `mount`, `ps`, `service`, | | | | | | | `shutdown`, `ssh`, `top`, | | | | | | | `vim`. | | | +-------------+------------------------------+-------------+--------------------------------+----------+----------------------------+ | 8 | USER root | DL3002 | Last USER should not be root. | Warning | testing/Dockerfile.testing | +-------------+------------------------------+-------------+--------------------------------+----------+----------------------------+ | 5 | RUN sudo apt-get update && \ | DL3004 | Do not use sudo as it leads | Error | testing/Dockerfile.testing | | | | | to unpredictable behavior. Use | | | | | | | a tool like gosu to enforce | | | | | | | root. | | | +-------------+------------------------------+-------------+--------------------------------+----------+----------------------------+ | 1 | FROM ubuntu:latest | DL3007 | Using latest is prone to | Warning | testing/Dockerfile.testing | | | | | errors if the image will | | | | | | | ever update. Pin the version | | | | | | | explicitly to a release tag. | | | +-------------+------------------------------+-------------+--------------------------------+----------+----------------------------+ | 5 | RUN sudo apt-get update && \ | DL3008 | Pin versions in apt | Warning | testing/Dockerfile.testing | | | | | get install. Instead of | | | | | | | `apt-get install <package>` | | | | | | | use `apt-get install | | | | | | | <package>=<version>`. | | | +-------------+------------------------------+-------------+--------------------------------+----------+----------------------------+ | 5 | RUN sudo apt-get update && \ | DL3009 | Delete the apt-get lists after | Info | testing/Dockerfile.testing | | | | | installing something. | | | +-------------+------------------------------+-------------+--------------------------------+----------+----------------------------+ | 5 | RUN sudo apt-get update && \ | DL3014 | Use the `-y` switch to avoid | Warning | testing/Dockerfile.testing | | | | | manual input `apt-get -y | | | | | | | install <package>`. | | | +-------------+------------------------------+-------------+--------------------------------+----------+----------------------------+ | 5 | RUN sudo apt-get update && \ | DL3015 | Avoid additional | Info | testing/Dockerfile.testing | | | | | packages by specifying | | | | | | | `--no-install-recommends`. | | | +-------------+------------------------------+-------------+--------------------------------+----------+----------------------------+

To generate results in JSON format

  1. $ ot-docker-linter audit --docker.file testing/Dockerfile.testing -o json

JSON Output

json [ { "line_number": 3, "line": "WORKDIR spsp/", "code": "DL3000", "description": "Use absolute WORKDIR.", "message": "", "severity": "Error", "file": "testing/Dockerfile.testing" }, { "line_number": 5, "line": "RUN sudo apt-get update && \\", "code": "DL3001", "description": "For some bash commands it makes no sense running them in a Docker container like `free`, `ifconfig`, `kill`, `mount`, `ps`, `service`, `shutdown`, `ssh`, `top`, `vim`.", "message": "", "severity": "Info", "file": "testing/Dockerfile.testing" }, { "line_number": 8, "line": "USER root", "code": "DL3002", "description": "Last USER should not be root.", "message": "", "severity": "Warning", "file": "testing/Dockerfile.testing" }, { "line_number": 5, "line": "RUN sudo apt-get update && \\", "code": "DL3004", "description": "Do not use sudo as it leads to unpredictable behavior. Use a tool like gosu to enforce root.", "message": "", "severity": "Error", "file": "testing/Dockerfile.testing" }, { "line_number": 1, "line": "FROM ubuntu:latest", "code": "DL3007", "description": "Using latest is prone to errors if the image will ever update. Pin the version explicitly to a release tag.", "message": "", "severity": "Warning", "file": "testing/Dockerfile.testing" }, { "line_number": 5, "line": "RUN sudo apt-get update && \\", "code": "DL3008", "description": "Pin versions in apt get install. Instead of `apt-get install <package>` use `apt-get install <package>=<version>`.", "message": "", "severity": "Warning", "file": "testing/Dockerfile.testing" }, { "line_number": 5, "line": "RUN sudo apt-get update && \\", "code": "DL3009", "description": "Delete the apt-get lists after installing something.", "message": "", "severity": "Info", "file": "testing/Dockerfile.testing" }, { "line_number": 5, "line": "RUN sudo apt-get update && \\", "code": "DL3014", "description": "Use the `-y` switch to avoid manual input `apt-get -y install <package>`.", "message": "", "severity": "Warning", "file": "testing/Dockerfile.testing" }, { "line_number": 5, "line": "RUN sudo apt-get update && \\", "code": "DL3015", "description": "Avoid additional packages by specifying `--no-install-recommends`.", "message": "", "severity": "Info", "file": "testing/Dockerfile.testing" } ]

For whitelisting trusted registry, use env variables:-

  1. export TRUSTED_REGISTRY=registry.opstree.com

Roadmap

  • [X] Add project badges in README
  • [X] Fixed all linters warnings
  • [X] Add CI workflow for linter
  • Add JSON support in Jenkins warnings-ng plugin
  • [X] Add more rules in checklist
  • Add ignore flag
  • [X] Make JSON output pretty
  • Create a Jenkins shared library function to call it inside the Jenkinsfile

Contact

If you have any suggestion or query. Contact us at

opensource@opstree.com