-
Notifications
You must be signed in to change notification settings - Fork 11
/
dockerfile_rules.yaml
84 lines (82 loc) · 2.54 KB
/
dockerfile_rules.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
general:
ref_url_base: &ref_url_base https://docs.docker.com/reference/builder/
valid_instructions:
- FROM
- MAINTAINER
- RUN
- CMD
- EXPOSE
- ENV
- ADD
- COPY
- ENTRYPOINT
- VOLUME
- USER
- WORKDIR
- ONBUILD
instruction_regex: '(\w+)\s(.+$)'
ignore_regex: '#'
# TODO: implement multiline instructions
multiline_regex: '\$'
line_rules:
# RULE key must be uppercase, e.g. FROM
# label is an arbitrary label name
# level must be one of ['info', 'warn', 'error']
FROM:
- label: is_latest_tag
regex: latest
level: info
message: base image uses 'latest' tag
description: using the 'latest' tag may cause unpredictable builds. It is recommended that a specific tag is used in the FROM line.
reference_url: [*ref_url_base, "#from"]
- label: no_tag
regex: '^[:]'
level: warn
message: No tag is used
description: lorem ipsum tar
reference_url: [*ref_url_base, "#from"]
RUN:
- label: no_yum_clean_all
# FIXME: not working
regex: 'yum ((?!clean all).)* .+'
level: warn
message: yum clean all is not used
description: the yum cache will remain in this layer making the layer unnecessarily large
reference_url: None
- label: installing_ssh
regex: ssh
level: warn
message: installing SSH in a container is not recommended
description: Do you really need SSH in this image?
reference_url: https://github.com/jpetazzo/nsenter
global_counts:
- instruction: MAINTAINER
count: 1
level: info
message: Maintainer is not defined
description: The MAINTAINER line is useful for identifying the author in the form of MAINTAINER Joe Smith <joe.smith@example.com>
reference_url: [*ref_url_base, "#maintainer"]
- instruction: EXPOSE
count: 1
level: info
message: There is no 'EXPOSE' instruction
description: Without exposed ports how will the service of the container be accessed?
reference_url: [*ref_url_base, "#expose"]
- instruction: ENTRYPOINT
count: 1
level: info
message: There is no 'ENTRYPOINT' instruction
description: None
reference_url: [*ref_url_base, "#entrypoint"]
- instruction: CMD
count: 1
level: info
message: There is no 'CMD' instruction
description: None
reference_url: [*ref_url_base, "#cmd"]
- instruction: USER
count: 1
level: warn
message: No 'USER' instruction
description: The process(es) within the container may run as root and RUN instructions my be run as root
reference_url: [*ref_url_base, "#user"]