---
# Profile metadata. This file is the default rule set of the linter.
profile:
  name: 'Default'
  description: 'Default Profile. Checks basic syntax.'
  # No other profile is pulled in on top of this one.
  includes: null
# Settings shared by all checks in this profile.
general:
  # Presumably the prefix that reference_url fragments are resolved against —
  # confirm against the consumer.
  ref_url_base: 'https://docs.docker.com/engine/reference/builder/'
  # Instruction keywords the linter recognises. MAINTAINER is kept here even
  # though a rule under line_rules flags it as deprecated.
  valid_instructions:
    - FROM
    - MAINTAINER
    - RUN
    - CMD
    - LABEL
    - EXPOSE
    - ENV
    - ADD
    - COPY
    - ENTRYPOINT
    - VOLUME
    - USER
    - WORKDIR
    - ONBUILD
    - ARG
    - STOPSIGNAL
    - HEALTHCHECK
    - SHELL
  # Lines beginning with '#' (comment lines) are skipped.
  ignore_regex: '/^#/'
  # A line ending in a single backslash continues on the next line.
  # Single quotes keep the backslashes literal: the value is /\\$/.
  multiline_regex: '/\\$/'
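# Per-instruction checks. Each instruction carries a paramSyntaxRegex that the
# instruction's argument must satisfy and a list of rules matched against the
# argument text. Regexes are written in /pattern/flags form inside YAML double
# quotes, so every regex backslash is doubled in this file.
#
# Fixes relative to the previous revision:
#   - no_gem_clean_all: the lookahead contained "\\rvm", which the regex engine
#     reads as a carriage return followed by "vm"; it now reads "rvm".
#   - no_ampersand_usage: the reference_url fragment carried its own '#' while
#     the base already ends in '#', producing "##" when joined; the fragment
#     now follows the convention of its sibling entries.
#   - ADD: was the only instruction without a rules list; rules: [] added.
line_rules:
  ARG:
    paramSyntaxRegex: /.+/
    rules: []
  FROM:
    # image[:tag][-variant]; ${VAR} is permitted inside tag and variant.
    paramSyntaxRegex: "/^[\\w./\\-:]+(:[${}\\w.]+)?(-[${}\\w.]+)?$/"
    rules:
      - label: is_latest_tag
        regex: /latest/
        level: info
        message: "base image uses 'latest' tag"
        description: "using the 'latest' tag may cause unpredictable builds. It is recommended that a specific tag is used in the FROM line or *-released which is the latest supported release."
        reference_url:
          - "https://docs.docker.com/engine/reference/builder/"
          - "#from"
      - label: no_tag
        # NOTE(review): this pattern matches an argument that *starts* with
        # ':', which is not the same as "no tag given" — confirm the intended
        # semantics with the consumer before relying on this rule.
        regex: "/^[:]/"
        level: info
        message: No tag is used
        # TODO: placeholder text; replace with a real description.
        description: lorem ipsum tar
        reference_url:
          - "https://docs.docker.com/engine/reference/builder/"
          - "#from"
  HEALTHCHECK:
    paramSyntaxRegex: /.+/
    rules: []
  MAINTAINER:
    paramSyntaxRegex: /.+/
    rules:
      # Any MAINTAINER argument triggers this rule.
      - label: maintainer_deprecated
        regex: /.+/
        level: info
        message: the MAINTAINER command is deprecated
        description: MAINTAINER is deprecated in favor of using LABEL since Docker v1.13.0
        reference_url:
          - "https://github.com/docker/cli/blob/master/docs/deprecated.md"
          - "#maintainer-in-dockerfile"
  RUN:
    paramSyntaxRegex: /.+/
    rules:
      # NOTE(review): the message says sudo is "Not Allowed" but the level is
      # only info; raise to warn if the message reflects policy.
      - label: sudo_use
        regex: /sudo/
        level: info
        message: "Use Of sudo Is Not Allowed"
        description: "You should avoid installing or using `sudo` since it has unpredictable TTY and signal-forwarding behavior that can cause more problems than it solves."
        reference_url:
          - "https://docs.docker.com/engine/userguide/eng-image/dockerfile_best-practices/"
      # Package-manager cache rules: each fires when the manager is invoked
      # without the matching cleanup later in the same RUN argument.
      - label: no_yum_clean_all
        regex: "/yum(?!.+clean all|.+\\.repo|-config|\\.conf)/"
        level: warn
        message: yum clean all is not used
        description: the yum cache will remain in this layer making the layer unnecessarily large
        reference_url:
          - "http://docs.projectatomic.io/container-best-practices/#"
          - _clear_packaging_caches_and_temporary_package_downloads
      - label: yum_update_all
        regex: "/yum(.+update all|.+upgrade|.+update)/"
        level: info
        message: updating the entire base image may add unnecessary size to the container
        description: update the entire base image may add unnecessary size to the container
        reference_url:
          - "http://docs.projectatomic.io/container-best-practices/#"
          - _clear_packaging_caches_and_temporary_package_downloads
      - label: no_dnf_clean_all
        regex: "/dnf(?!.+clean all|.+\\.repo)/g"
        level: warn
        message: dnf clean all is not used
        description: the dnf cache will remain in this layer making the layer unnecessarily large
        reference_url:
          - "http://docs.projectatomic.io/container-best-practices/#"
          - _clear_packaging_caches_and_temporary_package_downloads
      - label: no_rvm_cleanup_all
        regex: "/rvm install(?!.+cleanup all)/g"
        level: warn
        message: rvm cleanup is not used
        description: the rvm cache will remain in this layer making the layer unnecessarily large
        reference_url:
          - "http://docs.projectatomic.io/container-best-practices/#"
          - _clear_packaging_caches_and_temporary_package_downloads
      - label: no_gem_clean_all
        # Was "...|.+\\rvm cleanup all": the leading backslash made the
        # alternative unmatchable on real input.
        regex: "/gem install(?!.+cleanup|.+rvm cleanup all)/g"
        level: warn
        message: gem cleanup all is not used
        description: the gem cache will remain in this layer making the layer unnecessarily large
        reference_url:
          - "http://docs.projectatomic.io/container-best-practices/#"
          - _clear_packaging_caches_and_temporary_package_downloads
      - label: no_apt-get_clean
        regex: "/apt-get install(?!.+clean)/g"
        level: info
        message: apt-get clean is not used
        description: the apt-get cache will remain in this layer making the layer unnecessarily large
        reference_url:
          - "http://docs.projectatomic.io/container-best-practices/#"
          - _clear_packaging_caches_and_temporary_package_downloads
      # Plain substring match: any occurrence of "privileged" in the RUN
      # argument fires this, not only a --privileged flag.
      - label: privileged_run_container
        regex: /privileged/
        level: warn
        message: a privileged run container is allowed access to host devices
        description: Does this run need to be privileged?
        reference_url:
          - "http://docs.docker.com/engine/reference/run/#"
          - runtime-privilege-and-linux-capabilities
      # Only the package name "openssh-server" is detected. reference_url is
      # a single string here while every other rule uses a list; left as-is
      # since the consumer's handling of the scalar form is not visible here.
      - label: installing_ssh
        regex: /openssh-server/
        level: warn
        message: installing SSH in a container is not recommended
        description: Do you really need SSH in this image?
        reference_url: "https://github.com/jpetazzo/nsenter"
      # Matches a semicolon with a space on both sides only.
      - label: no_ampersand_usage
        regex: / ; /
        level: info
        message: "using ; instead of &&"
        description: "RUN do_1 && do_2: The ampersands change the resulting evaluation into do_1 and then do_2 only if do_1 was successful."
        reference_url:
          - "http://docs.projectatomic.io/container-best-practices/#"
          - _using_semi_colons_vs_double_ampersands
  SHELL:
    paramSyntaxRegex: /.+/
    rules: []
  CMD:
    paramSyntaxRegex: /.+/
    rules: []
  LABEL:
    paramSyntaxRegex: /.+/
    rules: []
    # Named labels with a value pattern each; only Name is required.
    defined_namevals:
      Name:
        valueRegex: "/[\\w]+/"
        message: "Label 'Name' is missing or has invalid format"
        level: warn
        required: true
        reference_url:
          - "http://docs.projectatomic.io/container-best-practices/#"
          - _recommended_labels_for_your_project
      Version:
        valueRegex: "/[\\w.${}()\"'\\\\\\/~<>\\-?\\%:]+/"
        message: "Label 'Version' is missing or has invalid format"
        level: warn
        required: false
        reference_url:
          - "http://docs.projectatomic.io/container-best-practices/#"
          - _recommended_labels_for_your_project
      Release:
        valueRegex: "/[\\w.${}()\"'\\\\\\/~<>\\-?\\%:]+/"
        message: "Label 'Release' is missing or has invalid format"
        level: warn
        required: false
        reference_url:
          - "http://docs.projectatomic.io/container-best-practices/#"
          - _recommended_labels_for_your_project
      Architecture:
        # NOTE(review): the character classes [6,8][4,6] also admit a literal
        # comma; the pattern is looser than the listed examples suggest.
        valueRegex: "/[\\w]*[6,8][4,6]|[.]*86[.]*64/"
        message: "Label 'Architecture' is missing or has invalid format: x86, i386, x86_64"
        level: info
        required: false
        reference_url:
          - "http://docs.projectatomic.io/container-best-practices/#"
          - _recommended_labels_for_your_project
      Vendor:
        valueRegex: "/([\\w]+).+/"
        message: "Label 'Vendor' is missing or has invalid format"
        level: warn
        required: false
        reference_url:
          - "http://docs.projectatomic.io/container-best-practices/#"
          - _recommended_labels_for_your_project
      Url:
        valueRegex: "/([\\w]+).+/"
        message: "Label 'Url' is missing or has invalid format"
        level: warn
        required: false
        reference_url:
          - "http://docs.projectatomic.io/container-best-practices/#"
          - _recommended_labels_for_your_project
      Help:
        valueRegex: "/([\\w]+).+/"
        message: "Label 'Help' is missing or has invalid format"
        level: warn
        required: false
        reference_url:
          - "http://docs.projectatomic.io/container-best-practices/#"
          - _recommended_labels_for_your_project
  EXPOSE:
    # NOTE(review): "\\d-\\s" inside a character class is a range between two
    # escapes; some regex engines reject it while others treat '-' literally.
    # Verify with the engine the consumer uses (same for ADD and WORKDIR).
    paramSyntaxRegex: "/^[\\d-\\s\\w/\\\\]+$/"
    rules: []
  ENV:
    paramSyntaxRegex: "/^[\\w-$/\\\\=\\\"[\\]{}@:,'`\\t. ]+$/"
    rules: []
  ADD:
    paramSyntaxRegex: "/^~?([\\w-.~:/?#\\[\\]\\\\\\/*@!$&'()*+,;=.{}\"]+[\\s]*)+$/"
    rules: []
  COPY:
    paramSyntaxRegex: /.+/
    rules: []
  ENTRYPOINT:
    paramSyntaxRegex: /.+/
    rules: []
  VOLUME:
    paramSyntaxRegex: /.+/
    rules: []
  USER:
    # Accepts a lowercase user name of up to 41 characters. Numeric
    # "uid:gid" form and ${VAR} substitution do not match this pattern, and
    # no rule here flags a value of root.
    paramSyntaxRegex: "/^[a-z0-9_][a-z0-9_-]{0,40}$/"
    rules: []
  WORKDIR:
    paramSyntaxRegex: "/^~?[\\w\\d-\\/.{}$\\/:]+[\\s]*$/"
    rules: []
  ONBUILD:
    paramSyntaxRegex: /.+/
    rules: []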
# Instructions whose absence is reported; count is presumably the minimum
# number of occurrences expected — confirm against the consumer.
required_instructions:
  EXPOSE:
    instruction: EXPOSE
    count: 1
    level: info
    message: 'There is no ''EXPOSE'' instruction'
    description: Without exposed ports how will the service of the container be accessed?
    reference_url:
      - 'https://docs.docker.com/engine/reference/builder/'
      - '#expose'
  CMD:
    instruction: CMD
    count: 1
    level: info
    message: 'There is no ''CMD'' instruction'
    # NOTE(review): parses as the string "None", not YAML null (compare
    # includes: null under profile) — confirm which one is intended.
    description: None
    reference_url:
      - 'https://docs.docker.com/engine/reference/builder/'
      - '#cmd'
# Both lists are empty in the default profile: no instruction is discouraged
# and no pair of instructions is declared mutually exclusive.
discouraged_instructions: []
mutually_exclusive_instructions: []