Dockle

Secure Docker images with CIS‑compliant linting made simple

Dockle scans Docker images against CIS benchmarks, flags insecure practices, and guides developers toward hardened, best‑practice containers. It can be run locally, in CI, or as a Docker container.

Overview

Dockle is a command‑line tool that inspects Docker images and evaluates them against the CIS Docker Benchmark and additional best‑practice checks. By analyzing the final image rather than the Dockerfile, it surfaces real‑world security issues such as use of ADD, exposed credentials, leftover package caches, and missing non‑root users.

Who should use it

The tool is aimed at developers, security engineers, and DevSecOps teams who need a fast, dependency‑free way to validate container images before they are pushed to registries or deployed. It integrates smoothly with CI systems (Travis CI, CircleCI, Jenkins, GitHub Actions, etc.) and can output results in JSON for automated processing.

Deployment options

Dockle can be installed via Homebrew, native OS packages (RPM, DEB, AUR), binary releases, asdf, or built from source. A Docker image is also provided for quick, no‑install testing. Once installed, a single `dockle` command runs the full audit, with flags to customize exit codes, ignore specific checkpoints, or save JSON reports.

Highlights

CIS Benchmark compliance checks for Docker images
Zero‑runtime dependencies; single binary execution
CI/CD friendly with JSON output and exit‑code control
Multiple installation methods (Homebrew, packages, Docker, source)

Pros

  • Simple CLI – just provide an image name
  • Cross‑platform support (Linux, macOS, Windows, WSL)
  • Integrates easily into automated pipelines
  • High‑accuracy checks based on industry standards

Considerations

  • Only scans built images, not Dockerfile syntax
  • Limited to predefined checkpoints; no custom rule engine
  • May generate false positives for complex build steps
  • Does not perform deep vulnerability scanning

Managed products teams compare with

When teams consider Dockle, these hosted platforms usually appear on the same shortlist.

Anchore

Container security and compliance platform for scanning container images and software supply chains

Aqua Security

Cloud-native security platform focusing on container and Kubernetes protection from development to runtime

Sysdig

Cloud-native security and monitoring

Looking for a hosted option? These are the services engineering teams benchmark against before choosing open source.

Fit guide

Great for

  • DevSecOps teams enforcing container security policies
  • CI pipelines that need fast image validation
  • Developers wanting quick feedback on image hardening
  • Compliance audits requiring CIS benchmark evidence

Not ideal when

  • Runtime security monitoring of running containers
  • Scanning host operating systems or Kubernetes clusters
  • Deep CVE vulnerability analysis beyond best‑practice checks
  • Projects that require custom, user‑defined lint rules

How teams use it

CI pipeline image validation

Fail builds automatically when Dockle detects critical security violations.

Pre‑release compliance audit

Generate a JSON report to demonstrate CIS benchmark adherence for regulatory review.

Local developer security check

Run `dockle` on a newly built image to catch insecure practices before pushing.

Automated remediation guidance

Provide developers with specific checkpoint messages (e.g., replace ADD with COPY) to improve Dockerfiles.

Tech snapshot

Go 99%
Dockerfile 1%

Tags

kubernetes, linter, containers, vulnerability, go, security-tools, security-audit, golang, security, docker

Frequently asked questions

How do I install Dockle on macOS?

Use Homebrew: `brew install goodwithtech/r/dockle`.

Can Dockle output results in JSON?

Yes, add `--format json` (or use `-f json`) to get a machine‑readable report.

How can I ignore specific checkpoints?

Use the `--ignore` flag followed by checkpoint IDs, e.g., `--ignore CIS-DI-0009`.

Is Dockle suitable for GitHub Actions?

A ready‑made GitHub Action is provided; it runs Dockle against the image and fails on critical findings.

Do I need Docker installed to run Dockle?

Only if you scan images on the host; otherwise you can run the binary or Docker image without a local Docker daemon.

Project at a glance

Status: Dormant
Stars: 3,206
Watchers: 3,206
Forks: 163
License: Apache-2.0
Repo age: 6 years old
Last commit: last year
Primary language: Go