

Secure Docker images with CIS‑compliant linting made simple
Dockle scans Docker images against CIS benchmarks, flags insecure practices, and guides developers to build hardened, best‑practice containers—usable locally, in CI, or via Docker.

Dockle is a command‑line tool that inspects Docker images and evaluates them against the CIS Docker Benchmark and additional best‑practice checks. By analyzing the final image rather than the Dockerfile, it surfaces real‑world security issues such as use of ADD, exposed credentials, leftover package caches, and missing non‑root users.
The tool is aimed at developers, security engineers, and DevSecOps teams who need a fast, dependency‑free way to validate container images before they are pushed to registries or deployed. It integrates smoothly with CI systems (Travis CI, CircleCI, Jenkins, GitHub Actions, etc.) and can output results in JSON for automated processing.
Dockle can be installed via Homebrew, native OS packages (RPM, DEB, AUR), binary releases, asdf, or built from source. A Docker image is also provided for quick, no‑install testing. Once installed, a single `dockle` command runs the full audit, with flags to customize exit codes, ignore specific checkpoints, or save JSON reports.
CI pipeline image validation
Fail builds automatically when Dockle detects critical security violations.
Pre‑release compliance audit
Generate a JSON report to demonstrate CIS benchmark adherence for regulatory review.
Local developer security check
Run `dockle` on a newly built image to catch insecure practices before pushing.
Automated remediation guidance
Provide developers with specific checkpoint messages (e.g., replace ADD with COPY) to improve Dockerfiles.
Use Homebrew: `brew install goodwithtech/r/dockle`.
Yes, add `--format json` (or use `-f json`) to get a machine‑readable report.
Use the `--ignore` flag followed by checkpoint IDs, e.g., `--ignore CIS-DI-0009`.
A ready‑made GitHub Action is provided; it runs Dockle against the image and fails on critical findings.
Only if you scan images on the host; otherwise you can run the binary or Docker image without a local Docker daemon.
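As an added example for the CI pipeline and compliance-audit use cases above (this is not Dockle's own code or part of the original page), the following Python gate reads a saved `dockle -f json` report and applies the same policy the `--ignore` and `--exit-level` flags express: skip listed checkpoint IDs, then fail when any remaining finding is at or above the chosen level. The report shape (`summary`, plus `details` entries with `code`, `title`, `level`, `alerts`) follows Dockle's documented JSON output as I know it, and the findings themselves are constructed.

```python
import json
import sys

# Constructed sample in the shape of a Dockle JSON report. Checkpoint titles
# match Dockle's checkpoint list; the alert strings are invented for this demo.
SAMPLE_REPORT = json.dumps({
    "image": "example.invalid/app:1.0",
    "summary": {"fatal": 1, "warn": 2, "info": 1, "skip": 0, "pass": 12},
    "details": [
        {"code": "CIS-DI-0001", "title": "Create a user for the container",
         "level": "WARN", "alerts": ["Last user should not be root"]},
        {"code": "CIS-DI-0009", "title": "Use COPY instead of ADD in Dockerfile",
         "level": "FATAL", "alerts": ["ADD instruction found in image history"]},
        {"code": "CIS-DI-0005", "title": "Enable Content trust for Docker",
         "level": "INFO", "alerts": ["DOCKER_CONTENT_TRUST not set"]},
        {"code": "DKL-DI-0005", "title": "Clear apt-get caches",
         "level": "WARN", "alerts": ["/var/lib/apt/lists left in image layer"]},
    ],
})

# Severity order used by Dockle's --exit-level (info < warn < fatal).
LEVEL_RANK = {"INFO": 0, "WARN": 1, "FATAL": 2}


def gate(report_json, exit_level="FATAL", ignore=()):
    """Return (should_fail, blocking_findings, ignored_codes).

    Equivalent to `dockle --exit-code 1 --exit-level <level> --ignore <ID>`,
    but applied to a saved report so the policy can be audited or re-run
    without rescanning the image.
    """
    report = json.loads(report_json)
    threshold = LEVEL_RANK[exit_level.upper()]
    blocking, ignored = [], []
    for finding in report["details"]:
        if finding["code"] in ignore:  # accepted risk, recorded for the audit trail
            ignored.append(finding["code"])
            continue
        if LEVEL_RANK.get(finding["level"].upper(), 0) >= threshold:
            blocking.append(finding)
    return bool(blocking), blocking, ignored


if __name__ == "__main__":
    failed, blocking, ignored = gate(SAMPLE_REPORT, "WARN", ignore=("CIS-DI-0009",))
    for f in blocking:
        print(f"{f['level']:5} {f['code']}: {f['title']} -> {'; '.join(f['alerts'])}")
    print(f"ignored: {ignored}")
    sys.exit(1 if failed else 0)  # non-zero exit fails the CI job
```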