A tool to lint your Dockerfiles in CI/CD pipelines using hadolint.

This tool has been written and tested using GitHub Actions, but it should work out of the box with many other CI/CD tools.
```yaml
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Run Hadolint
        run: wget --quiet -O - https://raw.githubusercontent.com/CICDToolbox/hadolint/master/pipeline.sh | bash
```
The following environment variables can be set in order to customise the script.

Name | Purpose | Default Value
---|---|---
EXCLUDE_FILES | A comma separated list of files to exclude from being scanned. You can also use regex to do pattern matching. | Unset
REPORT_ONLY | Generate the report but do not fail the build even if an error occurred. | False
SHOW_ERRORS | Show the actual errors instead of just which files had errors. | True
SHOW_SKIPPED | Show which files are being skipped. | False

You can use any combination of the above settings.
```yaml
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Run Hadolint
        env:
          REPORT_ONLY: true
          SHOW_ERRORS: true
        run: bash <(curl -s https://raw.githubusercontent.com/CICDToolbox/hadolint/master/pipeline.sh)
```
This is an example of the output report generated by this tool; it is the actual output from the tool running against itself.

```text
-------------------------------------------------------------------------- Stage 1 - Parameters --
No parameters given
--------------------------------------------------------------- Stage 2 - Install Prerequisites --
[ OK ] docker pull --quiet hadolint/hadolint
------------------------------------------------------ Stage 3 - Run hadolint/hadolint (latest) --
[ OK ] tests/Dockerfile
------------------------------------------------------------------------------ Stage 4 - Report --
Total: 1, OK: 1, Failed: 0, Skipped: 0
---------------------------------------------------------------------------- Stage 5 - Complete --
```
Target files are identified using the following code:

```bash
# $(unknown) stands for the candidate file name in this README snippet;
# the match is purely on the name ending in "Dockerfile".
[[ $(unknown) =~ Dockerfile$ ]]
```

There is no magic type for Dockerfiles, so `file -b` is of no use for identifying them; the match has to be on the file name.
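The following bash script is an added example, not the project's own `pipeline.sh`. It puts the two mechanisms described above side by side: the name-based `Dockerfile$` match used to identify target files, and the comma-separated `EXCLUDE_FILES` list from the options table, each entry treated as a regex, together with `SHOW_SKIPPED` deciding whether excluded files are reported. The function names (`classify_file`, `report_files`) and the sample paths are constructed for this example and do not come from the project.

```bash
#!/usr/bin/env bash
# Added example, not the project's pipeline.sh. It reproduces the two checks the
# README describes: a file is a target when its name ends in "Dockerfile" (there
# is no magic type to sniff), and it is skipped when it matches any entry of the
# comma-separated EXCLUDE_FILES list, each entry being an extended regex.

# classify_file PATH
# Exit status: 0 = lint it, 1 = not a Dockerfile, 2 = excluded via EXCLUDE_FILES.
classify_file() {
    local filename="$1"
    local pattern
    local -a patterns

    # Name-based identification, as in the README snippet.
    [[ "${filename}" =~ Dockerfile$ ]] || return 1

    # Split EXCLUDE_FILES on commas without globbing; each entry is a regex.
    IFS=',' read -r -a patterns <<< "${EXCLUDE_FILES:-}"
    for pattern in "${patterns[@]}"; do
        [[ -z "${pattern}" ]] && continue
        if [[ "${filename}" =~ ${pattern} ]]; then
            return 2
        fi
    done
    return 0
}

# report_files PATH...
# Print a one-line verdict per path, honouring SHOW_SKIPPED like the options table.
report_files() {
    local path rc
    for path in "$@"; do
        rc=0
        classify_file "${path}" || rc=$?
        if [[ "${rc}" -eq 0 ]]; then
            printf '[ LINT ] %s\n' "${path}"
        elif [[ "${rc}" -eq 2 && "${SHOW_SKIPPED:-false}" == "true" ]]; then
            printf '[ SKIP ] %s\n' "${path}"
        fi
        # rc 1 (not a Dockerfile) is silently ignored, as a non-target file would be.
    done
}

# Constructed sample paths; no real repository is read.
SAMPLE_PATHS=(
    "tests/Dockerfile"
    "vendor/thirdparty/Dockerfile"
    "README.md"
    "build/Dockerfile.alpine"
)

EXCLUDE_FILES='^vendor/' SHOW_SKIPPED=true report_files "${SAMPLE_PATHS[@]}"
```

Running it lints `tests/Dockerfile`, reports `vendor/thirdparty/Dockerfile` as skipped, and says nothing about `README.md`. Note that `build/Dockerfile.alpine` is also silently ignored: the `Dockerfile$` anchor only matches names that end in `Dockerfile`, so variant names such as `Dockerfile.alpine` are not picked up by a name-based check of this shape, which is worth knowing when you expect every image definition in a repository to be linted.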