
Dockle

Container image best-practices linter aligned to CIS Docker.

Dockle is not a CVE scanner; it is a build-time linter that inspects a built image (its config and layer contents) for best-practice violations. HarborGuard wires Dockle into every scan to surface what CVE feeds miss: an image whose final USER is root, a private key or credential file left in a layer, an image tagged `latest`. Dockle's CIS-DI checkpoints correspond to CIS Docker Benchmark controls, so its findings appear directly as control evidence in compliance reports.

What it scans

  • Dockerfile-derived misconfigurations recorded in the image (missing or root USER, ENTRYPOINT usage, ADD where COPY suffices)
  • Secrets embedded in image layers (credential files such as private keys, sensitive environment variables)
  • CIS Docker Benchmark section 4 checkpoints (Container Images and Build File)
  • Presence of a HEALTHCHECK instruction

When to use it

  • Required for CIS Docker Benchmark compliance evidence.
  • Catches image misconfigurations that CVE scanners do not report.
  • Well suited as a pre-merge gate alongside Trivy, since the two tools cover disjoint failure classes.

How HarborGuard runs Dockle

01  Findings are mapped automatically onto CIS Docker Benchmark controls.

02  Dockle's own FATAL/WARN/INFO levels are mapped onto the platform's unified WARN/CRITICAL severity scale (PASS and SKIP entries produce no finding).

03  Toggle Dockle per scan, or set it as a default in /settings/scan-defaults.
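The three steps above, and the pre-merge gate mentioned under "When to use it", as a worked example. This is added illustration code, not HarborGuard's or Dockle's own implementation: it parses a Dockle JSON report, attaches a CIS control id and a unified severity to each finding, and decides whether the image passes the gate. The report below is a constructed sample in the shape of `dockle -f json` output, not a real scan; the FATAL→CRITICAL / WARN→WARN / INFO→INFO mapping and the rule that Dockle's CIS-DI-00NN codes number the benchmark's section 4 items are assumptions, and the `accepted` parameter is a hypothetical hook for recorded risk acceptances.

```python
"""Normalize a Dockle JSON report into CIS-mapped, severity-mapped findings
and decide whether the image passes a pre-merge gate (added example)."""
from __future__ import annotations

import json
import shutil
import subprocess

# Constructed sample in the shape of a `dockle -f json` report (not a real scan).
SAMPLE_REPORT = json.dumps({
    "image": "registry.example/app:latest",
    "summary": {"fatal": 1, "warn": 2, "info": 1, "skip": 0, "pass": 12},
    "details": [
        {"code": "CIS-DI-0010", "title": "Do not store credentials in files",
         "level": "FATAL", "alerts": ["Suspicious filename found : root/.ssh/id_rsa"]},
        {"code": "CIS-DI-0001", "title": "Create a user for the container",
         "level": "WARN", "alerts": ["Last user should not be root"]},
        {"code": "DKL-DI-0006", "title": "Avoid latest tag",
         "level": "WARN", "alerts": ["Avoid 'latest' tag"]},
        {"code": "CIS-DI-0006", "title": "Add HEALTHCHECK instruction",
         "level": "INFO", "alerts": ["not found HEALTHCHECK statement"]},
    ],
})

# Assumed mapping of Dockle levels onto a unified scale; PASS/SKIP yield no finding.
LEVEL_TO_SEVERITY = {"FATAL": "CRITICAL", "WARN": "WARN", "INFO": "INFO"}
SEVERITY_RANK = {"INFO": 0, "WARN": 1, "CRITICAL": 2}


def severity_for(level: str) -> str | None:
    """Map a Dockle level to the platform severity; None for PASS/SKIP."""
    return LEVEL_TO_SEVERITY.get(level.upper())


def cis_control_for(code: str) -> str | None:
    """Map a Dockle checkpoint code to a CIS Docker Benchmark control id.

    Assumption: CIS-DI-00NN follows section 4 (Container Images and Build
    File) numbering, so CIS-DI-0010 -> 4.10. DKL-* checkpoints are Dockle's
    own and carry no CIS control.
    """
    prefix, _, number = code.rpartition("-")
    if prefix != "CIS-DI" or not number.isdigit():
        return None
    return f"4.{int(number)}"


def normalize_report(report_json: str) -> list[dict]:
    """Turn a Dockle report into findings with severity and CIS control attached."""
    findings = []
    for detail in json.loads(report_json).get("details", []):
        severity = severity_for(detail.get("level", ""))
        if severity is None:
            continue  # PASS/SKIP entries are not findings
        findings.append({
            "code": detail["code"],
            "title": detail.get("title", ""),
            "severity": severity,
            "cis_control": cis_control_for(detail["code"]),
            "alerts": list(detail.get("alerts", [])),
        })
    # Highest severity first (stable sort keeps Dockle's order within a level).
    findings.sort(key=lambda f: SEVERITY_RANK[f["severity"]], reverse=True)
    return findings


def gate(findings: list[dict], fail_on: str = "CRITICAL",
         accepted: frozenset[str] = frozenset()) -> bool:
    """True when no unaccepted finding reaches the fail_on threshold.
    `accepted` is a hypothetical set of checkpoint codes with a recorded risk acceptance."""
    threshold = SEVERITY_RANK[fail_on]
    return not any(SEVERITY_RANK[f["severity"]] >= threshold and f["code"] not in accepted
                   for f in findings)


def dockle_command(image: str, output_path: str) -> list[str]:
    """argv for a Dockle run that writes a JSON report; the pass/fail decision is
    taken here from the report rather than through Dockle's own exit code."""
    return ["dockle", "-f", "json", "-o", output_path, image]


def main(image: str = "registry.example/app:latest") -> int:
    if shutil.which("dockle"):
        path = "dockle-report.json"
        subprocess.run(dockle_command(image, path), check=False)
        with open(path, encoding="utf-8") as fh:
            report_json = fh.read()
    else:
        report_json = SAMPLE_REPORT  # offline fallback: the constructed sample above
    findings = normalize_report(report_json)
    for f in findings:
        control = f["cis_control"] or "dockle-only"
        detail = (f["alerts"] or [f["title"]])[0]
        print(f"{f['severity']:<8} {f['code']:<12} CIS {control:<11} {detail}")
    passed = gate(findings, fail_on="CRITICAL")
    print("gate:", "PASS" if passed else "FAIL")
    return 0 if passed else 1


if __name__ == "__main__":
    raise SystemExit(main())
```

Run without arguments to see the constructed sample gated (the embedded private key is CRITICAL, so the gate fails); with `dockle` on PATH it scans the named image instead. Tightening `fail_on` to `"WARN"` makes the root USER and `latest` tag blocking as well, which is the setting a pre-merge gate alongside Trivy would normally use once the known exceptions are in `accepted`.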

Output formats

JSON, SARIF