Dockle – Container Security Diagnostics

In this article we will look at Dockle, a tool for checking the security of container images that can be used to search for vulnerabilities. It also checks images for compliance with best practices and verifies, from the command history saved in the image, how the image was actually built.

Installing Dockle

Installing the utility should cause no difficulties:

  • Installation on OSX

$ brew install goodwithtech/r/dockle

  • Installation on Linux

# RHEL
# The sed back-reference must be \1 (it was printed as a bare 1 on the page),
# otherwise VERSION is set to the literal string "1" and the download URL is wrong.
$ VERSION=$(
 curl --silent "https://api.github.com/repos/goodwithtech/dockle/releases/latest" | 
 grep '"tag_name":' | 
 sed -E 's/.*"v([^"]+)".*/\1/' 
) && rpm -ivh https://github.com/goodwithtech/dockle/releases/download/v${VERSION}/dockle_${VERSION}_Linux-64bit.rpm

# Ubuntu
$ VERSION=$(
 curl --silent "https://api.github.com/repos/goodwithtech/dockle/releases/latest" | 
 grep '"tag_name":' | 
 sed -E 's/.*"v([^"]+)".*/\1/' 
) && curl -L -o dockle.deb https://github.com/goodwithtech/dockle/releases/download/v${VERSION}/dockle_${VERSION}_Linux-64bit.deb
$ sudo dpkg -i dockle.deb && rm dockle.deb

After installing the utility, all you need to do is specify the name of the image. Nothing else needs to be configured, and you don’t even need Docker.

Dockle example

Run the utility with the name of the image. If no problems are found, PASS is printed to the console; if problems or vulnerabilities are found, detailed information about them is displayed:

Let’s also try running Dockle inside Docker; the screenshot shows that the utility works fine:

Key features and benefits of Dockle

  • search for vulnerabilities in images,

  • help building the correct Dockerfile,

  • easy to use, you only need to specify the name of the image,

  • support for CIS Benchmarks.

Comparison with other tools

There are many similar security diagnostic tools, for example Docker Bench or Hadolint, but compared with them Dockle offers more functionality:

Using Dockle in DevSecOps

I think this short article is a good starting point for getting started with Dockle. It is easy to use in CI, and it will improve your pipelines in line with the DevSecOps concept.

The links below provide examples of how to set up CI / CD systems to work with Dockle:
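As an added example of wiring Dockle into a pipeline (not the project's own code and not one of the linked CI configurations), the script below runs `dockle -f json` when the binary is on PATH and otherwise evaluates a constructed report in the shape of Dockle's JSON output. The gate decides the job outcome from the findings' levels and an ignore list, which is what a CI step needs once a team has accepted some checkpoints. The sample report, its codes, titles and alert text are constructed to resemble Dockle output, and the `--exit-code 0` usage assumes Dockle's documented flag:

```python
"""Gate a CI job on a Dockle JSON report.

Added example, not Dockle's own code. Runs Dockle if it is installed,
otherwise evaluates a constructed report shaped like `dockle -f json` output.
"""
import json
import shutil
import subprocess
import sys

# Constructed sample in the shape of Dockle's JSON output (not a real run).
SAMPLE_REPORT = """{
  "image": "example/app:1.0",
  "summary": {"fatal": 1, "warn": 1, "info": 1, "skip": 0, "pass": 10},
  "details": [
    {"code": "CIS-DI-0010", "title": "Do not store secrets in Dockerfiles",
     "level": "FATAL", "alerts": ["Suspicious ENV key found : DB_PASSWORD"]},
    {"code": "CIS-DI-0001", "title": "Create a user for the container",
     "level": "WARN", "alerts": ["Last user should not be root"]},
    {"code": "CIS-DI-0006", "title": "Add HEALTHCHECK instruction to the container image",
     "level": "INFO", "alerts": ["not found HEALTHCHECK statement"]}
  ]
}"""

SEVERITY = {"INFO": 0, "WARN": 1, "FATAL": 2}


def sample_report():
    """Parsed copy of the constructed sample, used when Dockle is unavailable."""
    return json.loads(SAMPLE_REPORT)


def run_dockle(image):
    """Run Dockle against an image and return its parsed JSON report."""
    # --exit-code 0 keeps the CLI from failing before the report is read;
    # the gate below decides the job's outcome instead.
    cmd = ["dockle", "-f", "json", "--exit-code", "0", image]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True)
    return json.loads(out.stdout)


def evaluate(report, fail_level="WARN", ignore=()):
    """Return (blocking_codes, passed).

    A finding blocks the pipeline when its level is at or above fail_level
    and its code is not on the accepted ignore list.
    """
    threshold = SEVERITY[fail_level.upper()]
    blocking = [
        d["code"] for d in report.get("details", [])
        if SEVERITY.get(d["level"].upper(), 0) >= threshold and d["code"] not in ignore
    ]
    return blocking, not blocking


def main(argv):
    image = argv[1] if len(argv) > 1 else None
    if image and shutil.which("dockle"):
        report = run_dockle(image)
    else:
        report = sample_report()  # offline fallback
    # CIS-DI-0006 is accepted here as an example of a reviewed exception.
    blocking, ok = evaluate(report, fail_level="WARN", ignore=("CIS-DI-0006",))
    for d in report.get("details", []):
        flag = "BLOCK" if d["code"] in blocking else "note "
        print(f"{flag} {d['level']:5} {d['code']} {d['title']}")
    print("PASS" if ok else "FAIL", report.get("image"))
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Invoke it as `python3 dockle_gate.py myimage:tag` in the CI step after the image build; a non-zero exit fails the job. Keeping the ignore list in the script (or a file checked in beside it) makes every accepted exception visible in code review rather than hidden in a shell flag.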
