Dockle
Apache-2.0 · Container Security · Go
Dockle is a container image linter for security that helps you build best-practice Docker/OCI images. It checks built container images for security issues and best-practice violations based on the CIS Docker Benchmark plus additional security checks. Unlike Dockerfile linters, which only analyze the build instructions, Dockle inspects the actual built image, catching issues such as credentials left in image layers, unnecessary setuid/setgid binaries, missing USER directives (the container runs as root), writable executables, and environment variables containing secrets. Dockle outputs clear, actionable findings with severity levels (FATAL, WARN, INFO) and references to the relevant CIS benchmark sections. It integrates easily into CI/CD pipelines, supports JSON output for automation, and can be configured with an ignore file for accepted risks. Dockle fills the gap between Dockerfile linting (like Hadolint) and runtime scanning (like Falco).
Installation
brew (macOS)
$ brew install goodwithtech/r/dockle
Go
$ go install github.com/goodwithtech/dockle@latest
Docker
$ docker run --rm goodwithtech/dockle:latest <image>
Use Cases
- Scanning Docker images for security best practice violations in CI/CD pipelines
- Detecting credentials and secrets left in container image layers
- Checking images against CIS Docker Benchmark requirements
- Finding containers running as root or with unnecessary capabilities
- Validating image security before deployment to production registries
Details
- Category
- Container Security
- Language
- Go
- Repository
- goodwithtech/dockle
- License
- Apache-2.0
- Platforms
- linux, macos, windows
Alternatives & Comparisons
Trivy
Go · Comprehensive vulnerability scanner for containers, filesystems, git repos, and Kubernetes with SBOM generation.
Compare Dockle vs Trivy
Grype
Go · Vulnerability scanner for container images and filesystems that matches installed packages against known CVEs.
Compare Dockle vs Grype
Falco
C++ · Cloud-native runtime security. Detects threats in containers, Kubernetes, and Linux hosts using system call monitoring and custom rules.
Compare Dockle vs Falco
kube-hunter
Python · Kubernetes penetration testing tool. Hunts for security weaknesses in Kubernetes clusters from inside or outside the network.
Compare Dockle vs kube-hunter
CDK
Go · Container escape and exploitation toolkit. Zero-dependency binary for container pentesting with escape exploits and post-exploitation tools.
Compare Dockle vs CDK
More in Container Security
Falco
C++ · Cloud-native runtime security. Detects threats in containers, Kubernetes, and Linux hosts using system call monitoring and custom rules.
kube-hunter
Python · Kubernetes penetration testing tool. Hunts for security weaknesses in Kubernetes clusters from inside or outside the network.
CDK
Go · Container escape and exploitation toolkit. Zero-dependency binary for container pentesting with escape exploits and post-exploitation tools.
Deepce
Shell · Docker enumeration and privilege escalation. Discovers Docker containers, checks for misconfigurations, and finds escape paths.
Syft
Go · Software Bill of Materials generator. Creates SBOMs from container images and filesystems in SPDX and CycloneDX formats.