Skip to main content

Linting

Linting in Docker, using tools such as Hadolint, is essential to ensure the security and quality of container images. This practice identifies vulnerabilities, insecure configurations and errors in Dockerfile files, which is crucial to prevent exposures of known vulnerabilities and ensure secure image builds. In addition, linting promotes consistency and compliance with best practices, which facilitates replication and collaboration across development and operations teams. Ultimately, Docker linting improves the efficiency of the development and deployment process, saves time and resources, and contributes to the reliability and quality of software in container environments.

If you want to try Hadolint and start applying Docker linting immediately, you can access the online tool at the following link: Hadolint Online. This platform will allow you to analyze your Dockerfile files interactively and receive recommendations and corrections in real time, which facilitates the adoption of good security and quality practices in your container images.

Integration with Gitlab

To integrate Hadolint with CI/CD from Gitlab, we have two options: use the image available at DockerHub or the one we have in the project OSDO, which already has Curl installed to allow integration with DefectDojo.

Once we have decided which option we need, we proceed to add the following section in our gitlab-ci.yml file:

.gitlab-ci.yml
docker_hadolit:
  stage: test
  image:  image_need
  script:
    - hadolint "${CI_PROJECT_DIR}/deployment/php/Dockerfile" -f json > hadolint.json
  artifacts:
    paths:
      - hadolint.json
    when: on_failure
    expire_in: 1 hour

DefectDojo

To integrate with DefectDojo, we must add the after_script option in our GitLab CI/CD configuration file. In this step, we will call the defectdojo-finding.sh" script, which is located in the Monitoring Integrations section. To ensure that the script is only called if "failures" have been encountered, we wrap it in an if conditional structure that checks the status of the job with the variable $CI_JOB_STATUS. We must also add the following configuration variables to customize the "finding": $DD_SCAN_TYPE, $DD_PRODUCT_NAME, $DD_SCAN_FILE, $DD_SCAN_ACTIVE, $DD_SCAN_VERIFIED.

.gitlab-ci.yml
docker_hadolit:
  stage: test
  dependencies: ["defectdojo_create_engagement"]
  variables:
    DD_SCAN_TYPE: "Hadolint Dockerfile check"
    DD_PRODUCT_NAME: "Hadolint"
    DD_SCAN_FILE: "hadolint.json"
    DD_SCAN_ACTIVE: "true"
    DD_SCAN_VERIFIED: "false"
  image: image_need
  script:
    - hadolint "${CI_PROJECT_DIR}/deployment/php/Dockerfile" -f json > hadolint.json
  after_script:
    - |
      if [ $CI_JOB_STATUS == 'failed' ]; then
        bash .gitlab-ci/defectdojo-finding.sh
      fi
  artifacts:
    paths:
      - hadolint.json
    when: on_failure
    expire_in: 1 hour