Linting
Linting Dockerfiles with tools such as Hadolint is essential to ensure the security and quality of container images. It identifies vulnerabilities, insecure configurations and errors in Dockerfiles, which is crucial to prevent known vulnerabilities from being shipped and to ensure secure image builds. In addition, linting promotes consistency and compliance with best practices, which facilitates replication and collaboration across development and operations teams. Ultimately, Docker linting improves the efficiency of the development and deployment process, saves time and resources, and contributes to the reliability and quality of software in container environments.
If you want to try Hadolint and start applying Docker linting immediately, you can use the online tool at the following link: Hadolint Online. This platform lets you analyze your Dockerfiles interactively and receive recommendations and corrections in real time, which makes it easier to adopt good security and quality practices in your container images.
Integration with GitLab
To integrate Hadolint with GitLab CI/CD, we have two options: use the image available on Docker Hub or the one maintained in the OSDO project, which already has curl installed to allow integration with DefectDojo.
Once we have decided which option we need, we add the following section to our .gitlab-ci.yml file:
docker_hadolint:
  stage: test
  image: image_need
  script:
    - hadolint "${CI_PROJECT_DIR}/deployment/php/Dockerfile" -f json > hadolint.json
  artifacts:
    paths:
      - hadolint.json
    when: on_failure
    expire_in: 1 hour
DefectDojo
To integrate with DefectDojo, we must add the after_script option to our GitLab CI/CD configuration file. In this step we call the defectdojo-finding.sh script, which is located in the Monitoring Integrations section. To ensure that the script is only called if failures have been found, we wrap it in an if conditional that checks the status of the job through the $CI_JOB_STATUS variable; after_script runs whether or not the script section succeeded, and $CI_JOB_STATUS is populated at that point, which is why the check lives there. We must also add the following configuration variables to customize the finding: $DD_SCAN_TYPE, $DD_PRODUCT_NAME, $DD_SCAN_FILE, $DD_SCAN_ACTIVE and $DD_SCAN_VERIFIED.
docker_hadolint:
  stage: test
  dependencies: ["defectdojo_create_engagement"]
  variables:
    DD_SCAN_TYPE: "Hadolint Dockerfile check"
    DD_PRODUCT_NAME: "Hadolint"
    DD_SCAN_FILE: "hadolint.json"
    DD_SCAN_ACTIVE: "true"
    DD_SCAN_VERIFIED: "false"
  image: image_need
  script:
    - hadolint "${CI_PROJECT_DIR}/deployment/php/Dockerfile" -f json > hadolint.json
  after_script:
    - |
      # Upload the findings only when the lint step failed, i.e. hadolint reported issues
      if [ "$CI_JOB_STATUS" = "failed" ]; then
        bash .gitlab-ci/defectdojo-finding.sh
      fi
  artifacts:
    paths:
      - hadolint.json
    when: on_failure
    expire_in: 1 hour
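As an added example (not code from the OSDO project), the following shell helpers implement the after_script gate above: they check the job status the way the page does and additionally refuse to run the DefectDojo script when hadolint.json is empty or is not a JSON array, for instance when hadolint aborted because the Dockerfile path was wrong. The sample report and the temporary file paths are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the OSDO project: helpers for the after_script gate.
# Besides checking $CI_JOB_STATUS as the page does, it refuses to call the DefectDojo
# script when hadolint.json is empty or is not a JSON array, so no broken report
# (e.g. an error message written instead of findings) gets imported.
set -u

# Return 0 (run the upload) only when the job failed AND the report holds findings.
# $1 = job status (the value of $CI_JOB_STATUS), $2 = path to the hadolint JSON report
should_report_findings() {
    status="$1"
    report="$2"
    [ "$status" = "failed" ] || return 1    # job succeeded: nothing to report
    [ -s "$report" ] || return 1            # report missing or empty
    # `hadolint -f json` writes one JSON array of finding objects; "[]" or an error
    # message captured in the file instead means there is nothing to import.
    lead="$(tr -d '[:space:]' < "$report" | cut -c1-2)"
    [ "$lead" = "[{" ]
}

# Count the findings at a given level ("error", "warning", "info", "style").
# Assumes hadolint's flat object layout with one "level" key per finding; needs no jq.
count_level() {
    grep -oE "\"level\": *\"$1\"" "$2" | wc -l | tr -d ' '
}

# Constructed sample report in the shape hadolint emits (not real output of this project).
SAMPLE_REPORT="${TMPDIR:-/tmp}/hadolint-sample.json"
cat > "$SAMPLE_REPORT" <<'EOF'
[{"line":1,"code":"DL3006","message":"Always tag the version of an image explicitly","column":1,"file":"deployment/php/Dockerfile","level":"warning"},{"line":2,"code":"DL4000","message":"MAINTAINER is deprecated","column":1,"file":"deployment/php/Dockerfile","level":"error"},{"line":5,"code":"DL3008","message":"Pin versions in apt get install.","column":1,"file":"deployment/php/Dockerfile","level":"warning"}]
EOF

# Drop-in replacement for the page's after_script body:
#   if should_report_findings "$CI_JOB_STATUS" hadolint.json; then
#       bash .gitlab-ci/defectdojo-finding.sh
#   fi
if should_report_findings "failed" "$SAMPLE_REPORT"; then
    echo "would upload: $(count_level error "$SAMPLE_REPORT") error(s), $(count_level warning "$SAMPLE_REPORT") warning(s)"
fi
```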