
Container Compliance Action

CIS Docker Benchmark and Dockerfile best practices compliance scanning.

Features

  • Dockle: CIS Docker Benchmark compliance for container images
  • Hadolint: Dockerfile linting and best practices
  • Configurable rules: Ignore specific rules as needed
  • Job summary: Visual compliance report in workflow runs

Usage

- uses: git.breis.ch/images/container-generic-compliance-action@v1
  with:
    image: my-registry/my-image:latest
    dockerfile: ./Dockerfile

With all options

- uses: git.breis.ch/images/container-generic-compliance-action@v1
  id: compliance
  with:
    image: my-registry/my-image:latest
    dockerfile: ./Dockerfile
    scanners: dockle,hadolint
    fail-on-fatal: true
    fail-on-error: true
    ignore-rules: DKL-DI-0006,DL3008
    upload-artifacts: true

- name: Check results
  run: |
    echo "Dockle FATAL: ${{ steps.compliance.outputs.dockle-fatal }}"
    echo "Hadolint errors: ${{ steps.compliance.outputs.hadolint-errors }}"
    echo "Passed: ${{ steps.compliance.outputs.passed }}"

Inputs

| Input | Required | Default | Description |
|---|---|---|---|
| image | Yes | - | Container image to scan |
| dockerfile | No | - | Path to Dockerfile for Hadolint |
| scanners | No | dockle,hadolint | Comma-separated list of scanners |
| fail-on-fatal | No | true | Fail if Dockle finds FATAL issues |
| fail-on-error | No | true | Fail if Hadolint finds errors |
| ignore-rules | No | - | Comma-separated rules to ignore |
| upload-artifacts | No | true | Upload scan results as artifacts |

Outputs

| Output | Description |
|---|---|
| dockle-fatal | Number of Dockle FATAL issues |
| dockle-warn | Number of Dockle WARN issues |
| dockle-info | Number of Dockle INFO issues |
| dockle-pass | Number of Dockle PASS checks |
| hadolint-errors | Number of Hadolint errors |
| hadolint-warnings | Number of Hadolint warnings |
| passed | true if all checks passed |

Scanners

Dockle

CIS Docker Benchmark compliance checker. Validates container images against security best practices:

  • User permissions
  • Secret exposure
  • Health checks
  • Content trust
  • And more...

Common rules to ignore for distroless images:

  • DKL-DI-0006: Avoid latest tag (sometimes intentional)

Hadolint

Dockerfile linter that validates best practices:

  • Base image versions
  • Package installation
  • Shell usage
  • Layer optimization

Common rules to ignore:

  • DL3008: Pin versions in apt-get install
  • DL3018: Pin versions in apk add

Rule Format

Rules can be specified in the ignore-rules input:

  • Dockle rules: DKL-* (e.g., DKL-DI-0006)
  • Hadolint rules: DL* or SC* (e.g., DL3008, SC2086)
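The following is an added illustration, not the action's own code: it routes an ignore-rules value by the prefixes above, recounts the Dockle and Hadolint findings that remain, and derives the outputs listed in the Outputs table together with the fail-on-fatal / fail-on-error gate. The report shapes follow the JSON formats of Dockle and Hadolint; the sample reports are constructed, and CIS-DI-* codes are also accepted as Dockle rules because Dockle emits that family alongside DKL-*.

```python
"""Recompute the action's outputs from Dockle and Hadolint JSON reports."""
import json
import re

# Constructed sample reports (not real scan output) in the shape of
# `dockle --format json` and `hadolint --format json`.
DOCKLE_JSON = """{"summary":{"fatal":1,"warn":2,"info":1,"skip":0,"pass":12},"details":[
 {"code":"CIS-DI-0001","title":"Create a user for the container","level":"WARN","alerts":["Last user should not be root"]},
 {"code":"DKL-DI-0006","title":"Avoid latest tag","level":"WARN","alerts":["Avoid 'latest' tag"]},
 {"code":"CIS-DI-0010","title":"Do not store credential in environment variables/files","level":"FATAL","alerts":["Suspicious ENV key found : API_KEY"]},
 {"code":"CIS-DI-0005","title":"Enable Content trust for Docker","level":"INFO","alerts":["export DOCKER_CONTENT_TRUST=1 before docker pull/build"]}]}"""
HADOLINT_JSON = """[
 {"line":2,"code":"DL3008","message":"Pin versions in apt get install.","column":1,"file":"Dockerfile","level":"warning"},
 {"line":7,"code":"SC2086","message":"Double quote to prevent globbing and word splitting.","column":1,"file":"Dockerfile","level":"info"},
 {"line":9,"code":"DL3020","message":"Use COPY instead of ADD for files and folders","column":1,"file":"Dockerfile","level":"error"}]"""


def split_ignore_rules(ignore_rules: str) -> tuple[set[str], set[str]]:
    """Route the comma-separated ignore-rules input to the scanner that owns each id.
    DKL-*/CIS-DI-* are Dockle codes, DL*/SC* are Hadolint codes; anything else is a typo
    and is rejected rather than silently ignored (a misspelt id would suppress nothing)."""
    dockle, hadolint = set(), set()
    for rule in filter(None, (r.strip() for r in ignore_rules.split(","))):
        if re.fullmatch(r"(DKL|CIS)-[A-Z]{2}-\d{4}", rule):
            dockle.add(rule)
        elif re.fullmatch(r"(DL|SC)\d+", rule):
            hadolint.add(rule)
        else:
            raise ValueError(f"unrecognised rule id in ignore-rules: {rule}")
    return dockle, hadolint


def summarise(dockle_json: str, hadolint_json: str, ignore_rules: str = "",
              fail_on_fatal: bool = True, fail_on_error: bool = True) -> dict:
    """Return the action's outputs after dropping ignored rules; 'passed' is a bool here
    where the real action exposes the string 'true'/'false'."""
    d_ignore, h_ignore = split_ignore_rules(ignore_rules)
    dockle, hadolint = json.loads(dockle_json), json.loads(hadolint_json)
    d_levels = {"FATAL": 0, "WARN": 0, "INFO": 0}   # recounted from details, not summary
    for f in dockle["details"]:
        if f["code"] not in d_ignore and f["level"] in d_levels:
            d_levels[f["level"]] += 1
    h_levels = {"error": 0, "warning": 0}           # info/style findings do not gate
    for f in hadolint:
        if f["code"] not in h_ignore and f["level"] in h_levels:
            h_levels[f["level"]] += 1
    out = {"dockle-fatal": d_levels["FATAL"], "dockle-warn": d_levels["WARN"],
           "dockle-info": d_levels["INFO"], "dockle-pass": dockle["summary"]["pass"],
           "hadolint-errors": h_levels["error"], "hadolint-warnings": h_levels["warning"]}
    out["passed"] = not ((fail_on_fatal and out["dockle-fatal"] > 0)
                         or (fail_on_error and out["hadolint-errors"] > 0))
    return out
```

Note that ignoring DKL-DI-0006 and DL3008, as in the usage example above, still fails this sample build: the FATAL credential finding and the Hadolint error remain, which is the intended effect of fail-on-fatal and fail-on-error.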

Example Workflow

name: Compliance Scan

on:
  push:
    branches: [main]
  pull_request:

jobs:
  compliance:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Build image
        run: docker build -t myapp:${{ github.sha }} .

      - name: Compliance scan
        uses: git.breis.ch/images/container-generic-compliance-action@v1
        with:
          image: myapp:${{ github.sha }}
          dockerfile: ./Dockerfile
          ignore-rules: DL3008

License

MIT