Container Image Linter for Security, Helping build the Best-Practice Docker Image, Easy to start.

Dockle helps you:

  1. Build Best Practice Docker images
  2. Build secure Docker images

$ brew install goodwithtech/dockle/dockle
$ dockle [YOUR_IMAGE_NAME]

See Installation and Common Examples



Checkpoints Comparison




  • Detects container vulnerabilities
  • Helps build best-practice Dockerfiles
  • Simple usage
  • CIS Benchmarks Support
    • High accuracy
  • DevSecOps
    • Suitable for CI such as Travis CI, CircleCI, Jenkins, etc.
    • See CI Example


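|             | Dockle                          | Hadolint        | Docker Bench for Security              | Clair                |
|-------------|---------------------------------|-----------------|----------------------------------------|----------------------|
| Target      | Image                           | Dockerfile      | Host, Docker Daemon, Container Runtime |                      |
| How to run  | Binary                          | Binary          | ShellScript                            | Binary               |
| Dependency  | No                              | No              | Some dependencies                      | No                   |
| CI Suitable |                                 |                 | x                                      | x                    |
| Purpose     | Security Audit, Dockerfile Lint | Dockerfile Lint | Security Audit, Dockerfile Lint        | Scan Vulnerabilities |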


Homebrew (Mac OS X / Linux and WSL)

You can use Homebrew on Mac OS X or Linux and WSL (Windows Subsystem for Linux).

$ brew install goodwithtech/dockle/dockle


$ VERSION=$(
 curl --silent "" | \
 grep '"tag_name":' | \
 sed -E 's/.*"v([^"]+)".*/\1/' \
) && rpm -ivh${VERSION}/dockle_${VERSION}_Linux-64bit.rpm


$ VERSION=$(
 curl --silent "" | \
 grep '"tag_name":' | \
 sed -E 's/.*"v([^"]+)".*/\1/' \
) && curl -L -o dockle.deb${VERSION}/dockle_${VERSION}_Linux-64bit.deb
$ sudo dpkg -i dockle.deb && rm dockle.deb


$ VERSION=$(
 curl --silent "" | \
 grep '"tag_name":' | \
 sed -E 's/.*"v([^"]+)".*/\1/' \
) && curl -L -o${VERSION}/dockle_${VERSION}
$ unzip && rm
$ ./dockle.exe [IMAGE_NAME]


You can get the latest binary from the releases page.

Download the archive file for your operating system/architecture. Unpack the archive, and put the binary somewhere in your $PATH (on UNIX-y systems, /usr/local/bin or the like).

  • NOTE: Make sure that its execution bit is turned on (chmod +x dockle).

From source

$ GO111MODULE=off go get
$ cd $GOPATH/src/ && GO111MODULE=on go build -o $GOPATH/bin/dockle cmd/dockle/main.go

Use Docker

There is also a Dockle image on Docker Hub, so you can try dockle before installing the command.

$ VERSION=$(
 curl --silent "" | \
 grep '"tag_name":' | \
 sed -E 's/.*"v([^"]+)".*/\1/' \
) && docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \
  goodwithtech/dockle:v${VERSION} [YOUR_IMAGE_NAME]

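The -v /var/run/docker.sock:/var/run/docker.sock mount is only needed when you want to scan an image that exists on your host machine. Leave it out otherwise: a container with access to the Docker socket can control the host's Docker daemon.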

Quick Start


Simply specify an image name (and a tag).

$ dockle [YOUR_IMAGE_NAME]
WARN    - CIS-DI-0001: Create a user for the container
        * Last user should not be root
INFO    - CIS-DI-0005: Enable Content trust for Docker
        * export DOCKER_CONTENT_TRUST=1 before docker pull/build
WARN    - CIS-DI-0006: Add HEALTHCHECK instruction to the container image
        * not found HEALTHCHECK statement
PASS    - CIS-DI-0007: Do not use update instructions alone in the Dockerfile
PASS    - CIS-DI-0008: Remove setuid and setgid permissions in the images
PASS    - CIS-DI-0009: Use COPY instead of ADD in Dockerfile
PASS    - CIS-DI-0010: Do not store secrets in ENVIRONMENT variables
PASS    - CIS-DI-0010: Do not store secret files
PASS    - DKL-DI-0001: Avoid sudo command
PASS    - DKL-DI-0002: Avoid sensitive directory mounting
PASS    - DKL-DI-0003: Avoid apt-get/apk/dist-upgrade
PASS    - DKL-DI-0004: Use apk add with --no-cache
PASS    - DKL-DI-0005: Clear apt-get caches
WARN    - DKL-DI-0006: Avoid latest tag
        * Avoid 'latest' tag
PASS    - DKL-LI-0001: Avoid empty password
PASS    - DKL-LI-0002: Be unique UID
PASS    - DKL-LI-0002: Be unique GROUP
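
The report format shown above can be turned into a pass/fail CI check. The following is an added example, not part of Dockle or its documentation: `sample_report`, `dockle_findings` and `dockle_gate` are hypothetical helper names, and it assumes the report arrives on stdin as plain text in the layout shown above.

```sh
# Added example, not Dockle's own code: turn the text report into a CI gate.
# Excerpt of the Quick Start report above, embedded so the script runs offline.
sample_report() {
cat <<'EOF'
WARN    - CIS-DI-0001: Create a user for the container
        * Last user should not be root
INFO    - CIS-DI-0005: Enable Content trust for Docker
        * export DOCKER_CONTENT_TRUST=1 before docker pull/build
WARN    - CIS-DI-0006: Add HEALTHCHECK instruction to the container image
        * not found HEALTHCHECK statement
PASS    - CIS-DI-0010: Do not store secrets in ENVIRONMENT variables
PASS    - CIS-DI-0010: Do not store secret files
WARN    - DKL-DI-0006: Avoid latest tag
        * Avoid 'latest' tag
EOF
}

# dockle_findings LEVELS [IGNORED_CODES]  (both comma-separated; hypothetical helper)
# Reads a report on stdin and prints "LEVEL<TAB>CODE<TAB>details" per matching finding.
dockle_findings() {
  awk -v levels="$1" -v ignore="${2:-}" '
    function emit() { if (active) print level "\t" code "\t" details; active = 0 }
    BEGIN {
      n = split(levels, l, ","); for (i = 1; i <= n; i++) want[l[i]] = 1
      n = split(ignore, g, ","); for (i = 1; i <= n; i++) skip[g[i]] = 1
    }
    # Header line: "LEVEL - CODE: title" starts a new finding.
    $2 == "-" && $3 ~ /^[A-Z]+-[A-Z]+-[0-9]+:$/ {
      emit()
      level = $1; code = $3; sub(/:$/, "", code); details = ""
      active = (level in want) && !(code in skip)
      next
    }
    # Indented "* text" lines belong to the finding above them.
    active && $1 == "*" {
      sub(/^[ \t]*\*[ \t]*/, "")
      details = (details == "" ? $0 : details "; " $0)
    }
    END { emit() }
  '
}

# dockle_gate LEVELS [IGNORED_CODES]: list findings on stderr, return 1 if any remain.
dockle_gate() {
  findings=$(dockle_findings "$1" "${2:-}")
  if [ -n "$findings" ]; then printf '%s\n' "$findings" >&2; return 1; fi
}

sample_report | dockle_gate WARN || echo "gate failed: fix or explicitly ignore the findings above"
```

In a pipeline the report would come from `dockle [YOUR_IMAGE_NAME]` instead of `sample_report`, under the same plain-text assumption; findings the team has accepted go in the second argument by code, so every exception is visible in the CI configuration.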


You can also run the dockle command through Docker, as follows.

$ export DOCKLE_LATEST=$(
 curl --silent "" | \
 grep '"tag_name":' | \
 sed -E 's/.*"v([^"]+)".*/\1/' \
)
$ docker run --rm goodwithtech/dockle:v${DOCKLE_LATEST} [YOUR_IMAGE_NAME]

  • If you'd like to scan the image on your host machine, you need to mount docker.sock.

    $ docker run --rm -v /var/run/docker.sock:/var/run/docker.sock ...