default_rules.yaml
---
profile:
name: 'Default'
description: 'Default Profile. Checks basic syntax.'
includes:
#- recommended_label_rules.yaml
line_rules:
LABEL:
paramSyntaxRegex: /.+/
# Use defined_label_rules to defined a set of labels for your dockerfile
# In this example, the labels "Vendor","Authoritative_Registry","BZComponent"
# have been defined. A label value is 'valid' if matches the regular
# expression 'valueRegex', otherwise an warn is logged with the string "message"
# at level 'level'. 'reference_url' provides a web link where the user can
# get more information about the rule.
#
defined_namevals:
Name:
valueRegex: /[\w]+/
message: "Label 'Name' is missing or has invalid format"
level: 'warn'
required: true
reference_url:
- 'http://docs.projectatomic.io/container-best-practices/#'
- '_recommended_labels_for_your_project'
Version:
valueRegex: /[\w.${}()"'\\\/~<>\-?\%:]+/
message: "Label 'Version' is missing or has invalid format"
level: 'warn'
required: true
reference_url:
- 'http://docs.projectatomic.io/container-best-practices/#'
- '_recommended_labels_for_your_project'
Release:
valueRegex: /[\w.${}()"'\\\/~<>\-?\%:]+/
message: "Label 'Release' is missing or has invalid format"
level: 'warn'
required: false
reference_url:
- 'http://docs.projectatomic.io/container-best-practices/#'
- '_recommended_labels_for_your_project'
Architecture:
valueRegex: /[\w]*[6,8][4,6]|[.]*86[.]*64/
message:
"Label 'Architecture' is missing or has invalid format: x86, i386,
x86_64"
level: 'info'
required: false
reference_url:
- 'http://docs.projectatomic.io/container-best-practices/#'
- '_recommended_labels_for_your_project'
Vendor:
valueRegex: /([\w]+).+/
message: "Label 'Vendor' is missing or has invalid format"
level: 'warn'
required: false
reference_url:
- 'http://docs.projectatomic.io/container-best-practices/#'
- '_recommended_labels_for_your_project'
Url:
valueRegex: /([\w]+).+/
message: "Label 'Url' is missing or has invalid format"
level: 'warn'
required: false
reference_url:
- 'http://docs.projectatomic.io/container-best-practices/#'
- '_recommended_labels_for_your_project'
Help:
valueRegex: /([\w]+).+/
message: "Label 'Help' is missing or has invalid format"
level: 'warn'
required: false
reference_url:
- 'http://docs.projectatomic.io/container-best-practices/#'
- '_recommended_labels_for_your_project'
FROM:
paramSyntaxRegex: /^[${}\w./\-:]+(:[${}\w.]+)?(-[${}\w.]+)?( as [-_\w]+)?$/i
rules:
- label: 'is_latest_tag'
regex: /latest/
level: 'error'
message: "base image uses 'latest' tag"
description:
"using the 'latest' tag may cause unpredictable builds. It is
recommended that a specific tag is used in the FROM line or *-released
which is the latest supported release."
reference_url:
- 'https://docs.docker.com/engine/reference/builder/'
- '#from'
- label: 'no_tag'
regex: /^[:]/
level: 'error'
message: 'No tag is used'
description: 'lorem ipsum tar'
reference_url:
- 'https://docs.docker.com/engine/reference/builder/'
- '#from'
- label: 'from_not_redhat'
regex: /rhel|redhat*/
inverse_rule: true
level: 'info'
message: 'Base Image is not from Red Hat'
description: 'Base Image must be from Red Hat'
reference_url:
- 'https://cdn-ubi.redhat.com/content/public/ubi/dist/'
- '#from'
MAINTAINER:
paramSyntaxRegex: /.+/
rules: []
RUN:
paramSyntaxRegex: /.+/
rules:
- label: 'no_yum_clean_all'
regex: /yum(?!.+clean all|.+\.repo|-config|\.conf)/
level: 'warn'
message: 'yum clean all is not used'
description:
'the yum cache will remain in this layer making the layer
unnecessarily large'
reference_url:
- 'http://docs.projectatomic.io/container-best-practices/#'
- '_clear_packaging_caches_and_temporary_package_downloads'
- label: 'yum_update_all'
regex: /yum(.+update all|.+upgrade|.+update)/
level: 'info'
message:
'updating the entire base image may add unnecessary size to the
container'
description:
'update the entire base image may add unnecessary size to the
container'
reference_url:
- 'http://docs.projectatomic.io/container-best-practices/#'
- '_clear_packaging_caches_and_temporary_package_downloads'
- label: 'no_dnf_clean_all'
regex: /dnf(?!.+clean all|.+\.repo)/g
level: 'warn'
message: 'dnf clean all is not used'
description:
'the dnf cache will remain in this layer making the layer
unnecessarily large'
reference_url:
- 'http://docs.projectatomic.io/container-best-practices/#'
- '_clear_packaging_caches_and_temporary_package_downloads'
- label: 'no_rvm_cleanup_all'
regex: /rvm install(?!.+cleanup all)/g
level: 'warn'
message: 'rvm cleanup is not used'
description:
'the rvm cache will remain in this layer making the layer
unnecessarily large'
reference_url:
- 'http://docs.projectatomic.io/container-best-practices/#'
- '_clear_packaging_caches_and_temporary_package_downloads'
- label: 'no_gem_clean_all'
regex: /gem install(?!.+cleanup|.+\rvm cleanup all)/g
level: 'warn'
message: 'gem cleanup all is not used'
description:
'the gem cache will remain in this layer making the layer
unnecessarily large'
reference_url:
- 'http://docs.projectatomic.io/container-best-practices/#'
- '_clear_packaging_caches_and_temporary_package_downloads'
- label: 'no_apt-get_clean'
regex: /apt-get install(?!.+clean)/g
level: 'info'
message: 'apt-get clean is not used'
description:
'the apt-get cache will remain in this layer making the layer
unnecessarily large'
reference_url:
- 'http://docs.projectatomic.io/container-best-practices/#'
- '_clear_packaging_caches_and_temporary_package_downloads'
- label: 'privileged_run_container'
regex: /privileged/
level: 'warn'
message: 'a privileged run container is allowed access to host devices'
description: 'Does this run need to be privileged?'
reference_url:
- 'http://docs.docker.com/engine/reference/run/#'
- 'runtime-privilege-and-linux-capabilities'
- label: 'installing_ssh'
regex: /openssh-server/
level: 'warn'
message: 'installing SSH in a container is not recommended'
description: 'Do you really need SSH in this image?'
reference_url: 'https://github.com/jpetazzo/nsenter'
- label: 'no_ampersand_usage'
regex: / ; /
level: 'info'
message: 'using ; instead of &&'
description:
'RUN do_1 && do_2: The ampersands change the resulting evaluation into
do_1 and then do_2 only if do_1 was successful.'
reference_url:
- 'http://docs.projectatomic.io/container-best-practices/#'
- '#_using_semi_colons_vs_double_ampersands'
EXPOSE:
paramSyntaxRegex: /^[\d-\s\w/\\]+$/
rules: []
ENV:
paramSyntaxRegex: /^[\w-$/\\=\"[\]{}@:,'`\t. ]+$/
rules: []
ADD:
paramSyntaxRegex: /^~?([\w-.~:/?#\[\]\\\/*@!$&'()*+,;=.{}"]+[\s]*)+$/
COPY:
paramSyntaxRegex: /.+/
rules: []
ENTRYPOINT:
paramSyntaxRegex: /.+/
rules: []
VOLUME:
paramSyntaxRegex: /.+/
rules: []
USER:
paramSyntaxRegex: /^[a-zA-Z0-9_$][a-zA-Z0-9_-]{0,40}$/
rules: []
WORKDIR:
paramSyntaxRegex: /^~?[\w\d-\/.{}$\/:]+[\s]*$/
rules: []
ONBUILD:
paramSyntaxRegex: /.+/
rules: []
required_instructions:
- instruction: 'EXPOSE'
count: 1
level: 'info'
message: "There is no 'EXPOSE' instruction"
description:
'Without exposed ports how will the service of the container be accessed?'
reference_url:
- 'https://docs.docker.com/engine/reference/builder/'
- '#expose'