Summary
Add an examples/ directory with sample Dockerfiles for learning and local testing, plus a root .dockerignore so docker build stays fast and does not send .venv into the build context.
The CHANGELOG (v0.x) already documents a "Complete Examples Directory", but that folder is not present on main today. This issue tracks adding it back.
Problem Statement
- New users lack runnable sample Dockerfiles to compare secure vs vulnerable patterns.
- Local
docker build for the project Dockerfile is very slow without .dockerignore because .venv (~300MB) is included in the build context.
- README and getting-started docs reference examples in templates/issues but there is no
examples/ path in the tree.
Proposed Solution
1. examples/ directory
| Example |
Purpose |
python-flask-secure/ |
Hardened Python: pinned base, non-root user, health check |
nodejs-vulnerable/ |
Intentional misconfigurations for education (not for production) |
golang-multistage/ |
Multi-stage build with distroless runtime |
Each subfolder should include:
Dockerfile- Minimal app source
README.md with docksec scan commands
Top-level examples/README.md with a short learning path.
2. Root .dockerignore
Exclude at minimum:
.venv, .git, __pycache__, .env, tests, docs, build artifacts
3. Documentation
- Link
examples/ from root README.md Quick Start
- Add an Examples section to
tab_gettingstarted.md
Example usage:
# Scan only (no API key)
docksec examples/nodejs-vulnerable/Dockerfile --scan-only
# Build and scan Go example
docker build -t docksec-example-go:local examples/golang-multistage
docksec examples/golang-multistage/Dockerfile -i docksec-example-go:local --scan-only
Alternatives Considered
- Document examples only in README without files in-repo (harder to run and test).
- Single example instead of three (less useful for comparing secure vs vulnerable outcomes).
Use Case
Acceptance Criteria
Implementation Notes (local validation)
Validated locally on macOS (Docker, Hadolint, Trivy, Docker Scout):
| Example |
Scan mode |
Approx. score |
nodejs-vulnerable |
Dockerfile only |
76.5 |
python-flask-secure |
Dockerfile + image |
49.5 (image CVEs) |
golang-multistage |
Dockerfile + image |
48.0 (Go stdlib CVEs in binary) |
Implementation is ready on branch ayush1 for a follow-up PR if maintainers agree.
Related Issues
- Referenced in
.github/ISSUE_TEMPLATE/question.md (examples directory link)
- Documented in
docs/CHANGELOG.md but missing from repository tree
Summary
Add an
examples/directory with sample Dockerfiles for learning and local testing, plus a root.dockerignoresodocker buildstays fast and does not send.venvinto the build context.The CHANGELOG (v0.x) already documents a "Complete Examples Directory", but that folder is not present on
maintoday. This issue tracks adding it back.Problem Statement
docker buildfor the project Dockerfile is very slow without.dockerignorebecause.venv(~300MB) is included in the build context.examples/path in the tree.Proposed Solution
1.
examples/directorypython-flask-secure/nodejs-vulnerable/golang-multistage/Each subfolder should include:
DockerfileREADME.mdwithdocksecscan commandsTop-level
examples/README.mdwith a short learning path.2. Root
.dockerignoreExclude at minimum:
.venv,.git,__pycache__,.env,tests,docs, build artifacts3. Documentation
examples/from rootREADME.mdQuick Starttab_gettingstarted.mdExample usage:
Alternatives Considered
Use Case
Acceptance Criteria
examples/contains three documented sample projects with scan instructions.dockerignoreprevents.venvfrom bloating Docker build contextexamples/README.mdImplementation Notes (local validation)
Validated locally on macOS (Docker, Hadolint, Trivy, Docker Scout):
nodejs-vulnerablepython-flask-securegolang-multistageImplementation is ready on branch
ayush1for a follow-up PR if maintainers agree.Related Issues
.github/ISSUE_TEMPLATE/question.md(examples directory link)docs/CHANGELOG.mdbut missing from repository tree