Dockerfile Security Scanner - Complete Go Rewrite
Analyze Dockerfiles for security vulnerabilities and exposed credentials using regex-based rules.
Features
-
35 Built-in Security Rules across 5 categories:
- Core best practices (10 rules)
- Credential detection (11 rules) - detects AWS keys, GitHub tokens, API keys, private keys
- Security issues (7 rules) - Docker socket mounts, dangerous permissions, sudo usage
- Package management (4 rules) - apt-get cleanup, pip cache, npm cache
- Configuration issues (3 rules) - privileged containers, dangerous ports
-
Multi-platform Support: Linux, macOS, Windows (amd64, arm64)
-
Flexible Output: ASCII table or JSON
-
Custom Rules: Load your own YAML rules
-
Ignore Rules: Suppress specific findings
-
CI/CD Ready: Exit code 1 on issues for automated workflows
Usage
```yaml
- uses: cr0hn/dockerfile-security@v0.2.0
with:
dockerfile: 'Dockerfile'
fail-on-issues: true
```
What's New in v0.2.0
- Complete rewrite from Python to Go for better performance
- Expanded from 16 to 35 security rules
- Added GitHub Action support for seamless CI/CD integration
- Improved credential detection (GitHub PAT, RSA keys, OpenAI, Stripe)
- Enhanced regex patterns for better accuracy
See README for full documentation.