From 1ee434bbfce608cd222ad0fc0341743178a175ae Mon Sep 17 00:00:00 2001 From: Jim Van Fleet Date: Wed, 13 Jul 2016 10:28:57 -0400 Subject: [PATCH] Adding lint example to build process --- Jenkinsfile | 4 + config/default_rules.yaml | 259 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 263 insertions(+) create mode 100644 config/default_rules.yaml diff --git a/Jenkinsfile b/Jenkinsfile index d8ecc99..b7b7604 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -7,6 +7,10 @@ node { sh './build_image.sh' + stage 'Lint' + + sh 'docker run -it --rm --privileged -v `pwd`:/root/ projectatomic/dockerfile-lint dockerfile_lint' + stage 'Tests' sh '/usr/local/bin/bats tests/base.bats' diff --git a/config/default_rules.yaml b/config/default_rules.yaml new file mode 100644 index 0000000..e6c7254 --- /dev/null +++ b/config/default_rules.yaml 
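Review bot: The new Lint stage runs the linter container with `--privileged`, which gives a third-party image full capability and device access on the Jenkins node although dockerfile_lint only needs to read the mounted workspace; drop the flag and mount the workspace read-only, e.g. `sh 'docker run --rm -v "$(pwd)":/root/:ro projectatomic/dockerfile-lint:<pinned-tag> dockerfile_lint'`. The image is pulled without a tag, so it resolves to `latest`, the same practice the added `is_latest_tag` rule reports at `error` level for Dockerfiles. `-it` also requests a TTY that a Jenkins `sh` step does not provide, so the command is likely to fail before linting anything; `--rm` on its own is enough. As far as this command shows, the new `config/default_rules.yaml` is never handed to the linter, so if it is meant to replace the image's built-in profile, add `-r config/default_rules.yaml` to the `dockerfile_lint` invocation. The enclosing `node { … }` block begins and ends outside the hunk.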
@@ -0,0 +1,259 @@
+---
+ profile:
+ name: "Default"
+ description: "Default Profile. Checks basic syntax."
+ includes:
+ #- recommended_label_rules.yaml
+ line_rules:
+ LABEL:
+ paramSyntaxRegex: /.+/
+ # Use defined_label_rules to defined a set of labels for your dockerfile
+ # In this example, the labels "Vendor","Authoritative_Registry","BZComponent"
+ # have been defined. A label value is 'valid' if matches the regular
+ # expression 'valueRegex', otherwise an warn is logged with the string "message"
+ # at level 'level'. 'reference_url' provides a web link where the user can
+ # get more information about the rule.
+ #
+ defined_namevals:
+ Name:
+ valueRegex: /([\w]+)./
+ message: "Label 'Name' is missing or has invalid format"
+ level: "warn"
+ required: true
+ reference_url:
+ - "http://docs.projectatomic.io/container-best-practices/#"
+ - "_recommended_labels_for_your_project"
+ Version:
+ valueRegex: /([\w]+.*)./
+ message: "Label 'Version' is missing or has invalid format"
+ level: "warn"
+ required: true
+ reference_url:
+ - "http://docs.projectatomic.io/container-best-practices/#"
+ - "_recommended_labels_for_your_project"
+ Release:
+ valueRegex: /([\w]+.*)./
+ message: "Label 'Release' is missing or has invalid format"
+ level: "warn"
+ required: true
+ reference_url:
+ - "http://docs.projectatomic.io/container-best-practices/#"
+ - "_recommended_labels_for_your_project"
+ Architecture:
+ valueRegex: /[\w]*[6,8][4,6]|[.]*86[.]*64/
+ message: "Label 'Architecture' is missing or has invalid format: x86, i386, x86_64"
+ level: "warn"
+ required: true
+ reference_url:
+ - "http://docs.projectatomic.io/container-best-practices/#"
+ - "_recommended_labels_for_your_project"
+ Vendor:
+ valueRegex: /([\w]+).+/
+ message: "Label 'Vendor' is missing or has invalid format"
+ level: "warn"
+ required: true
+ reference_url:
+ - "http://docs.projectatomic.io/container-best-practices/#"
+ - "_recommended_labels_for_your_project"
+ Url:
+ valueRegex: /([\w]+).+/
+ message: "Label 'Url' is missing or has invalid format"
+ level: "warn"
+ required: true
+ reference_url:
+ - "http://docs.projectatomic.io/container-best-practices/#"
+ - "_recommended_labels_for_your_project"
+ Help:
+ valueRegex: /([\w]+).+/
+ message: "Label 'Help' is missing or has invalid format"
+ level: "warn"
+ required: true
+ reference_url:
+ - "http://docs.projectatomic.io/container-best-practices/#"
+ - "_recommended_labels_for_your_project"
+
+ FROM:
+ paramSyntaxRegex: /^[a-z0-9./-]+(:[a-z0-9.]+)?$/
+ rules:
+ -
+ label: "is_latest_tag"
+ regex: /latest/
+ level: "error"
+ message: "base image uses 'latest' tag"
+ description: "using the 'latest' tag may cause unpredictable builds. It is recommended that a specific tag is used in the FROM line or *-released which is the latest supported release."
+ reference_url:
+ - "https://docs.docker.com/reference/builder/"
+ - "#from"
+ label: "no_tag"
+ regex: /^[:]/
+ level: "error"
+ message: "No tag is used"
+ description: "lorem ipsum tar"
+ reference_url:
+ - "https://docs.docker.com/reference/builder/"
+ - "#from"
+ label: "specified_registry"
+ regex: /[a-zA-Z0-9]+?\.[a-zA-Z0-9-]+(\:|\.)([a-zA-Z0-9.]+|(\d+)?)([/?:].*)?/
+ level: "warn"
+ message: "using a specified registry in the FROM line"
+ description: "using a specified registry may supply invalid or unexpected base images"
+ reference_url:
+ - "https://docs.docker.com/reference/builder/"
+ - "#entrypoint"
+ MAINTAINER:
+ paramSyntaxRegex: /.+/
+ rules: []
+ RUN:
+ paramSyntaxRegex: /.+/
+ rules:
+ -
+ label: "no_yum_clean_all"
+ regex: /yum(?!.+clean all|.+\.repo)/g
+ level: "warn"
+ message: "yum clean all is not used"
+ description: "the yum cache will remain in this layer making the layer unnecessarily large"
+ reference_url:
+ - "http://docs.projectatomic.io/container-best-practices/#"
+ - "_clear_packaging_caches_and_temporary_package_downloads"
+ -
+ label: "yum_update_all"
+ regex: /yum(.+update all|.+upgrade|.+update)/
+ level: "warn"
+ message: "updating the entire base image may add unnecessary size to the container"
+ description: "update the entire base image may add unnecessary size to the container"
+ reference_url:
+ - "http://docs.projectatomic.io/container-best-practices/#"
+ - "_clear_packaging_caches_and_temporary_package_downloads"
+ -
+ label: "no_dnf_clean_all"
+ regex: /dnf(?!.+clean all|.+\.repo)/g
+ level: "warn"
+ message: "dnf clean all is not used"
+ description: "the dnf cache will remain in this layer making the layer unnecessarily large"
+ reference_url:
+ - "http://docs.projectatomic.io/container-best-practices/#"
+ - "_clear_packaging_caches_and_temporary_package_downloads"
+ -
+ label: "no_rvm_cleanup_all"
+ regex: /rvm install(?!.+cleanup all)/g
+ level: "warn"
+ message: "rvm cleanup is not used"
+ description: "the rvm cache will remain in this layer making the layer unnecessarily large"
+ reference_url:
+ - "http://docs.projectatomic.io/container-best-practices/#"
+ - "_clear_packaging_caches_and_temporary_package_downloads"
+ -
+ label: "no_gem_clean_all"
+ regex: /gem install(?!.+cleanup|.+\rvm cleanup all)/g
+ level: "warn"
+ message: "gem cleanup all is not used"
+ description: "the gem cache will remain in this layer making the layer unnecessarily large"
+ reference_url:
+ - "http://docs.projectatomic.io/container-best-practices/#"
+ - "_clear_packaging_caches_and_temporary_package_downloads"
+ -
+ label: "no_apt-get_clean"
+ regex: /apt-get install(?!.+clean)/g
+ level: "warn"
+ message: "apt-get clean is not used"
+ description: "the apt-get cache will remain in this layer making the layer unnecessarily large"
+ reference_url:
+ - "http://docs.projectatomic.io/container-best-practices/#"
+ - "_clear_packaging_caches_and_temporary_package_downloads"
+ -
+ label: "privileged_run_container"
+ regex: /privileged/
+ level: "warn"
+ message: "a privileged run container is allowed access to host devices"
+ description: "Does this run need to be privileged?"
+ reference_url:
+ - "http://docs.docker.com/engine/reference/run/#"
+ - "runtime-privilege-and-linux-capabilities"
+ -
+ label: "installing_ssh"
+ regex: /ssh/
+ level: "warn"
+ message: "installing SSH in a container is not recommended"
+ description: "Do you really need SSH in this image?"
+ reference_url: "https://github.com/jpetazzo/nsenter"
+ -
+ label: "no_ampersand_usage"
+ regex: / ; /
+ level: "warn"
+ message: "using ; instead of &&"
+ description: "RUN do_1 && do_2: The ampersands change the resulting evaluation into do_1 and then do_2 only if do_1 was successful."
+ reference_url:
+ - "http://docs.projectatomic.io/container-best-practices/#"
+ - "#_using_semi_colons_vs_double_ampersands"
+ EXPOSE:
+ paramSyntaxRegex: /[0-9]+([0-9\s|-]+)?/
+ rules: []
+ ENV:
+ paramSyntaxRegex: /^[a-zA-Z_]+[a-zA-Z0-9_]* .+$/
+ rules: []
+ ADD:
+ paramSyntaxRegex: /^(~?[A-z0-9\/_.-]+|https?:\/\/(www\.)?[-a-zA-Z0-9@:%._\+~#=]{2,256}\.[a-z]{2,6}\b([-a-zA-Z0-9@:%_\+.~#?&\/\/=]*))\s~?[A-z0-9\/_.-]+$/
+ COPY:
+ paramSyntaxRegex: /.+/
+ rules: []
+ ENTRYPOINT:
+ paramSyntaxRegex: /.+/
+ rules: []
+ VOLUME:
+ paramSyntaxRegex: /.+/
+ rules: []
+ USER:
+ paramSyntaxRegex: /^[a-z0-9_][a-z0-9_]{0,40}$/
+ rules: []
+ WORKDIR:
+ paramSyntaxRegex: /^~?[A-z0-9\/_.-]+$/
+ rules: []
+ ONBUILD:
+ paramSyntaxRegex: /.+/
+ rules: []
+ required_instructions:
+ -
+ instruction: "MAINTAINER"
+ count: 1
+ level: "error"
+ message: "Maintainer is not defined"
+ description: "The MAINTAINER line is useful for identifying the author in the form of MAINTAINER Joe Smith "
+ reference_url:
+ - "https://docs.docker.com/reference/builder/"
+ - "#maintainer"
+ -
+ instruction: "EXPOSE"
+ count: 1
+ level: "info"
+ message: "There is no 'EXPOSE' instruction"
+ description: "Without exposed ports how will the service of the container be accessed?"
+ reference_url:
+ - "https://docs.docker.com/reference/builder/"
+ - "#expose"
+ -
+ instruction: "ENTRYPOINT"
+ count: 1
+ level: "info"
+ message: "There is no 'ENTRYPOINT' instruction"
+ description: "None"
+ reference_url:
+ - "https://docs.docker.com/reference/builder/"
+ - "#entrypoint"
+ -
+ instruction: "CMD"
+ count: 1
+ level: "info"
+ message: "There is no 'CMD' instruction"
+ description: "None"
+ reference_url:
+ - "https://docs.docker.com/reference/builder/"
+ - "#cmd"
+ -
+ instruction: "USER"
+ count: 1
+ level: "warn"
+ message: "No 'USER' instruction"
+ description: "The process(es) within the container may run as root and RUN instructions my be run as root"
+ reference_url:
+ - "https://docs.docker.com/reference/builder/"
+ - "#user"
\ No newline at end of file
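Review bot: Under `FROM: rules:` only `is_latest_tag` is introduced by a `-` item line; `label: "no_tag"` and `label: "specified_registry"` continue the same mapping, so `label`, `regex`, `level`, `message`, `description` and `reference_url` become duplicate keys. Most YAML loaders keep the last value, which means the two `error`-level checks for a `latest` or missing base-image tag are silently replaced by the `specified_registry` warning; add a `-` line before each of the two later `label:` entries, as the `RUN` rules already do (indentation is lost in this collapsed hunk, so confirm the nesting against the file). The `no_tag` rule still carries placeholder text, `description: "lorem ipsum tar"`, and `specified_registry` links to `"#entrypoint"` where the other `FROM` rules link to `"#from"`. Because `privileged_run_container` and the `USER` required instruction are only `warn`, an image that runs as root still passes this profile; consider `level: "error"` for the `USER` entry if the stage is meant to gate the build on it.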