1 parent
869130c
commit 75680a1
Showing
6 changed files
with
196 additions
and
0 deletions.
File renamed without changes.
File renamed without changes.
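--- /dev/null
+++ b/[path not shown]
@@ -0,0 +1,37 @@
+name: bootstrap
+
+on:
+push:
+branches: [ main ]
+paths:
+- 'hadolint/**'
+pull_request:
+branches: [ main ]
+paths:
+- 'hadolint/**'
+workflow_dispatch:
+jobs:
+build:
+runs-on: ubuntu-latest
+defaults:
+run:
+working-directory: hadolint
+steps:
+- uses: actions/checkout@v4
+
+- name: Install QEMU static binaries
+uses: docker/setup-qemu-action@v3
+
+- name: Set up Docker Buildx
+uses: docker/setup-buildx-action@v3
+
+- name: Login to DockerHub
+uses: docker/login-action@v3
+with:
+username: ${{ secrets.CONTAINER_REGISTRY_USERNAME }}
+password: ${{ secrets.CONTAINER_REGISTRY_PASSWORD }}
+
+- name: Build and push
+uses: docker/bake-action@v4
+with:
+push: true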
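Review bot: The `Build and push` step has `push: true` unconditionally while the workflow also triggers on `pull_request`, so a PR that touches `hadolint/**` publishes the `:latest` and `:2.12.0` tags from the bake `_common` target before review, and on PRs from forks the `Login to DockerHub` step fails because repository secrets are not exposed there. Gate both on the event: `if: github.event_name != 'pull_request'` on the login step and `push: ${{ github.event_name != 'pull_request' }}` on the bake step, so PR runs only build. The third-party actions are referenced by mutable major tags (`@v3`, `@v4`); pinning each to a full commit SHA with the tag noted in a comment keeps the build reproducible and limits exposure if a tag is retargeted. Note also that `defaults.run.working-directory: hadolint` applies only to `run` steps, not to `uses` steps, so `docker/bake-action` would look for the bake file at the repository root unless given its own `workingdir: hadolint` input — worth confirming against the repository layout.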
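--- /dev/null
+++ b/[path not shown]/Containerfile
@@ -0,0 +1,38 @@
+# syntax=docker/dockerfile:1
+ARG CONTAINER_REGISTRY=docker.io
+FROM $CONTAINER_REGISTRY/ubuntu:jammy-20231004 as base
+
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+RUN <<EOF
+apt-get update
+apt-get install --no-install-recommends -y \
+ca-certificates \
+curl \
+xz-utils
+rm -rf /var/lib/apt/lists/*
+dpkgArch="$(dpkg --print-architecture)"
+case "${dpkgArch##*-}" in \
+amd64) \
+HADOLINT_URL=https://github.com/hadolint/hadolint/releases/download/v2.12.0/hadolint-Linux-x86_64 \
+HADOLINT_SHA256='56de6d5e5ec427e17b74fa48d51271c7fc0d61244bf5c90e828aab8362d55010' \
+;; \
+arm64) \
+HADOLINT_URL=https://github.com/hadolint/hadolint/releases/download/v2.12.0/hadolint-Linux-arm64 \
+HADOLINT_SHA256='5798551bf19f33951881f15eb238f90aef023f11e7ec7e9f4c37961cb87c5df6' \
+;; \
+*) echo "unsupported architecture"; exit 1 ;; \
+esac
+curl -fsSL -o /usr/local/bin/hadolint -L ${HADOLINT_URL}
+chmod +x /usr/local/bin/hadolint
+echo "${HADOLINT_SHA256} /usr/local/bin/hadolint" | sha256sum -c -
+EOF
+
+FROM base as lint
+COPY --from=base --chmod=777 /usr/local/bin/hadolint /usr/local/bin/hadolint
+COPY Containerfile /
+
+RUN /usr/local/bin/hadolint --ignore DL3008 --ignore DL3033 --ignore DL3059 Containerfile
+
+FROM base as release
+COPY --from=base --chmod=777 /usr/local/bin/hadolint /bin/hadolint
+CMD ["/bin/hadolint", "-"]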
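Review bot: The heredoc `RUN` in the `base` stage has no `set -e`, so apart from the explicit `exit 1` in the `case` default, a failing line (for example `apt-get install`) does not stop the script and only the exit status of the last line, `sha256sum -c -`, decides the result; the checksum is also verified after `chmod +x` rather than before. Start the script with `set -euo pipefail` and move `chmod +x /usr/local/bin/hadolint` below the `sha256sum -c -` line so the binary only becomes executable once verified. The `COPY --chmod=777` in the `lint` and `release` stages leaves the binary world-writable; `--chmod=755` is sufficient, and since both stages are `FROM base` the binary already exists at `/usr/local/bin/hadolint`, making the `lint` stage's copy redundant. The `release` stage also ends without a `USER` directive and inherits `curl` and `xz-utils` from `base`; a final stage built from a minimal image that copies only the verified binary and sets a non-root `USER` would reduce both image size and attack surface.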
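--- /dev/null
+++ b/[path not shown]
@@ -0,0 +1,76 @@
+# hadolint
+
+Hadolint is a linter for Containerfiles/Dockerfiles. It helps you build [best practice](https://docs.docker.com/develop/develop-images/dockerfile_best-practices/) container images.
+
+We use this during the `lint` phase of our CI pipelines for container images.
+
+This image packages releases from https://github.com/hadolint/hadolint
+
+Image source: https://github.com/boxcutter/oci/tree/main/bootstrap/hadolint
+
+# Using hadolint
+
+To lint a `Containerfile` just pipe it to `docker run`:
+
+```bash
+docker container run --rm -i docker.io/boxcutter/hadolint < Containerfile
+```
+
+# CLI
+
+```bash
+docker container run --rm -i docker.io/boxcutter/hadolint hadolint --help
+hadolint - Dockerfile Linter written in Haskell
+
+Usage: hadolint [-v|--version] [-c|--config FILENAME] [DOCKERFILE...]
+[--file-path-in-report FILEPATHINREPORT] [--no-fail]
+[--no-color] [-V|--verbose] [-f|--format ARG] [--error RULECODE]
+[--warning RULECODE] [--info RULECODE] [--style RULECODE]
+[--ignore RULECODE]
+[--trusted-registry REGISTRY (e.g. docker.io)]
+[--require-label LABELSCHEMA (e.g. maintainer:text)]
+[--strict-labels] [--disable-ignore-pragma]
+[-t|--failure-threshold THRESHOLD]
+
+Lint Dockerfile for errors and best practices
+
+Available options:
+-h,--help Show this help text
+-v,--version Show version
+-c,--config FILENAME Path to the configuration file
+--file-path-in-report FILEPATHINREPORT
+The file path referenced in the generated report.
+This only applies for the 'checkstyle' format and is
+useful when running Hadolint with Docker to set the
+correct file path.
+--no-fail Don't exit with a failure status code when any rule
+is violated
+--no-color Don't colorize output
+-V,--verbose Enables verbose logging of hadolint's output to
+stderr
+-f,--format ARG The output format for the results [tty | json |
+checkstyle | codeclimate | gitlab_codeclimate | gnu |
+codacy | sonarqube | sarif] (default: tty)
+--error RULECODE Make the rule `RULECODE` have the level `error`
+--warning RULECODE Make the rule `RULECODE` have the level `warning`
+--info RULECODE Make the rule `RULECODE` have the level `info`
+--style RULECODE Make the rule `RULECODE` have the level `style`
+--ignore RULECODE A rule to ignore. If present, the ignore list in the
+config file is ignored
+--trusted-registry REGISTRY (e.g. docker.io)
+A docker registry to allow to appear in FROM
+instructions
+--require-label LABELSCHEMA (e.g. maintainer:text)
+The option --require-label=label:format makes
+Hadolint check that the label `label` conforms to
+format requirement `format`
+--strict-labels Do not permit labels other than specified in
+`label-schema`
+--disable-ignore-pragma Disable inline ignore pragmas `# hadolint
+ignore=DLxxxx`
+-t,--failure-threshold THRESHOLD
+Exit with failure code only when rules with a
+severity equal to or above THRESHOLD are violated.
+Accepted values: [error | warning | info | style |
+ignore | none] (default: info)
+```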
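--- /dev/null
+++ b/[path not shown]
@@ -0,0 +1,45 @@
+variable "IMAGE_NAME" {
+default = "hadolint"
+}
+
+variable "VERSION" {
+default = "2.12.0"
+}
+
+variable "CONTAINER_REGISTRY" {
+default = "docker.io/boxcutter"
+}
+
+# There's no darwin-based Docker, so if we're running on macOS, change the platform to linux
+variable "LOCAL_PLATFORM" {
+default = regex_replace("${BAKE_LOCAL_PLATFORM}", "^(darwin)", "linux")
+}
+
+target "_common" {
+dockerfile = "Containerfile"
+tags = [
+# docker.io/boxcuter/hadolint:x.x.x
+"${CONTAINER_REGISTRY}/${IMAGE_NAME}:${VERSION}",
+"${CONTAINER_REGISTRY}/${IMAGE_NAME}:latest"
+]
+}
+
+target "lint" {
+dockerfile = "Containerfile"
+target = "lint"
+output = ["type=cacheonly"]
+}
+
+target "local" {
+inherits = ["_common"]
+platforms = ["${LOCAL_PLATFORM}"]
+}
+
+group "default" {
+targets = ["lint", "release"]
+}
+
+target "release" {
+inherits = ["_common"]
+platforms = ["linux/amd64", "linux/arm64/v8"]
+}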
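Review bot: `VERSION` defaults to `2.12.0` here while the Containerfile hard-codes the `v2.12.0` download URLs and their SHA-256 digests, so the two can drift and the image would carry a version tag that does not match the binary inside it; passing the version through as a build arg (`args = { HADOLINT_VERSION = VERSION }` in `_common`) once the Containerfile accepts it as an `ARG`, or at least a comment next to `VERSION` stating that the Containerfile URLs and digests must be updated in step, would close that gap. The comment above the tags reads `boxcuter`; it should read `boxcutter`. The `lint` target deliberately does not inherit `_common` (it only emits a `cacheonly` output and needs no tags), and a one-line comment saying so would spare the next reader the question.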