dockle
Dockle is a container image linter that scans Docker images for security vulnerabilities and best-practice violations, including CIS Benchmarks. It runs as a simple CLI tool with minimal dependencies and integrates into CI/CD pipelines for automated security audits.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | goodwithtech/dockle |
| Owner | goodwithtech |
| Primary language | Go |
| License | Apache-2.0 — OSI-approved |
| Stars | 3.3k |
| Forks | 162 |
| Open issues | 43 |
| Latest release | v0.4.15 (2025-01-06) |
| Last updated | 2026-07-02 |
| Source | https://github.com/goodwithtech/dockle |
What dockle is
Written in Go, Dockle analyzes built container images (not Dockerfiles) to detect security issues, misconfigurations, and best-practice deviations. It supports multiple output formats (JSON, SARIF), customizable checkpoint rules, and private registry authentication for DockerHub, ECR, GCR, and self-hosted registries.
Get the dockle source
Clone the repository and explore it locally.
git clone https://github.com/goodwithtech/dockle.gitcd dockle# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Requires Docker daemon access (via socket) to scan images; plan authentication and access control for registry credentials in CI environments.
- Supports customizable checkpoint rules and exception lists for environment variables, files, and extensions to avoid false positives in your workflow.
- CIS Benchmarks are embedded; validate that checkpoint coverage aligns with your organization's security policies and compliance requirements.
- Output formats (JSON, SARIF) integrate with downstream tools; configure exit codes to enforce policy (exit 0, non-zero) to control pipeline flow.
- Multiple installation methods (Homebrew, package managers, binary, Docker, asdf, mise) ease deployment across diverse developer and CI environments.
When to avoid it — and what to weigh
- Need Dockerfile Linting — Dockle scans built images, not Dockerfiles. Use Hadolint if you need static Dockerfile analysis before the build stage.
- Require Runtime Container Scanning — Dockle audits image metadata and content; it does not monitor running containers. Use Docker Bench for Security or runtime monitors for live container security.
- Need CVE Vulnerability Database Scanning — Dockle focuses on configuration and best-practice checks. For dependency vulnerability scanning, layer Clair, Trivy, or Grype alongside Dockle.
- Low Tolerance for Tool Maintenance Risk — Latest release v0.4.15 is from January 2025 but repository last push was July 2026 (data inconsistency). Verify current maintenance status before adoption.
License & commercial use
Licensed under Apache License 2.0 (Apache-2.0), a permissive open-source license. README incorrectly displays AGPL v3 badge; defer to GitHub repository metadata (Apache-2.0) as authoritative.
Apache 2.0 permits commercial use without network restrictions (unlike AGPL). Suitable for proprietary/commercial toolchains. No vendor lock-in or paid support entanglement evident from provided data.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Needs review |
| Deployment complexity | Low |
| DEV.co fit | Strong |
| Assessment confidence | Medium |
Dockle audits image configuration and best practices but does not perform CVE scanning; layer with Clair, Trivy, or Grype for vulnerability database checks. Checkpoints include CIS Benchmarks, which are industry-recognized baselines. Docker socket access required for scanning introduces local privilege surface; restrict to build agents with least-privilege credentials. Private registry auth credentials must be stored securely in CI (secrets management). No claims about Dockle's own supply chain security posture are evident; review code and dependencies independently.
Alternatives to consider
Hadolint
Static Dockerfile linter; scans build-time instructions before image creation, catching issues earlier. Complementary to Dockle if you need both Dockerfile and image-level checks.
Trivy (Aqua Security)
Combines image vulnerability scanning (CVE database), misconfigurations, and secrets detection. More comprehensive but heavier; use if CVE scanning is mandatory.
Docker Bench for Security
Host and runtime container auditing (not image-focused). Choose if you need Docker daemon, host kernel, and running container security assessment.
Build on dockle with DEV.co software developers
Integrate Dockle into your CI/CD pipeline to automate Docker image security audits and enforce best practices across your container deployments.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
dockle FAQ
Does Dockle scan for CVE vulnerabilities?
Can I use Dockle in private registries?
What output formats does Dockle support?
Is the Apache 2.0 license permissive for commercial use?
Software development & web development with DEV.co
Adopting dockle is usually one piece of a larger software development effort. As a software development agency, DEV.co provides software development services and web development expertise — pairing senior software developers and web developers with your team to design, build, and operate open-source security software in production.
Secure Your Container Images Today
Integrate Dockle into your CI/CD pipeline to automate Docker image security audits and enforce best practices across your container deployments.