DEV.co
Open-Source Security · goodwithtech

dockle

Dockle is a container image linter that scans Docker images for security vulnerabilities and best-practice violations, including CIS Benchmarks. It runs as a simple CLI tool with minimal dependencies and integrates into CI/CD pipelines for automated security audits.

Source: GitHub — github.com/goodwithtech/dockle
3.3k
GitHub stars
162
Forks
Go
Primary language
Apache-2.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositorygoodwithtech/dockle
Ownergoodwithtech
Primary languageGo
LicenseApache-2.0 — OSI-approved
Stars3.3k
Forks162
Open issues43
Latest releasev0.4.15 (2025-01-06)
Last updated2026-07-02
Sourcehttps://github.com/goodwithtech/dockle

What dockle is

Written in Go, Dockle analyzes built container images (not Dockerfiles) to detect security issues, misconfigurations, and best-practice deviations. It supports multiple output formats (JSON, SARIF), customizable checkpoint rules, and private registry authentication for DockerHub, ECR, GCR, and self-hosted registries.

Quickstart

Get the dockle source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/goodwithtech/dockle.gitcd dockle# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

CI/CD Security Gating

Automate container image security scanning in pipelines (GitHub Actions, CircleCI, GitLab CI, Travis CI) with configurable exit codes to block deployment of non-compliant images.

Kubernetes Cluster Security Hardening

Enforce image security policies before pushing to registries, ensuring all pods deployed on Kubernetes meet CIS Benchmarks and organizational security standards.

Development Workflow Integration

Developers scan local images immediately after building to catch security issues early, reducing costly remediation cycles and promoting security-first practices.

Implementation considerations

  • Requires Docker daemon access (via socket) to scan images; plan authentication and access control for registry credentials in CI environments.
  • Supports customizable checkpoint rules and exception lists for environment variables, files, and extensions to avoid false positives in your workflow.
  • CIS Benchmarks are embedded; validate that checkpoint coverage aligns with your organization's security policies and compliance requirements.
  • Output formats (JSON, SARIF) integrate with downstream tools; configure exit codes to enforce policy (exit 0, non-zero) to control pipeline flow.
  • Multiple installation methods (Homebrew, package managers, binary, Docker, asdf, mise) ease deployment across diverse developer and CI environments.

When to avoid it — and what to weigh

  • Need Dockerfile Linting — Dockle scans built images, not Dockerfiles. Use Hadolint if you need static Dockerfile analysis before the build stage.
  • Require Runtime Container Scanning — Dockle audits image metadata and content; it does not monitor running containers. Use Docker Bench for Security or runtime monitors for live container security.
  • Need CVE Vulnerability Database Scanning — Dockle focuses on configuration and best-practice checks. For dependency vulnerability scanning, layer Clair, Trivy, or Grype alongside Dockle.
  • Low Tolerance for Tool Maintenance Risk — Latest release v0.4.15 is from January 2025 but repository last push was July 2026 (data inconsistency). Verify current maintenance status before adoption.

License & commercial use

Licensed under Apache License 2.0 (Apache-2.0), a permissive open-source license. README incorrectly displays AGPL v3 badge; defer to GitHub repository metadata (Apache-2.0) as authoritative.

Apache 2.0 permits commercial use without network restrictions (unlike AGPL). Suitable for proprietary/commercial toolchains. No vendor lock-in or paid support entanglement evident from provided data.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityNeeds review
Deployment complexityLow
DEV.co fitStrong
Assessment confidenceMedium
Security considerations

Dockle audits image configuration and best practices but does not perform CVE scanning; layer with Clair, Trivy, or Grype for vulnerability database checks. Checkpoints include CIS Benchmarks, which are industry-recognized baselines. Docker socket access required for scanning introduces local privilege surface; restrict to build agents with least-privilege credentials. Private registry auth credentials must be stored securely in CI (secrets management). No claims about Dockle's own supply chain security posture are evident; review code and dependencies independently.

Alternatives to consider

Hadolint

Static Dockerfile linter; scans build-time instructions before image creation, catching issues earlier. Complementary to Dockle if you need both Dockerfile and image-level checks.

Trivy (Aqua Security)

Combines image vulnerability scanning (CVE database), misconfigurations, and secrets detection. More comprehensive but heavier; use if CVE scanning is mandatory.

Docker Bench for Security

Host and runtime container auditing (not image-focused). Choose if you need Docker daemon, host kernel, and running container security assessment.

Software development agency

Build on dockle with DEV.co software developers

Integrate Dockle into your CI/CD pipeline to automate Docker image security audits and enforce best practices across your container deployments.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

dockle FAQ

Does Dockle scan for CVE vulnerabilities?
No. Dockle focuses on configuration best practices and CIS Benchmarks. Pair it with Clair, Trivy, or Grype for CVE scanning.
Can I use Dockle in private registries?
Yes. Supports authentication for DockerHub, AWS ECR, Google GCR, and self-hosted registries with BasicAuth.
What output formats does Dockle support?
JSON and SARIF formats available, suitable for integration with CI/CD dashboards, SIEM systems, and compliance reporting tools.
Is the Apache 2.0 license permissive for commercial use?
Yes, Apache 2.0 allows commercial use without network-based restrictions (unlike AGPL). No SaaS usage limitations apply.

Software development & web development with DEV.co

Adopting dockle is usually one piece of a larger software development effort. As a software development agency, DEV.co provides software development services and web development expertise — pairing senior software developers and web developers with your team to design, build, and operate open-source security software in production.

Secure Your Container Images Today

Integrate Dockle into your CI/CD pipeline to automate Docker image security audits and enforce best practices across your container deployments.