Lab: Dockerfile static analysis

Lint a bad Dockerfile with hadolint, build it, then run dockle on the image. Install steps target Linux amd64 (the default for GitHub Codespaces). On arm64, use the arm64 build from each project's GitHub Releases page. For a permanent PATH line in every shell, use Environment Setup. Otherwise the export PATH line under Install and Run Hadolint below applies to the current terminal only.

Read Theory: Dockerfile first so terms such as base image, FROM, COPY, and layers are familiar.

Lab objective

  • Create a deliberately weak Dockerfile for training scans.
  • Run *hadolint- on the file.
  • Build an image and run *dockle- on the tag.

Create a Weak Dockerfile

Create workspace directory.

mkdir -p ~/peachycloudsecurity-sast-lab && cd ~/peachycloudsecurity-sast-lab
  • Creates a lab directory and moves into it.

Create vulnerable Dockerfile.

cat <<'EOF' > Dockerfile
FROM ubuntu:latest

RUN apt update && apt install -y curl sudo

ADD peachycloudsecurity-secret.txt /root/peachycloudsecurity-secret.txt

RUN chmod 777 /root/peachycloudsecurity-secret.txt

CMD ["bash"]
EOF

  • Defines a deliberately insecure Dockerfile: a floating latest tag, ADD for a local file, a secret baked into a layer, and a world-writable permission.

Create a fake secret file.

echo 'secret' > peachycloudsecurity-secret.txt
  • Creates a sensitive file that will be copied into the image.

Install and Run Hadolint

Prepare the binary path and set up hadolint.

mkdir -p ~/.local/bin
export PATH="$HOME/.local/bin:$PATH"
curl -sSfL -o ~/.local/bin/hadolint \
"https://github.com/hadolint/hadolint/releases/latest/download/hadolint-Linux-x86_64"
chmod +x ~/.local/bin/hadolint
  • Sets PATH, downloads hadolint, and makes it executable.

Run hadolint.

hadolint Dockerfile
  • Scans Dockerfile for insecure patterns.

Build Image and Run Dockle

Download and set up dockle.

DVER=0.4.15
curl -sSfL \
"https://github.com/goodwithtech/dockle/releases/download/v${DVER}/dockle_${DVER}_Linux-64bit.tar.gz" \
| tar -xz -C ~/.local/bin dockle
chmod +x ~/.local/bin/dockle
  • Downloads dockle, extracts it, and makes it executable.

Build the Docker image.

docker build -t peachycloudsecurity-dockle-target .
  • Builds image including the secret file.

Run the dockle scan.

dockle peachycloudsecurity-dockle-target
  • Analyzes image security posture.

Verify Secret Exposure

Run the container and read the secret.

docker run --rm peachycloudsecurity-dockle-target cat /root/peachycloudsecurity-secret.txt
  • Confirms the secret is embedded in the image.

Check the image history.

docker history peachycloudsecurity-dockle-target
  • Shows layers where the secret was added.

Cleanup

Remove the image.

docker rmi peachycloudsecurity-dockle-target 2>/dev/null || true
  • Deletes built image.

Remove the lab directory.

cd ~/peachycloudsecurity-lab-workspace/ && rm -rf ~/peachycloudsecurity-sast-lab
  • Deletes local files.

Summary

  • hadolint flags Dockerfile issues such as the latest tag, ADD, and permissions.
  • dockle highlights runtime and image-level risks.
  • Secrets copied in via ADD or COPY remain permanently in the image layers.
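To see what the scanners are looking for, here is an added example (not hadolint, dockle, or part of the lab) that implements a few grep-based checks mirroring the findings above and runs them on the lab's weak Dockerfile and on a hardened rewrite that never bakes the secret into a layer. The Dockerfile contents, the app.conf path and the user name are constructed for this example.

```shell
#!/usr/bin/env bash
# Constructed example (not hadolint or dockle): grep-based checks that mirror
# the findings this lab expects. Octal chmod modes only; symbolic modes such
# as "chmod o+w" are not caught, which is one reason to use the real tools.

lint_dockerfile() {            # prints one finding per line; exit status = count
    local f="$1" n=0
    # unpinned base image: no tag at all, or the floating :latest tag
    if grep -Eq '^[[:space:]]*FROM[[:space:]]+[^[:space:]]+:latest([[:space:]]|$)' "$f" ||
       grep -Eq '^[[:space:]]*FROM[[:space:]]+[^:@[:space:]]+([[:space:]]|$)' "$f"; then
        echo "$f: base image not pinned (missing tag or :latest)"; n=$((n+1)); fi
    # ADD fetches URLs and auto-extracts archives; COPY is predictable
    if grep -Eq '^[[:space:]]*ADD[[:space:]]' "$f"; then
        echo "$f: ADD used for local files; use COPY"; n=$((n+1)); fi
    # world-writable octal mode: the last digit has the write bit set
    if grep -Eq '^[[:space:]]*RUN.*chmod[[:space:]]+(-[[:alpha:]]+[[:space:]]+)*[0-7]{0,3}[2367]([[:space:]]|$)' "$f"; then
        echo "$f: chmod grants write access to everyone"; n=$((n+1)); fi
    # no USER line means every process in the container runs as root
    if ! grep -Eq '^[[:space:]]*USER[[:space:]]' "$f"; then
        echo "$f: no USER instruction; processes run as root"; n=$((n+1)); fi
    return "$n"
}

LAB="$(mktemp -d)"
WEAK="$LAB/Dockerfile.weak"; SAFE="$LAB/Dockerfile.hardened"

cat > "$WEAK" <<'EOF'
FROM ubuntu:latest
RUN apt update && apt install -y curl sudo
ADD peachycloudsecurity-secret.txt /root/peachycloudsecurity-secret.txt
RUN chmod 777 /root/peachycloudsecurity-secret.txt
CMD ["bash"]
EOF

# Hardened rewrite (constructed): pinned tag, COPY with an explicit read-only
# mode, a non-root user, and no secret in any layer (mount it at run time).
cat > "$SAFE" <<'EOF'
FROM ubuntu:24.04
RUN apt-get update && apt-get install -y --no-install-recommends curl \
    && rm -rf /var/lib/apt/lists/*
RUN useradd --system --uid 10001 --create-home app
COPY --chmod=0444 app.conf /home/app/app.conf
USER app
CMD ["bash"]
EOF

for f in "$WEAK" "$SAFE"; do
    n=0; lint_dockerfile "$f" || n=$?
    echo "$f: $n finding(s)"
done
```

The weak file yields four findings and the hardened one none; run the real hadolint and dockle over the same pair to compare their rule IDs with these rough checks.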