A GitHub Action that scans Dockerfiles in your repository and suggests best practices for container security, optimization, and maintainability.
> ⚠️ **Status:** This action is in development. Please report any issues or suggestions.

## Features

- 🔍 Comprehensive Dockerfile Analysis - Scans all Dockerfiles in your repository
- 🛡️ Security Best Practices - Identifies potential security vulnerabilities
- 📝 Detailed Reports - Provides actionable feedback with explanations
- 💬 GitHub Integration - Comments directly on PRs and Issues with suggestions
## Usage

Add a workflow such as the following to your repository:

```yaml
name: Dockerfile Scanner
on: [push, pull_request]

jobs:
  scan:
    runs-on: ubuntu-latest
    # Least privilege: read the code, write comments on issues and PRs, nothing else
    permissions:
      contents: read
      issues: write
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
      - uses: joao-pedro-rdo/SentinelCI@v0.1.0
        with:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          API_TOKEN: ${{ secrets.API_TOKEN }}
```

Three things to check before relying on the comments:

- The `with:` keys must match the input IDs declared in the action's `action.yml`. GitHub only warns about an unrecognised input and the action then receives an empty value, so a mismatched token name fails at run time rather than at configuration time.
- On `pull_request` events from forks, `GITHUB_TOKEN` is read-only and repository secrets such as `API_TOKEN` are not provided, so the action cannot post comments there; `push` events and same-repository PRs receive the permissions above.
- Because the action receives tokens, pin it to a full commit SHA rather than a mutable tag once you adopt it in production; a tag can be moved to different code.

## Inputs

| Input | Description | Required | Default |
|---|---|---|---|
| `github-token` | GitHub token for API access | ✅ | - |
| `API_TOKEN` | API token for external service access | ✅ | - |
## Outputs

| Output | Description |
|---|---|
| `issues-found` | Number of issues found and a link to them |
## Rules

✅ implemented, 🔜 planned.

- ✅ Use .dockerignore
- ✅ Set WORKDIR to simplify the copy of nested files
- ✅ Avoid pip upgrade
- ✅ Declare ports usage
- ✅ Join non-consecutive RUN instructions
- 🔜 Copy dependencies before sources
- 🔜 Copy only the necessary files from the build context
- 🔜 Extract stage in a separate Dockerfile
- 🔜 Use VOLUME for configuration files
- 🔜 Use VOLUME for dependencies cache
- 🔜 Use VOLUME for app data
- 🔜 Avoid silencing exit signals
- 🔜 Prefer a binary executable for ENTRYPOINT
- 🔜 Avoid hard-coded app-related configuration
- 🔜 Prefer popular base images (official/community)
- 🔜 Avoid hard-coded package versions
- 🔜 Prefer up-to-date packages and sources
- 🔜 Avoid hard-coded base image tag
- 🔜 Proper LABEL usage
- 🔜 HEALTHCHECK instructions
- 🔜 Signal handling
- 🔜 File permissions
- 🔜 Documentation completeness
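To show what a rule in this style actually has to inspect, here is a small linter for the five implemented rules. It is example code written for this page, not the project's own rules: it hand-rolls a Dockerfile tokenizer instead of using dockerfile-ast so it runs with no dependencies, and the rule names, messages, the `hasDockerignore` flag and both sample Dockerfiles are assumptions made for the example.

```typescript
// Added example for this page, not the project's code: a minimal linter that
// checks the five implemented rules above over a hand-rolled Dockerfile
// tokenizer, so it runs with no dependencies (the action itself parses with
// dockerfile-ast). Rule names and the sample Dockerfiles are assumptions.

interface Instruction { line: number; keyword: string; args: string }
interface Finding { line: number; rule: string; message: string }

// Split a Dockerfile into instructions: drop blank and comment lines, join
// backslash continuations, and record the 1-based line each instruction starts on.
function parseDockerfile(src: string): Instruction[] {
  const out: Instruction[] = [];
  let buf = "";
  let start = 0;
  src.split(/\r?\n/).forEach((raw, idx) => {
    const t = raw.trim();
    if (t === "" || t.startsWith("#")) return; // comments are ignored even inside continuations
    if (buf === "") start = idx + 1;
    if (t.endsWith("\\")) { buf += t.slice(0, -1).replace(/\s+$/, "") + " "; return; }
    buf += t;
    const m = /^(\w+)\s*(.*)$/.exec(buf);
    if (m) out.push({ line: start, keyword: m[1].toUpperCase(), args: m[2].trim() });
    buf = "";
  });
  return out;
}

// Instructions that only attach metadata and create no filesystem layer;
// RUN steps separated only by these can still be merged with &&.
const METADATA_ONLY = new Set(["LABEL", "EXPOSE", "STOPSIGNAL", "HEALTHCHECK", "MAINTAINER"]);
// Matches `pip install --upgrade pip` / `pip3 install -U pip` inside a RUN.
const PIP_SELF_UPGRADE = /\bpip3?\s+install\b[^&|;]*(--upgrade|-U)\s+pip\b/;

// hasDockerignore is passed in because that rule needs the build context, not the Dockerfile.
function lint(src: string, hasDockerignore: boolean): Finding[] {
  const ins = parseDockerfile(src);
  const findings: Finding[] = [];
  const has = (kw: string): boolean => ins.some((i) => i.keyword === kw);

  // Use .dockerignore: keeps .git, .env files and build noise out of the context.
  if (!hasDockerignore) {
    findings.push({ line: 0, rule: "dockerignore", message: "Add a .dockerignore next to the Dockerfile" });
  }

  // Set WORKDIR instead of spelling out nested destination paths in COPY/ADD.
  if (!has("WORKDIR")) {
    for (const i of ins) {
      if (i.keyword !== "COPY" && i.keyword !== "ADD") continue;
      const dest = i.args.split(/\s+/).pop() ?? "";
      if (dest.split("/").filter(Boolean).length > 1) {
        findings.push({ line: i.line, rule: "workdir", message: `Set WORKDIR instead of copying into nested path ${dest}` });
      }
    }
  }

  let lastRun: Instruction | null = null;
  for (const i of ins) {
    if (i.keyword === "RUN") {
      // Avoid pip upgrade: the layer changes on every build and is not reproducible.
      if (PIP_SELF_UPGRADE.test(i.args)) {
        findings.push({ line: i.line, rule: "pip-upgrade", message: "Do not upgrade pip in the image; pick a base image that ships the version you need" });
      }
      // Join RUN instructions that are adjacent or separated only by metadata.
      if (lastRun) {
        findings.push({ line: i.line, rule: "join-run", message: `Join with the RUN on line ${lastRun.line} using && to avoid an extra layer` });
      }
      lastRun = i;
    } else if (!METADATA_ONLY.has(i.keyword)) {
      lastRun = null; // anything else (COPY, ENV, WORKDIR, ...) can change what a RUN sees
    }
  }

  // Declare ports usage: a CMD/ENTRYPOINT with no EXPOSE anywhere is flagged.
  const entry = ins.find((i) => i.keyword === "CMD" || i.keyword === "ENTRYPOINT");
  if (entry && !has("EXPOSE")) {
    findings.push({ line: entry.line, rule: "expose", message: "Declare the ports the service listens on with EXPOSE" });
  }
  return findings;
}

// Constructed sample inputs (not taken from any real project).
const BAD_DOCKERFILE = `FROM python:3.12-slim
LABEL maintainer="team@example.com"
RUN pip install --upgrade pip
RUN apt-get update && \\
    apt-get install -y --no-install-recommends curl
COPY requirements.txt /app/requirements.txt
COPY . /app
CMD ["python", "/app/server.py"]
`;

const CLEAN_DOCKERFILE = `FROM python:3.12-slim
WORKDIR /app
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt
COPY . .
EXPOSE 8080
CMD ["python", "server.py"]
`;

for (const f of lint(BAD_DOCKERFILE, false)) {
  console.log(`line ${f.line} [${f.rule}] ${f.message}`);
}
```

Running the file prints one finding per implemented rule for the constructed `BAD_DOCKERFILE` and nothing for `CLEAN_DOCKERFILE`. The line numbers come from the tokenizer rather than from a naive line split, which is what lets a finding point at the first line of a multi-line `RUN` when the action turns it into a PR comment.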
## Example output

❌ TODO: Add example output here
## Development

Prerequisites:

- TypeScript
- Node.js 20+
- npm

```bash
# Clone the repository
git clone https://github.com/joao-pedro-rdo/scan-dockerfile.git
cd scan-dockerfile

# Install dependencies
npm install
```

Project structure:

```text
├── src/
│   ├── index.ts        # Main entry point
│   ├── linterRules/    # Linter rules
│   ├── refactor/       # Refactoring logic
│   ├── reporters/      # Reporting logic
│   ├── adapters/       # GitHub API interactions
│   ├── contracts/      # TypeScript interfaces
│   └── utils.ts        # Utility functions
├── dist/               # Compiled JavaScript
├── action.yml          # Action metadata
└── README.md
```

```bash
# Build TypeScript to JavaScript
npm run build
```

> **Note**
> The pipeline builds the project automatically on push. Repository dispatch events trigger the tests in another repository; see `workflows/build.yml`.
## 📚 Examples
### 🚧 Basic PR Comment 🚧

```yaml
name: Dockerfile Review
on:
  pull_request:
    paths:
      - "**/Dockerfile*"

jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: joao-pedro-rdo/scan-dockerfile@v1
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          create-issue: false
```

This example relies on the repository's default `GITHUB_TOKEN` permissions. If the repository or organisation sets the default to read-only, add a `permissions:` block with `pull-requests: write` to the job, or the comment call will be rejected.
## Related projects

- Hadolint Action
- dockerfile-ast - TypeScript library for Dockerfile parsing (used internally)

## Acknowledgements

This project uses the following open-source libraries:

- dockerfile-ast by Remy Suen - A comprehensive TypeScript library for parsing and analyzing Dockerfiles. Licensed under MIT.
- LangChain - Framework for developing applications with language models.

## License

This project is licensed under the Apache 2.0 License - see the LICENSE file for details.
Made by João Pedro