18 security rules from the CIS Docker Benchmark and Liz Rice's Container Security (O'Reilly, 2nd ed.). We flag root users, :latest tags, secrets in ENV, curl-piped installs, and every other classic footgun.
Dockerfile security is dominated by a small number of recurring mistakes — ones that ship images running as root, leak secrets into layer history, or pull in arbitrary code from the internet at build time. This tool encodes 18 of them as deterministic checks.
Every rule has a stable ID so you can reference it in code review or in issue trackers.
SF-DOCK-001 – FROM uses :latest or no tag (builds are not reproducible)
SF-DOCK-002 – No USER instruction, or USER root (container runs as root)
SF-DOCK-003 – ADD with a remote URL (use COPY + curl with checksum verification)
SF-DOCK-004 – sudo inside a RUN (you are already root at build time)
SF-DOCK-005 – apt-get install without --no-install-recommends
SF-DOCK-006 – apt-get install without cleanup (rm -rf /var/lib/apt/lists/*)
SF-DOCK-007 – Secrets in ENV (password/token/key/secret env names)
SF-DOCK-008 – Secrets in ARG (build args are visible in layer metadata)
SF-DOCK-009 – COPY . . copies everything (leaks .git, .env, node_modules)
SF-DOCK-010 – No HEALTHCHECK defined
SF-DOCK-011 – Exposing privileged ports (< 1024) without explanation
SF-DOCK-012 – No WORKDIR set (operations run in /)
SF-DOCK-013 – chmod 777 or chown root (overly permissive)
SF-DOCK-014 – curl | sh or wget | bash (unverified remote execution)
SF-DOCK-015 – Base image is full-distro (prefer -slim, -alpine, or distroless)
SF-DOCK-016 – Multiple RUN statements that should be combined with &&
SF-DOCK-017 – Single-stage build with compilers + runtime (use multi-stage to drop build tools)
SF-DOCK-018 – --privileged flag or dangerous capability mentioned in comments

This is a static linter, not a vulnerability scanner. It does not know whether node:20-alpine has a published CVE — for that you need a database-backed image scanner. Security Factor 365 includes an image scanner that cross-references every base image and RUN apt-get install package against OSV.dev, GHSA, and OSV's malicious-packages feed. It also runs 10 additional scanner engines (SAST, SCA, DAST, IAST, IaC, Secrets, Config, API, AI Security, 12-Factor IaC) on every commit.
SF365's Container scanner runs these 18 rules plus image-level CVE analysis, SBOM generation (SPDX + CycloneDX), and OpenSSF malicious-package lookup on every build, merge, and release.