DEV Community

Nick Ciolpan

Your Dockerfile Scanner Should Break the Build

The problem

Last month I shipped docker-scan-lite. It scanned. It warned.

Then everyone kept shipping broken images anyway.

Because it always exited 0. Green pipeline. Every time. Didn't matter if you had USER root with a hardcoded AWS key. CI said ✅. You shipped it.

Warnings without consequences are just noise.

Now it breaks the build

docker-scan-lite -f Dockerfile --exit-code high

One flag. Pipeline stops when it matters.

GitHub Action

No install step. No binary downloads:

- name: Scan Dockerfile
  uses: nickciolpan/docker-scan-lite@v1
  with:
    dockerfile: Dockerfile
    fail-on: high

Hardcoded secret? Blocked.
Running as root? Blocked.
Sensitive env var in plaintext? Blocked.

Everything else — warnings. You see them, you decide.

New checks

Missing HEALTHCHECK:

⚠️ [INFO] No HEALTHCHECK instruction found

Your orchestrator is flying blind without it.

No USER instruction:

⚠️ [MEDIUM] No USER instruction in final stage. Container will run as root by default

Not USER root; no USER at all. The silent default nobody thinks about.

Multi-stage awareness:

FROM golang:1.21 AS builder    # issues here matter less
RUN go build -o /app

FROM alpine:3.18               # this is what ships
COPY --from=builder /app /app
USER appuser

It now knows the difference between a build stage and what actually runs in production.

Less noise

Before, every URL got flagged as a "database connection string":

⚠️ database_url: https://example.com/install.sh

Fixed. Only actual DB protocols now — postgres://, mysql://, mongodb://.

FROM scratch no longer gets flagged as "using latest tag". It's not an image.

Want only the critical stuff?

docker-scan-lite -f Dockerfile --severity high
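To make the mechanics behind these checks concrete, here is a small Go linter written as an added example for this post (it is not docker-scan-lite's own code). It implements the behaviour described above: secrets are flagged in every stage, the USER / HEALTHCHECK / latest-tag checks only look at the final stage (the last FROM), "database connection string" only fires on real DB schemes so an https:// installer URL stays quiet, FROM scratch is exempt from the latest-tag check, and a --severity style filter plus an --exit-code style threshold decide whether the build breaks. The rule messages, the AWS-key regex, the sample Dockerfile and the assumption that "fail on high" means "fail on any finding at or above high" are all mine.

```go
package main

import (
	"fmt"
	"os"
	"regexp"
	"strings"
)

// Finding is one issue raised by a check: where it is, how bad it is, what it says.
type Finding struct {
	Line     int
	Severity string // INFO, LOW, MEDIUM or HIGH
	Message  string
}

// severityRank orders severities so threshold flags can compare them.
var severityRank = map[string]int{"INFO": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3}

// dbURL matches only real database URL schemes, so an https:// link is not a connection string.
var dbURL = regexp.MustCompile(`(?i)\b(postgres(ql)?|mysql|mongodb(\+srv)?)://`)

// awsKey is a constructed stand-in for a secret detector: the AWS access key id format.
var awsKey = regexp.MustCompile(`\bAKIA[0-9A-Z]{16}\b`)

// Lint scans Dockerfile text. Secrets are reported in every stage (build layers can leak via
// caches and pushed intermediate images); everything else only in the stage that ships.
func Lint(src string) []Finding {
	lines := strings.Split(src, "\n")
	finalStart := 0 // the final stage starts at the last FROM instruction
	for i, raw := range lines {
		if strings.HasPrefix(strings.ToUpper(strings.TrimSpace(raw)), "FROM ") {
			finalStart = i
		}
	}
	var out []Finding
	sawUser, sawHealthcheck := false, false
	for i, raw := range lines {
		l := strings.TrimSpace(raw)
		if l == "" || strings.HasPrefix(l, "#") {
			continue
		}
		if idx := strings.Index(l, " #"); idx >= 0 { // drop a trailing comment before parsing
			l = strings.TrimSpace(l[:idx])
		}
		fields := strings.Fields(l)
		if awsKey.MatchString(l) {
			out = append(out, Finding{i + 1, "HIGH", "hardcoded AWS access key"})
		}
		if i < finalStart {
			continue // build stage: issues here matter less
		}
		switch strings.ToUpper(fields[0]) {
		case "FROM":
			if len(fields) > 1 {
				img, tag := fields[1], ""
				if parts := strings.SplitN(img, ":", 2); len(parts) == 2 {
					tag = parts[1]
				}
				// FROM scratch is not an image; a digest (@sha256:...) is pinned too.
				if img != "scratch" && !strings.Contains(img, "@") && (tag == "" || tag == "latest") {
					out = append(out, Finding{i + 1, "LOW", "base image uses the latest tag"})
				}
			}
		case "USER":
			sawUser = true
			if len(fields) > 1 {
				if user := strings.SplitN(fields[1], ":", 2)[0]; user == "root" || user == "0" {
					out = append(out, Finding{i + 1, "HIGH", "container runs as root"})
				}
			}
		case "HEALTHCHECK":
			sawHealthcheck = true
		case "ENV", "ARG":
			if dbURL.MatchString(l) {
				out = append(out, Finding{i + 1, "HIGH", "database connection string in plaintext"})
			}
		}
	}
	if !sawUser {
		out = append(out, Finding{finalStart + 1, "MEDIUM", "no USER instruction in final stage; runs as root by default"})
	}
	if !sawHealthcheck {
		out = append(out, Finding{finalStart + 1, "INFO", "no HEALTHCHECK instruction found"})
	}
	return out
}

// Filter keeps findings at or above minSeverity (the --severity style flag).
func Filter(findings []Finding, minSeverity string) []Finding {
	floor := severityRank[strings.ToUpper(minSeverity)]
	var out []Finding
	for _, f := range findings {
		if severityRank[f.Severity] >= floor {
			out = append(out, f)
		}
	}
	return out
}

// ExitCode is 1 when any finding reaches failOn; an empty failOn means report only.
func ExitCode(findings []Finding, failOn string) int {
	if failOn != "" && len(Filter(findings, failOn)) > 0 {
		return 1
	}
	return 0
}

// Constructed sample; the key is the placeholder value from AWS's own documentation.
const sampleDockerfile = `FROM golang:1.21 AS builder    # issues here matter less
ENV AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
RUN go build -o /app

FROM alpine
ENV INSTALLER=https://example.com/install.sh
ENV DATABASE_URL=postgres://app:hunter2@db/app
COPY --from=builder /app /app`

func main() {
	findings := Lint(sampleDockerfile)
	for _, f := range findings {
		fmt.Printf("line %d [%s] %s\n", f.Line, f.Severity, f.Message)
	}
	os.Exit(ExitCode(findings, "high")) // non-zero here is what stops the pipeline
}
```

On the sample, the https installer URL produces nothing, the postgres:// URL and the key in the build stage are HIGH, the untagged alpine is LOW, and the missing USER and HEALTHCHECK are MEDIUM and INFO, so the process exits 1 with fail-on high and 0 with fail-on unset.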

SARIF output

For GitHub's Security tab:

- name: Scan
  uses: nickciolpan/docker-scan-lite@v1
  with:
    dockerfile: Dockerfile
    format: sarif
    fail-on: ''

- name: Upload SARIF
  uses: github/codeql-action/upload-sarif@v3
  if: always()
  with:
    sarif_file: scan-results.sarif

Dockerfile issues show up next to your CodeQL findings.
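For anyone wiring their own scanner into the same workflow, this added Go example (mine, not docker-scan-lite's code) shows the minimum SARIF 2.1.0 document that upload-sarif needs to place a finding on a line of the Dockerfile: a driver with one rule per distinct rule id, and one result per finding with a ruleId, a level and a physicalLocation. The Finding type, the rule ids and the severity-to-level mapping are constructed; SARIF itself only has the levels error, warning, note and none.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Finding is the scanner's view of one issue. RuleID is a constructed stable id per check.
type Finding struct {
	RuleID   string
	Line     int
	Severity string // INFO, LOW, MEDIUM or HIGH
	Message  string
}

// sarifLevel maps the scanner's severities onto the SARIF result levels.
func sarifLevel(sev string) string {
	switch sev {
	case "HIGH":
		return "error"
	case "MEDIUM", "LOW":
		return "warning"
	}
	return "note"
}

// The subset of the SARIF schema needed to show a result on a line of a file.
type (
	sarifLog struct {
		Schema  string     `json:"$schema"`
		Version string     `json:"version"`
		Runs    []sarifRun `json:"runs"`
	}
	sarifRun struct {
		Tool    sarifTool     `json:"tool"`
		Results []sarifResult `json:"results"`
	}
	sarifTool   struct{ Driver sarifDriver `json:"driver"` }
	sarifDriver struct {
		Name  string      `json:"name"`
		Rules []sarifRule `json:"rules"`
	}
	sarifRule struct {
		ID               string    `json:"id"`
		ShortDescription sarifText `json:"shortDescription"`
	}
	sarifText   struct{ Text string `json:"text"` }
	sarifResult struct {
		RuleID    string          `json:"ruleId"`
		Level     string          `json:"level"`
		Message   sarifText       `json:"message"`
		Locations []sarifLocation `json:"locations"`
	}
	sarifLocation struct {
		PhysicalLocation sarifPhysicalLocation `json:"physicalLocation"`
	}
	sarifPhysicalLocation struct {
		ArtifactLocation sarifArtifactLocation `json:"artifactLocation"`
		Region           sarifRegion           `json:"region"`
	}
	sarifArtifactLocation struct{ URI string `json:"uri"` }
	sarifRegion           struct{ StartLine int `json:"startLine"` }
)

// ToSARIF converts findings for one scanned file into a SARIF log: each distinct RuleID
// becomes a driver rule, each finding a result pointing at uri:startLine.
func ToSARIF(toolName, uri string, findings []Finding) sarifLog {
	rules, results := []sarifRule{}, []sarifResult{} // non-nil so an empty scan gives [] not null
	seen := map[string]bool{}
	for _, f := range findings {
		if !seen[f.RuleID] {
			seen[f.RuleID] = true
			rules = append(rules, sarifRule{ID: f.RuleID, ShortDescription: sarifText{Text: f.Message}})
		}
		results = append(results, sarifResult{
			RuleID:  f.RuleID,
			Level:   sarifLevel(f.Severity),
			Message: sarifText{Text: f.Message},
			Locations: []sarifLocation{{PhysicalLocation: sarifPhysicalLocation{
				ArtifactLocation: sarifArtifactLocation{URI: uri},
				Region:           sarifRegion{StartLine: f.Line},
			}}},
		})
	}
	return sarifLog{
		Schema:  "https://json.schemastore.org/sarif-2.1.0.json",
		Version: "2.1.0",
		Runs:    []sarifRun{{Tool: sarifTool{Driver: sarifDriver{Name: toolName, Rules: rules}}, Results: results}},
	}
}

// SARIFJSON renders the log as the indented JSON you would write to scan-results.sarif.
func SARIFJSON(toolName, uri string, findings []Finding) (string, error) {
	b, err := json.MarshalIndent(ToSARIF(toolName, uri, findings), "", "  ")
	return string(b), err
}

func main() {
	// Constructed findings in the shape of the post's examples.
	findings := []Finding{
		{RuleID: "DS-USER-ROOT", Line: 7, Severity: "HIGH", Message: "container runs as root"},
		{RuleID: "DS-HEALTHCHECK", Line: 1, Severity: "INFO", Message: "No HEALTHCHECK instruction found"},
	}
	out, err := SARIFJSON("docker-scan-lite", "Dockerfile", findings)
	if err != nil {
		panic(err)
	}
	fmt.Println(out)
}
```

Note the `if: always()` on the upload step in the workflow above: with `fail-on: ''` the scan step never fails, but keeping the upload unconditional means the Security tab still gets results on the day you decide to let the scanner break the build again.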

Install

brew upgrade nickciolpan/tap/docker-scan-lite
# or
go install github.com/nickciolpan/docker-scan-lite@latest

Docs: nickciolpan.github.io/docker-scan-lite
GitHub: github.com/nickciolpan/docker-scan-lite


What's the worst thing your CI let through?


Yes, this was written with the help of an LLM. The code too. Are we still pretending that's not how things get built in 2026? Claude wrote most of the implementation, I steered, tested, broke things, and made the decisions.
