From YouTube: GitLab linter integration with Hadolint - Enforcing best practices for writing a Dockerfile
Description
For feedback please tag me in an issue opened in the project below @alex-dess (GitLab User)
Links:
Hadolint GitLab: https://gitlab.com/pipeline-components/hadolint
Artifact Reports: https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportscodequality
Best Practices from Docker: https://docs.docker.com/develop/develop-images/dockerfile_best-practices/
Hadolint: https://github.com/hadolint/hadolint
A
Hey there and welcome to our quick video on how to do a custom scanner integration to GitLab, to enforce best practices for container scanning, leveraging a popular linter for Dockerfiles. So my name is Alex Das.
A
If you have feedback to the video, you can tag me in an issue, alex-dess on GitLab, and I'm going to link the repositories we're maintaining in regards of that in the description. So it is an important thing to focus on best practices when writing Dockerfiles, right? So you shouldn't use the root user, for example, and you shouldn't use any deprecated things like, for example, declaring a maintainer for the Dockerfile, which is per se deprecated right now. So I just linked the best practices for writing a Dockerfile, some of them in here, from Docker docs directly, and I want to make sure that this is being highlighted to my developers and me when I'm making a mistake here. So I choose to integrate Hadolint for that purpose and, as you can see, there's a Docker image available for that. So this will be very easy for us to integrate that to our pipeline. I don't want to only integrate that to the pipeline and then download an artifact where I need to go through and see.
A
Okay, there is probably an issue. I want to display that directly into my merge request in GitLab, so I can benefit from the immediate feedback from the scan. It is visible. The merge request stays my single pane of glass where I see not only all my security vulnerabilities, but also the results from a code quality scanning, and for me the linting topic goes into the direction of code quality, and that's why we are leveraging the code quality report and the code quality widget in order to display our results.
A
That's all I need to do in order to leverage the functionality here, but I need to add something that we get something reported, and what I did is I just added like a deprecated thing, which I explained before, so I declared me as maintainer of that Dockerfile. So that should be found by our linter and that should be reported to us.
A
So let's go to the overview here and, as you can see, my code quality widget directly in the merge request here tells me: okay, there is a new finding in here. So let's open that up and I see that, okay, so you see that my linter found the issue saying like maintainer is deprecated, displaying where this is the case. If I go there, I can directly now go in my IDE, the Web IDE or VS Code, fix that and push the new changes.