
How to Fix Dockle Container Image Lint Error

DodaTech Updated 2026-06-24 2 min read

This tutorial explains how to fix Dockle container image lint errors, covering the key concepts, practical examples, and best practices.

Dockle either aborts with FATAL: fail to scan or reports one or more FATAL-level CIS benchmark violations. In the second case the image itself has security issues, such as running as root, lacking a USER directive, or carrying excessive capabilities.

The Problem

$ dockle nginx:latest
FATAL  - CIS-DI-0001: Do not run container as root
        * Last user should not be root
WARN   - CIS-DI-0005: Export port 80
        * Export port 80 explicitly

Step-by-Step Fix

Step 1: Fix Dockerfile to avoid root

FROM node:20-alpine

RUN addgroup -S appgroup && adduser -S appuser -G appgroup

COPY --chown=appuser:appgroup . /app
WORKDIR /app
USER appuser

EXPOSE 3000
CMD ["node", "app.js"]

Step 2: Add HEALTHCHECK

# curl must exist inside the image: node:20-alpine does not ship it, so add it
# (RUN apk add --no-cache curl) or probe the endpoint with node instead.
HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
  CMD curl -f http://localhost:3000/health || exit 1

Step 3: Fix file permissions

RUN chmod 644 /app/config/*.json && \
    chmod 755 /app/scripts/*.sh

Step 4: Remove unnecessary packages

FROM alpine:3.18
# Install the toolchain as a named virtual package, build, and delete it in the
# same RUN so no build tools remain in the final layer ("make" stands in for
# your project's actual build command).
RUN apk add --no-cache --virtual .build-deps build-base && \
    make && \
    apk del .build-deps

Step 5: Run Dockle with ignore flags

# Ignore specific checks
dockle --ignore CIS-DI-0005 nginx:latest

# Accept a key name that the credential check (CIS-DI-0010) would otherwise
# flag as a stored secret, e.g. an environment variable containing it
dockle --accept-key "reject" nginx:latest

Step 6: Create .dockleignore

echo "CIS-DI-0005" > .dockleignore
echo "CIS-DI-0006" >> .dockleignore

Prevention Tips

  • Always end Dockerfiles with a USER directive (not root)
  • Add explicit HEALTHCHECK to every image
  • Remove package managers and build tools from production images
  • Run Dockle as part of CI/CD pipeline
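Steps 5 and 6 and the CI/CD tip above come together in a pipeline gate: run Dockle, then fail the job only on findings that are not listed in .dockleignore and are at or above a chosen level. The script below is an added example, not part of this guide or of the Dockle project; it parses the text report format shown in "The Problem" (Dockle's own --exit-code and --exit-level flags do the same job when you do not need to post-process the report), and the sample report and ignore file are constructed inline.

```python
import re
from typing import Dict, List, Set

# Constructed sample of Dockle's text report, shaped like the scan shown above.
SAMPLE_OUTPUT = """\
FATAL  - CIS-DI-0001: Do not run container as root
        * Last user should not be root
WARN   - CIS-DI-0005: Export port 80
        * Export port 80 explicitly
WARN   - CIS-DI-0006: Add HEALTHCHECK instruction to the container image
        * not found HEALTHCHECK statement
"""

# Constructed .dockleignore content: one checkpoint code per line (Step 6).
SAMPLE_IGNORE = "CIS-DI-0005\n# comment lines are skipped\n\nCIS-DI-0006\n"

# "<LEVEL>  - <CODE>: <title>"; detail lines start with an indented "*".
FINDING_RE = re.compile(r"^(PASS|INFO|WARN|FATAL)\s+-\s+([A-Z]+-[A-Z]+-\d{4}):\s*(.*)$")
SEVERITY = {"INFO": 1, "WARN": 2, "FATAL": 3}


def parse_ignore(text: str) -> Set[str]:
    """Checkpoint codes from a .dockleignore, skipping blank and comment lines."""
    return {ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")}


def parse_findings(output: str) -> List[Dict[str, object]]:
    """Turn the text report into findings, attaching each '*' line to its finding."""
    findings: List[Dict[str, object]] = []
    for line in output.splitlines():
        m = FINDING_RE.match(line)
        if m:
            findings.append({"level": m.group(1), "code": m.group(2),
                             "title": m.group(3), "details": []})
        elif line.lstrip().startswith("*") and findings:
            findings[-1]["details"].append(line.strip("* ").strip())
    return findings


def gate(output: str, ignore_text: str = "", exit_level: str = "WARN") -> Dict[str, object]:
    """Fail the build if any non-ignored finding is at or above exit_level."""
    ignored = parse_ignore(ignore_text)
    threshold = SEVERITY[exit_level]
    blocking = [f for f in parse_findings(output)
                if f["code"] not in ignored and SEVERITY.get(f["level"], 0) >= threshold]
    return {"fail": bool(blocking), "blocking": blocking, "ignored": sorted(ignored)}
```

With the sample inputs the gate still fails on CIS-DI-0001 even though both WARN findings are ignored, which is the behaviour you want: .dockleignore should silence accepted risks, not the root-user finding.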


FAQ

What is Dockle and what does it check?

Dockle is a container image linter that checks against CIS Docker benchmarks. It verifies root user usage, exposed ports, file permissions, healthchecks, and security-related Dockerfile best practices. Scores range from A (best) to F (worst).

How do I achieve an A rating on Dockle?

Use a non-root user (USER), add HEALTHCHECK, explicitly EXPOSE ports, remove unused packages, set appropriate file permissions, and avoid storing secrets in environment variables. Run dockle image:tag and fix each FATAL finding.

Can I ignore certain Dockle findings?

Yes, use --ignore CIS-DI-0005 to skip specific checks, or create a .dockleignore file. This is useful for images that intentionally run as root in controlled environments.
