To improve container security, it is very useful to enforce policies on writing Dockerfiles.

Projects to do this are:

• https://github.com/projectatomic/dockerfile_lint
• https://github.com/hadolint/hadolint

These can be both quality lints and security lints. What matters for me specially is security lints that would allow a security team to enforce a specific policy on Dockerfiles.

Unlike most registries, Quay is also in charge of building container images, which means it can also require Dockerfiles to be written in a certain way. In many cases, Quay is the only place where Dockerfiles get centralized and therefore the only place where such linting can be done. Quay can be used as a trusted registry and in cooperation with Open Policy Agent (https://www.openpolicyagent.org/) it can be used to better enforce what code gets in a Kubernetes cluster for example. Open Policy Agent can enforce that images come from a certain registry. And Quay could have a registry endpoint that can't contain images that don't pass the lint passes.

The ideal situation would include both a way to execute an arbitrary linter with an output format and a way to nicely help the developer understand how they can improve their Dockerfile according to the policy with line-by-line information. Say the linter prints to stdout in a documented format on all line X and column Y display Z message, so the developer knows exactly what the lint is about and where.

This means :

• pre-build lint hooks with arbitrary scripts
• implementing UI/UX to review lint results
• parsing for the documented lint result stdout format
• integrating few linters with that format by making pull requests to them
• implement mechanism to re-lint Dockerfiles if linter rules change and warn developer and security team of active violations to solve them ASAP

I am willing to put effort into this! Please suggest ideas if anything here feels off or wrong or if you've had internal plans about this already (couldnt find about it).