Dockerfile
Dockerfile scanning here focuses on build-time security and hardening:
- Insecure base images or unpinned tags (e.g., latest)
- Risky instructions (ADD remote URLs, shell injection patterns, unsafe permissions)
- Missing best practices (non-root user, minimal base images)
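To make the three check categories above concrete, here is an added example (not the scanner's own code) of a minimal Dockerfile linter that flags an unpinned base image, an ADD from a remote URL, a world-writable chmod, and a missing non-root USER, run over a constructed weak Dockerfile and its hardened counterpart. The rule IDs and the sample digest are placeholders, not entries from any real rule catalog.

```python
import re

# Constructed sample: a Dockerfile exhibiting each pattern the scanner reports.
WEAK_DOCKERFILE = """\
FROM ubuntu:latest
ADD https://example.invalid/app.tar.gz /opt/app.tar.gz
RUN chmod -R 777 /opt
COPY entrypoint.sh /entrypoint.sh
CMD ["/entrypoint.sh"]
"""

# Constructed hardened counterpart: digest-pinned slim base, COPY of a vetted
# artifact, explicit ownership, and a non-root USER (digest is a placeholder).
HARDENED_DOCKERFILE = """\
FROM python:3.12-slim@sha256:0000000000000000000000000000000000000000000000000000000000000000
COPY app/ /opt/app/
RUN useradd --system appuser && chown -R appuser /opt/app
USER appuser
CMD ["python", "/opt/app/main.py"]
"""

def scan_dockerfile(text):
    """Return (line_no, rule_id, message) findings; rule IDs are hypothetical."""
    findings = []
    lines = text.splitlines()
    has_nonroot_user = False
    for no, raw in enumerate(lines, start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        instr, args = parts[0].upper(), (parts[1] if len(parts) > 1 else "")
        if instr == "FROM":
            image = args.split()[0]  # drop any "AS <stage>" suffix
            if image == "scratch" or "@sha256:" in image:
                continue  # digest-pinned (or empty) base is acceptable
            last = image.rsplit("/", 1)[-1]  # avoid mistaking registry:port for a tag
            tag = last.rsplit(":", 1)[1] if ":" in last else None
            if tag is None or tag == "latest":
                findings.append((no, "UNPINNED_BASE_IMAGE", f"base image {image!r} not pinned"))
        elif instr == "ADD" and re.match(r"^(https?|ftp)://", args):
            findings.append((no, "ADD_REMOTE_URL", "ADD fetches a remote URL at build time"))
        elif instr == "RUN" and re.search(r"chmod\s+(-R\s+)?[0-7]*777\b", args):
            findings.append((no, "WORLD_WRITABLE_CHMOD", "chmod 777 makes paths world-writable"))
        elif instr == "USER" and args.split()[0] not in ("root", "0"):
            has_nonroot_user = True
    if not has_nonroot_user:
        findings.append((len(lines), "RUNS_AS_ROOT", "no non-root USER; container runs as root"))
    return findings
```

Findings carry the Dockerfile line number, which is what lets a PR scanner attach each issue to the exact changed line.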
Output
- Issues are attached to Dockerfile lines changed in PRs
- Rule IDs map into your IaC rule catalog (e.g., IAC-DOCKER-00XX or IAC-00XX, depending on your naming scheme)