dockmoor
Manage docker image references
:branch: master
== dockmoor image:https://github.com/MeneDev/dockmoor/workflows/Go/badge.svg?branch={branch}[Build Status (GitHub Actions), link=https://github.com/MeneDev/dockmoor/actions] image:https://img.shields.io/coveralls/github/MeneDev/dockmoor/{branch}.svg[Coveralls statement coverage, link=https://coveralls.io/github/MeneDev/dockmoor] image:https://goreportcard.com/badge/github.com/MeneDev/dockmoor[Go Report Card, https://goreportcard.com/report/github.com/MeneDev/dockmoor] image:https://img.shields.io/github/release/MeneDev/dockmoor.svg["GitHub release",link="https://github.com/MeneDev/dockmoor/releases"] image:https://img.shields.io/twitter/follow/MeneDev.svg?style=social&label=%40MeneDev[Follow @MeneDev on Twitter, link=https://twitter.com/MeneDev]
Once you found a nice dock, it's time to moor :anchor: + dockmoor helps you to create reproducible builds with Docker.
WARNING: This is currently unmaintained. Tracking docker as a dependency was a mistake.
Renovate bot has a similar feature: https://docs.renovatebot.com/docker/#digest-pinning
== Features
Implemented
- pin image references to currently used image via digest to make builds reproducible
** works with (remote) docker daemon and docker registry (e.g. docker hub)
- list image references
- find Dockerfiles
- filter by various predicates, e.g. untagged, `latest`, RegEx-match
Upcoming
- amend missing tags
- find outdated image references
- other formats: docker-compose, GitLab CI, Circle CI, Travis CI, ...
[[_examples]]
== Examples

Note: all digests are abbreviated for better readability

[[pin-command-examples]]
=== pin command

The `pin` command queries a Docker daemon (local or remote) or a docker registry (e.g. docker hub) for images matching the used image references and pins the image reference by appending the digest.

NOTE: The Docker daemon is used by default, but only knows pulled images!
[[_pin_well_known_image_references]]
==== Pin well-known image references

[subs=+macros]
....
dockmoor pin https://github.com/MeneDev/dockmoor/blob/master/cmd/dockmoor/end-to-end/pin-examples/Dockerfile-nginx[pin-examples/Dockerfile-nginx]
....

Given the following multi-stage dockerfile:

[source,Dockerfile]
----
# originally untagged
FROM nginx
# originally tagged 1.15
FROM nginx:1.15
# originally tagged 1
FROM nginx:1
# originally tagged 1.15-alpine-perl
FROM nginx:1.15-alpine-perl
RUN something
----

File after execution:

[source,Dockerfile]
----
# originally untagged
FROM nginx@sha256:31b..91
# originally tagged 1.15
FROM nginx:1.15@sha256:31b..91
# originally tagged 1
FROM nginx:1@sha256:31b..91
# originally tagged 1.15-alpine-perl
FROM nginx:1.15-alpine-perl@sha256:9c6..ae
RUN something
----

stdout is empty + stderr is empty + exit code: 0
[[_pin_all_image_references_in_a_dockerfile_using_a_docker_registry]]
==== Pin all image references in a dockerfile using a docker registry

[subs=+macros]
....
dockmoor pin --resolver=registry https://github.com/MeneDev/dockmoor/blob/master/cmd/dockmoor/end-to-end/pin-examples/Dockerfile-testimagea[pin-examples/Dockerfile-testimagea]
....

File before execution:

[source,Dockerfile]
----
FROM menedev/testimagea:1
FROM menedev/testimagea:1.0
FROM menedev/testimagea:1.0.0
FROM menedev/testimagea:1.0.1
FROM menedev/testimagea:1.1.0
FROM menedev/testimagea:1.1.1
FROM menedev/testimagea:2
FROM menedev/testimagea:2.0
FROM menedev/testimagea:2.0.0
FROM menedev/testimagea:latest
FROM menedev/testimagea
RUN something
----

File after execution:

[source,Dockerfile]
----
FROM menedev/testimagea:1@sha256:1e2..24
FROM menedev/testimagea:1.0@sha256:c27..4b
FROM menedev/testimagea:1.0.0@sha256:f38..df
FROM menedev/testimagea:1.0.1@sha256:c27..4b
FROM menedev/testimagea:1.1.0@sha256:bf1..96
FROM menedev/testimagea:1.1.1@sha256:1e2..24
FROM menedev/testimagea:2@sha256:3d4..a1
FROM menedev/testimagea:2.0@sha256:3d4..a1
FROM menedev/testimagea:2.0.0@sha256:3d4..a1
FROM menedev/testimagea:latest@sha256:3d4..a1
FROM menedev/testimagea@sha256:3d4..a1
RUN something
----

stdout is empty + stderr is empty + exit code: 0
[[_pin_image_references_with_latest_or_no_tag_in_a_dockerfile]]
==== Pin image references with latest or no tag in a dockerfile

[subs=+macros]
....
dockmoor pin --latest https://github.com/MeneDev/dockmoor/blob/master/cmd/dockmoor/end-to-end/pin-examples/Dockerfile-testimagea[pin-examples/Dockerfile-testimagea]
....

File after execution:

[source,Dockerfile]
----
FROM menedev/testimagea:1
FROM menedev/testimagea:1.0
FROM menedev/testimagea:1.0.0
FROM menedev/testimagea:1.0.1
FROM menedev/testimagea:1.1.0
FROM menedev/testimagea:1.1.1
FROM menedev/testimagea:2
FROM menedev/testimagea:2.0
FROM menedev/testimagea:2.0.0
FROM menedev/testimagea:latest@sha256:3d4..a1
FROM menedev/testimagea@sha256:3d4..a1
RUN something
----

stdout is empty + stderr is empty + exit code: 0
[[list-command-examples]]
=== list command

All single file examples refer to https://github.com/MeneDev/dockmoor/blob/master/cmd/dockmoor/end-to-end/Dockerfile[a multi-stage build Dockerfile]
[[_list_all_image_references_where_the_tag_ends_in_test]]
==== List all image references where the tag ends in -test
Surrounding strings with `/` enables regular expression based matching.

[subs=+macros]
....
dockmoor list --tag=/-test$/ https://github.com/MeneDev/dockmoor/blob/master/cmd/dockmoor/end-to-end/Dockerfile[Dockerfile]
....

stdout:

[subs=+macros]
....
image-name:1.12-test
image-name:1.11-test
docker.io/library/image-name:latest-test
example.com/image-name:1.12-test
example.com/image-name:latest-test@sha256:2c4..cf
....

stderr is empty + exit code: 0
[[_list_all_image_references_with_latest_or_no_tag_from_a_specific_domain_in_file]]
==== List all image references with latest or no tag from a specific domain in file

You can use multiple predicates to filter the matching image references. In this example the `domain` predicate is used together with the `latest` predicate. Predicates are combined as a conjunction: all predicates must match.

[subs=+macros]
....
dockmoor list --domain=example.com --latest https://github.com/MeneDev/dockmoor/blob/master/cmd/dockmoor/end-to-end/Dockerfile[Dockerfile]
....

stdout:

[subs=+macros]
....
example.com/image-name:latest@sha256:2c4..cf
example.com/other-image
example.com/other-image:latest
....

stderr is empty + exit code: 0
[[_list_all_image_references_in_file]]
==== List all image references in file

[subs=+macros]
....
dockmoor list https://github.com/MeneDev/dockmoor/blob/master/cmd/dockmoor/end-to-end/Dockerfile[Dockerfile]
....

stdout:

[subs=+macros]
....
image-name
image-name:latest
image-name:1.12
image-name:1.12-test
image-name:1.11-test
image-name@sha256:2c4..cf
docker.io/library/image-name:1.12@sha256:2c4..cf
docker.io/library/image-name
docker.io/library/image-name:latest
docker.io/library/image-name:latest-test
example.com/image-name:1.12
example.com/image-name:1.12-test
example.com/image-name:1.12-testing
example.com/image-name:latest@sha256:2c4..cf
example.com/image-name:latest-test@sha256:2c4..cf
example.com/image-name@sha256:2c4..cf
example.com/other-image
example.com/other-image:latest
....

stderr is empty + exit code: 0
[[_list_all_image_references_with_latest_or_no_tag_in_file]]
==== List all image references with latest or no tag in file

[subs=+macros]
....
dockmoor list --latest https://github.com/MeneDev/dockmoor/blob/master/cmd/dockmoor/end-to-end/Dockerfile[Dockerfile]
....

stdout:

[subs=+macros]
....
image-name
image-name:latest
docker.io/library/image-name
docker.io/library/image-name:latest
example.com/image-name:latest@sha256:2c4..cf
example.com/other-image
example.com/other-image:latest
....

stderr is empty + exit code: 0
[[_list_all_unpinned_image_references]]
==== List all unpinned image references

[subs=+macros]
....
dockmoor list --unpinned https://github.com/MeneDev/dockmoor/blob/master/cmd/dockmoor/end-to-end/Dockerfile[Dockerfile]
....

stdout:

[subs=+macros]
....
image-name
image-name:latest
image-name:1.12
image-name:1.12-test
image-name:1.11-test
docker.io/library/image-name
docker.io/library/image-name:latest
docker.io/library/image-name:latest-test
example.com/image-name:1.12
example.com/image-name:1.12-test
example.com/image-name:1.12-testing
example.com/other-image
example.com/other-image:latest
....

stderr is empty + exit code: 0
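
The `--latest`, `--unpinned` and `--domain` predicates and their conjunction, reproduced as an added Go example (not dockmoor's own code) over the sample list output shown above. `Ref`, `parse`, `Filter` and the predicate names are hypothetical, and the domain-detection rule is an assumed Docker convention.

```go
package main

import (
	"fmt"
	"strings"
)

// Ref is a parsed image reference; an empty Tag or Digest means "absent".
type Ref struct{ Domain, Tag, Digest string }
type Pred func(Ref) bool // one filter predicate over a parsed reference

// sampleRefs is the `dockmoor list` output shown on this page (digests abbreviated).
var sampleRefs = strings.Fields(`image-name image-name:latest image-name:1.12
image-name:1.12-test image-name:1.11-test image-name@sha256:2c4..cf
docker.io/library/image-name:1.12@sha256:2c4..cf docker.io/library/image-name
docker.io/library/image-name:latest docker.io/library/image-name:latest-test
example.com/image-name:1.12 example.com/image-name:1.12-test example.com/image-name:1.12-testing
example.com/image-name:latest@sha256:2c4..cf example.com/image-name:latest-test@sha256:2c4..cf
example.com/image-name@sha256:2c4..cf example.com/other-image example.com/other-image:latest`)

// parse splits off the digest first (it contains ':'), then the tag, then the domain.
// Assumption: the first path component is a domain only if it contains '.' or ':'
// or is "localhost"; otherwise docker.io is implied.
func parse(raw string) Ref {
	r := Ref{Domain: "docker.io"}
	if i := strings.Index(raw, "@"); i >= 0 {
		raw, r.Digest = raw[:i], raw[i+1:]
	}
	if i := strings.LastIndex(raw, ":"); i > strings.LastIndex(raw, "/") {
		raw, r.Tag = raw[:i], raw[i+1:]
	}
	if i := strings.Index(raw, "/"); i >= 0 {
		if h := raw[:i]; strings.ContainsAny(h, ".:") || h == "localhost" {
			r.Domain = h
		}
	}
	return r
}

// Latest: explicit "latest" tag, or neither tag nor digest (digest-only refs do not match).
func Latest(r Ref) bool      { return r.Tag == "latest" || (r.Tag == "" && r.Digest == "") }
func Unpinned(r Ref) bool    { return r.Digest == "" }
func InDomain(d string) Pred { return func(r Ref) bool { return r.Domain == d } }

// Filter keeps the references for which every predicate holds (conjunction).
func Filter(refs []string, preds ...Pred) (out []string) {
	for _, raw := range refs {
		r, ok := parse(raw), true
		for _, p := range preds {
			ok = ok && p(r)
		}
		if ok {
			out = append(out, raw)
		}
	}
	return
}

func main() {
	fmt.Println(Filter(sampleRefs, Latest))
	fmt.Println(Filter(sampleRefs, InDomain("example.com"), Latest))
	fmt.Println(len(Filter(sampleRefs, Unpinned)), "unpinned")
}
```
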
[[_use_unix_find_to_list_all_unpinned_image_references]]
==== Use unix find to list all unpinned image references

[subs=+macros]
....
find some-folder -type f -exec dockmoor list --unpinned {} \; | sort | uniq
....

stdout:

[subs=+macros]
....
nginx
nginx:1.15.3
nginx:latest
....

stderr is empty + exit code: 0
[[_use_unix_find_to_list_all_image_references_with_latestno_tags]]
==== Use unix find to list all image references with latest/no tags

[subs=+macros]
....
find https://github.com/MeneDev/dockmoor/blob/master/cmd/dockmoor/end-to-end/some-folder/[some-folder/] -type f -exec dockmoor list --latest {} \; | sort | uniq
....

stdout:

[subs=+macros]
....
nginx
nginx:latest
....

stderr is empty + exit code: 0
[[_use_unix_find_to_list_all_image_references]]
==== Use unix find to list all image references

[subs=+macros]
....
find https://github.com/MeneDev/dockmoor/blob/master/cmd/dockmoor/end-to-end/some-folder/[some-folder/] -type f -exec dockmoor list {} \; | sort | uniq
....

stdout:

[subs=+macros]
....
nginx
nginx:1.15.3
nginx:1.15.3-alpine@sha256:2c4..cf
nginx:latest
nginx@sha256:db5..44
....

stderr is empty + exit code: 0
[[contains-command-examples]]
=== contains command

[[_use_unix_find_to_list_all_files_containing_unpinned_references]]
==== Use unix find to list all files containing unpinned references

[subs=+macros]
....
find some-folder -type f -exec dockmoor contains --unpinned {} \; -print
....

stdout:

[subs=+macros]
....
https://github.com/MeneDev/dockmoor/blob/master/cmd/dockmoor/end-to-end/some-folder/Dockerfile-nginx-latest[some-folder/Dockerfile-nginx-latest]
https://github.com/MeneDev/dockmoor/blob/master/cmd/dockmoor/end-to-end/some-folder/Dockerfile-nginx-1.15.3[some-folder/Dockerfile-nginx-1.15.3]
https://github.com/MeneDev/dockmoor/blob/master/cmd/dockmoor/end-to-end/some-folder/Dockerfile-nginx-untagged[some-folder/Dockerfile-nginx-untagged]
https://github.com/MeneDev/dockmoor/blob/master/cmd/dockmoor/end-to-end/some-folder/subfolder/Dockerfile-nginx-latest[some-folder/subfolder/Dockerfile-nginx-latest]
....

stderr is empty + exit code: 0
[[_use_unix_find_to_list_all_files_containing_latestno_tags]]
==== Use unix find to list all files containing latest/no tags

[subs=+macros]
....
find some-folder -type f -exec dockmoor contains --latest {} \; -print
....

stdout:

[subs=+macros]
....
https://github.com/MeneDev/dockmoor/blob/master/cmd/dockmoor/end-to-end/some-folder/Dockerfile-nginx-latest[some-folder/Dockerfile-nginx-latest]
https://github.com/MeneDev/dockmoor/blob/master/cmd/dockmoor/end-to-end/some-folder/Dockerfile-nginx-untagged[some-folder/Dockerfile-nginx-untagged]
https://github.com/MeneDev/dockmoor/blob/master/cmd/dockmoor/end-to-end/some-folder/subfolder/Dockerfile-nginx-latest[some-folder/subfolder/Dockerfile-nginx-latest]
....

stderr is empty
[[_use_unix_find_to_list_all_supported_files]]
==== Use unix find to list all supported files

[subs=+macros]
....
find some-folder -type f -exec dockmoor contains {} \; -print
....

stdout:

[subs=+macros]
....
https://github.com/MeneDev/dockmoor/blob/master/cmd/dockmoor/end-to-end/some-folder/Dockerfile-nginx-latest[some-folder/Dockerfile-nginx-latest]
https://github.com/MeneDev/dockmoor/blob/master/cmd/dockmoor/end-to-end/some-folder/Dockerfile-nginx-1.15.3[some-folder/Dockerfile-nginx-1.15.3]
https://github.com/MeneDev/dockmoor/blob/master/cmd/dockmoor/end-to-end/some-folder/Dockerfile-nginx-tagged-digest[some-folder/Dockerfile-nginx-tagged-digest]
https://github.com/MeneDev/dockmoor/blob/master/cmd/dockmoor/end-to-end/some-folder/Dockerfile-nginx-untagged[some-folder/Dockerfile-nginx-untagged]
https://github.com/MeneDev/dockmoor/blob/master/cmd/dockmoor/end-to-end/some-folder/Dockerfile-nginx-digest[some-folder/Dockerfile-nginx-digest]
https://github.com/MeneDev/dockmoor/blob/master/cmd/dockmoor/end-to-end/some-folder/subfolder/Dockerfile-nginx-latest[some-folder/subfolder/Dockerfile-nginx-latest]
....

stderr is empty + exit code: 0
[[_test_the_format_of_a_file]]
==== Test the format of a file

The `contains` command returns with exit code 0 when a matching image reference was found. Using the `--any` predicate makes it match any file with a supported format that contains at least one image reference.

[subs=+macros]
....
dockmoor contains https://github.com/MeneDev/dockmoor/blob/master/cmd/dockmoor/end-to-end/Dockerfile[Dockerfile]
....

stdout is empty + stderr is empty + exit code: 0

[subs=+macros]
....
dockmoor contains https://github.com/MeneDev/dockmoor/blob/master/cmd/dockmoor/end-to-end/some-folder/NotADockerfile[some-folder/NotADockerfile]
....

stdout is empty + stderr is empty + exit code: 4
[[_supported_formats]]
== Supported Formats

- https://github.com/MeneDev/dockmoor/blob/master/cmd/dockmoor/end-to-end/Dockerfile[Dockerfile] (as used by `docker build`)

[[_usage]]
== Usage

dockmoor [OPTIONS] <link:#contains-command[contains] | link:#list-command[list] | link:#pin-command[pin]> [command-OPTIONS]
[[_application_options]]
== Application Options

-l, --log-level Sets the log-level (one of `NONE`, `ERROR`, `WARN`, `INFO`, `DEBUG`)
--version Show version and exit

[[_commands]]
=== Commands

- link:#contains-command[contains]
- link:#list-command[list]
- link:#pin-command[pin]
[[_contains_command]]
==== contains command

dockmoor [OPTIONS] contains [contains-OPTIONS] InputFile

Test if a file contains image references with matching predicates. Returns exit code 0 when the given input contains at least one image reference that satisfies the given conditions and is of valid format, non-zero otherwise.

[[_domain_predicates]]
===== Domain Predicates

Limit matched image references depending on their domain

--domain Matches all images matching one of the specified domains. Surround with '/' for regex i.e. /regex/.

[[_name_predicates]]
===== Name Predicates

Limit matched image references depending on their name

--name Matches all images matching one of the specified names (e.g. "docker.io/library/nginx"). Surround with '/' for regex i.e. /regex/.
-f, --familiar-name Matches all images matching one of the specified familiar names (e.g. "nginx"). Surround with '/' for regex i.e. /regex/.
--path Matches all images matching one of the specified paths (e.g. "library/nginx"). Surround with '/' for regex i.e. /regex/.

[[_tag_predicates]]
===== Tag Predicates

Limit matched image references depending on their tag

--untagged Matches images with no tag
--latest Matches images with latest or no tag. References with digest are only matched when explicit latest tag is present.
--tag Matches all images matching one of the specified tags. Surround with '/' for regex i.e. /regex/.

[[_digest_predicates]]
===== Digest Predicates

Limit matched image references depending on their digest

--unpinned Matches unpinned image references, i.e. image references without digest.
--digest Matches all image references with one of the provided digests.

[[_list_command]]
==== list command

dockmoor [OPTIONS] list [list-OPTIONS] InputFile

List image references with matching predicates. Returns exit code 0 when the given input contains at least one image reference that satisfies the given conditions and is of valid format, non-zero otherwise.

[[_domain_predicates_2]]
===== Domain Predicates

Limit matched image references depending on their domain

--domain Matches all images matching one of the specified domains. Surround with '/' for regex i.e. /regex/.

[[_name_predicates_2]]
===== Name Predicates

Limit matched image references depending on their name

--name Matches all images matching one of the specified names (e.g. "docker.io/library/nginx"). Surround with '/' for regex i.e. /regex/.
-f, --familiar-name Matches all images matching one of the specified familiar names (e.g. "nginx"). Surround with '/' for regex i.e. /regex/.
--path Matches all images matching one of the specified paths (e.g. "library/nginx"). Surround with '/' for regex i.e. /regex/.

[[_tag_predicates_2]]
===== Tag Predicates

Limit matched image references depending on their tag

--untagged Matches images with no tag
--latest Matches images with latest or no tag. References with digest are only matched when explicit latest tag is present.
--tag Matches all images matching one of the specified tags. Surround with '/' for regex i.e. /regex/.

[[_digest_predicates_2]]
===== Digest Predicates

Limit matched image references depending on their digest

--unpinned Matches unpinned image references, i.e. image references without digest.
--digest Matches all image references with one of the provided digests.

[[_pin_command]]
==== pin command

dockmoor [OPTIONS] pin [pin-OPTIONS] InputFile

Change image references to a more reproducible format

[[_domain_predicates_3]]
===== Domain Predicates

Limit matched image references depending on their domain

--domain Matches all images matching one of the specified domains. Surround with '/' for regex i.e. /regex/.

[[_name_predicates_3]]
===== Name Predicates

Limit matched image references depending on their name

--name Matches all images matching one of the specified names (e.g. "docker.io/library/nginx"). Surround with '/' for regex i.e. /regex/.
-f, --familiar-name Matches all images matching one of the specified familiar names (e.g. "nginx"). Surround with '/' for regex i.e. /regex/.
--path Matches all images matching one of the specified paths (e.g. "library/nginx"). Surround with '/' for regex i.e. /regex/.

[[_tag_predicates_3]]
===== Tag Predicates

Limit matched image references depending on their tag

--untagged Matches images with no tag
--latest Matches images with latest or no tag. References with digest are only matched when explicit latest tag is present.
--tag Matches all images matching one of the specified tags. Surround with '/' for regex i.e. /regex/.

[[_digest_predicates_3]]
===== Digest Predicates

Limit matched image references depending on their digest

--unpinned Matches unpinned image references, i.e. image references without digest.
--digest Matches all image references with one of the provided digests.

[[_reference_format]]
===== Reference format

Control the format of references, defaults are sensible, changes are not recommended

--force-domain Includes domain even in well-known references
--no-name Formats well-known references as digest only
--no-tag Don't include the tag in the reference
--no-digest Don't include the digest in the reference

[[_pin_options]]
===== Pin Options

Control how the image references are resolved

-r, --resolver Strategy to resolve image references (one of `dockerd`, `registry`)
--tag-mode Strategy to resolve image references (one of `unchanged`)

[[_output_parameters]]
===== Output parameters

Output parameters

-o, --output Output file to write to. If empty, input file will be used.

[[_building_locally_and_contributing]]
== Building locally and Contributing

Appreciated! See link:CONTRIBUTING.md[CONTRIBUTING] for details.

[[_roadmap]]
== Roadmap

Currently dockmoor is in a very early stage and under constant development.
To get an idea where the journey will go, take a look at the link:ROADMAP.md[Roadmap]