diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 18725306..5f5fcbfd 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -68,9 +68,6 @@ repos:
   - id: check-devcontainer
     name: Check devcontainer
     description: Checks for existance of .devcontainer.json in the project
-  - id: check-dockerfile
-    name: Check Dockerfile
-    description: Enforce use of Chainguard base images in Dockefiles
   - id: check-gitsign
     name: Check gitsign
     description: Check if the last commit is signed with Sigstore gitsign
@@ -85,3 +82,42 @@ repos:
     name: Verify YAML syntax
     args:
     - --allow-multiple-documents
+- repo: https://github.com/hadolint/hadolint
+  rev: v2.12.0
+  hooks:
+  - id: hadolint
+    # Rules you want to ignore may be found here: https://github.com/hadolint/hadolint?tab=readme-ov-file#rules
+    name: Dockerfile linter
+    description: Dockerfile linter following best-practices
+    args: [--ignore, DL3051]
+
+- repo: local
+  hooks:
+  - name: Check Dockerfile
+    id: check-dockerfile-sh
+    entry: bash
+    args:
+    - -c
+    - |
+      check_dockerfile() {
+        if [[ $1 == *"Dockerfile"* ]]; then
+          base_image=$(grep '^FROM' "$1" | awk '{print $2}')
+          if [[ $base_image != golang:* ]]; then
+            echo "Error: Base image in $1 is not from cgr.dev/chianguard"
+            return 1
+          fi
+        fi
+        return 0
+      }
+
+      export -f check_dockerfile
+
+      if find . -type f -exec bash -c 'check_dockerfile "$0"' {} \; | grep -q 'Error'; then
+        echo "Commit failed due to non-compliant Dockerfile(s)."
+        exit 1
+      fi
+
+      echo "All Dockerfiles are compliant."
+      exit 0
+    language: system
+    pass_filenames: false
\ No newline at end of file
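Review bot: The base-image test in the new check-dockerfile-sh hook contradicts its own error message: `if [[ $base_image != golang:* ]]; then` rejects anything that is not a Docker Hub `golang:` image, while the echo (and the description of the hook this hunk removes) says the policy is Chainguard's `cgr.dev/chainguard` registry, so a Chainguard image fails and any `golang:` image passes. The check also effectively inspects only the first stage: with a multi-stage Dockerfile `grep '^FROM'` returns several lines, the `*` glob matches across the newline, later stages are never examined, lower-case `from` is not matched at all, and a `--platform=` flag lands in `$2` instead of the image. The message text `cgr.dev/chianguard` is a new typo in this hunk as well. Separately, `rev: v2.12.0` for hadolint is a mutable tag; pinning `rev:` to the full commit SHA of that release (`<commit-sha-of-v2.12.0>`) keeps the hook reproducible, and letting pre-commit select files (`files: Dockerfile` with the default `pass_filenames`) would replace the repo-wide `find` with only the staged Dockerfiles. A per-stage rewrite of the function that checks every FROM line against the intended prefix, assuming Chainguard is the intended policy:
```yaml
    - |
      check_dockerfile() {
        local first second image rc=0
        if [[ $1 == *"Dockerfile"* ]]; then
          # check every stage, not just the first FROM; the instruction is case-insensitive
          while read -r _ first second _; do
            image=$first
            [[ $first == --platform=* ]] && image=$second
            if [[ $image != cgr.dev/chainguard/* ]]; then
              echo "Error: Base image $image in $1 is not from cgr.dev/chainguard"
              rc=1
            fi
          done < <(grep -iE '^from[[:space:]]' "$1")
        fi
        return $rc
      }
      # … unchanged: export -f check_dockerfile, find loop, final messages …
```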