@agentlaunchopsai/dockerignore-guard
v1.0.0
Published
Scan Docker build contexts for missing .dockerignore protections.
Maintainers
Readme
Dockerignore Guard
Dockerignore Guard scans Docker build contexts for missing .dockerignore
protections that can send slow, sensitive, or noisy files into Docker builds.
It runs locally and does not send project contents to any service.
What It Checks
- Dockerfiles that use broad
COPY .orADD .without a.dockerignore - Missing ignores for present high-noise paths such as
.git,node_modules,dist,coverage,.venv, andvendor - Missing ignores for present sensitive files such as
.env,.npmrc,.pypirc, and private-key filenames - Dockerfiles that directly copy sensitive files into the image
- Dockerfile-specific ignore files, such as
build.Dockerfile.dockerignore
Install
npm install -g @agentlaunchopsai/dockerignore-guardLocal development:
npm install
npm test
node src/cli.js .Usage
dockerignore-guard .
dockerignore-guard . --json
dockerignore-guard . --sarif
dockerignore-guard . --no-fail
dockerignore-guard --init
npx @agentlaunchopsai/dockerignore-guard .The CLI exits with 0 when no findings are present, 1 when findings are
present, and 2 for runtime errors. Use --no-fail when a CI job should report
findings without failing the build.
--init prints a conservative .dockerignore baseline:
dockerignore-guard --init > .dockerignoreGitHub code scanning example:
name: dockerignore-guard
on:
pull_request:
push:
branches: [main]
jobs:
scan-docker-context:
runs-on: ubuntu-latest
permissions:
security-events: write
contents: read
timeout-minutes: 5
steps:
- uses: actions/checkout@v4
- run: npx -y @agentlaunchopsai/dockerignore-guard . --sarif --no-fail > dockerignore-guard.sarif
- uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: dockerignore-guard.sarif
License
MIT
