hadolint/DL3026

Use only an allowed registry in the FROM image.

Property	Value
Severity	Off
Category	Security
Default	Off (disabled until configured)

Description

Using the FROM instruction is a significant exercise in trust. Some organizations copy trusted images into their own repositories to prevent malicious retagging. This rule enforces that only images from explicitly allowed registries are used. This rule is disabled by default and must be configured with a list of trusted registries to take effect.

Examples

Problematic code

FROM randomguy/python:3.6

Correct code

FROM my-registry.com/python:3.6

tally enhancements

tally extends the original Hadolint rule with:

Wildcard support: * matches any registry, *.example.com matches any subdomain (suffix match), prefix* matches registries starting with prefix
Docker Hub normalization: docker.io, index.docker.io, registry-1.docker.io, registry.hub.docker.com, and hub.docker.com are all normalized to docker.io
Stage references: Automatically skips stage-to-stage references (FROM stagename)
Scratch always allowed: The special scratch base image is always permitted

Configuration

[rules.hadolint.DL3026]
severity = "warning"
trusted-registries = ["docker.io", "gcr.io", "*.example.com"]

Reference

hadolint/DL3026

Overview

Security

Correctness

Performance

Style

GPU / CUDA

PHP

PowerShell

Windows

BuildKit Rules

Hadolint Rules

ShellCheck Rules

hadolint/DL3026

Description

Examples

Problematic code

Correct code

tally enhancements

Configuration

Reference

Overview

Security

Correctness

Performance

Style

GPU / CUDA

PHP

PowerShell

Windows

BuildKit Rules

Hadolint Rules

ShellCheck Rules

​Description

​Examples

​Problematic code

​Correct code

​tally enhancements

​Configuration

​Reference

Description

Examples

Problematic code

Correct code

tally enhancements

Configuration

Reference