> ## Documentation Index
> Fetch the complete documentation index at: https://tally.wharflab.com/llms.txt
> Use this file to discover all available pages before exploring further.

# hadolint/DL3026

> Use only an allowed registry in the `FROM` image.

Use only an allowed registry in the `FROM` image.

| Property | Value                           |
| -------- | ------------------------------- |
| Severity | Off                             |
| Category | Security                        |
| Default  | Off (disabled until configured) |

## Description

Using the `FROM` instruction is a significant exercise in trust. Some organizations copy trusted images into their own repositories to prevent
malicious retagging. This rule enforces that only images from explicitly allowed registries are used.

This rule is disabled by default and must be configured with a list of trusted registries to take effect.

## Examples

### Problematic code

```dockerfile theme={null}
FROM randomguy/python:3.6
```

### Correct code

```dockerfile theme={null}
FROM my-registry.com/python:3.6
```

## tally enhancements

tally extends the original Hadolint rule with:

* **Wildcard support**: `*` matches any registry, `*.example.com` matches any subdomain (suffix match), `prefix*` matches registries starting with
  prefix
* **Docker Hub normalization**: `docker.io`, `index.docker.io`, `registry-1.docker.io`, `registry.hub.docker.com`, and `hub.docker.com` are all
  normalized to `docker.io`
* **Stage references**: Automatically skips stage-to-stage references (`FROM stagename`)
* **Scratch always allowed**: The special `scratch` base image is always permitted

### Configuration

```toml theme={null}
[rules.hadolint.DL3026]
severity = "warning"
trusted-registries = ["docker.io", "gcr.io", "*.example.com"]
```

## Reference

* [hadolint/DL3026](https://github.com/hadolint/hadolint/wiki/DL3026)
