Container Base Image Linter
A VS Code/Cursor extension that validates Dockerfile base images against an approved list to ensure security and compliance.
Features
- 🔍 Real-time linting of Dockerfile base images
- ⚡ Quick fixes with smart suggestions via lightbulb (💡) code actions
- 🎯 Intelligent matching - suggests similar approved images (e.g., python:2.7 → python:3.11, python:3.12)
- 🚀 Zero configuration - approved list is managed centrally via extension updates
- ✅ Multi-stage build support - validates all FROM statements
- 🔄 Auto-activation - works on any Dockerfile automatically
How It Works
When you open a Dockerfile, the extension:
- Scans all FROM statements
- Checks if base images are in the approved list
- Shows red error squiggles for unapproved images
- Provides one-click quick fixes to replace with approved alternatives
Example
# ❌ This will show an error
FROM python:2.7
# ✅ This is approved
FROM python:3.11
Click the lightbulb (💡) or press Cmd+. (Mac) / Ctrl+. (Windows/Linux) on the error to see suggested fixes.
Approved Base Images
View the current list:
- Check src/approvedImages.ts in the repository
- Or run the command "Show Approved Base Images" in VS Code/Cursor
Special Cases
- scratch - Always allowed (minimal base image)
- Build arguments (e.g., FROM ${BASE_IMAGE}) - Ignored
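A sketch of the check described under How It Works and Special Cases, added here as an example and not the extension's own code. The approved list is a constructed sample, and the names `lintBaseImages` and `repoOf`, the `--platform` flag handling and the skipping of earlier stage names are assumptions of this sketch.

```typescript
// Constructed sample list; the extension's real list is in src/approvedImages.ts.
const APPROVED: ReadonlySet<string> = new Set(["python:3.11", "python:3.12", "node:24-slim"]);

interface Finding { line: number; image: string; suggestions: string[]; }

// Repository part of "repo:tag"; a ":" inside a registry host:port is not a tag separator.
function repoOf(image: string): string {
  const tag = image.lastIndexOf(":");
  return tag > image.lastIndexOf("/") ? image.slice(0, tag) : image;
}

// Hypothetical helper: one finding per FROM line whose image is not approved.
function lintBaseImages(dockerfile: string, approved: ReadonlySet<string> = APPROVED): Finding[] {
  const findings: Finding[] = [];
  const stages = new Set<string>(); // names declared by earlier "FROM ... AS <name>"
  const lines = dockerfile.split(/\r?\n/);
  for (let i = 0; i < lines.length; i++) {
    // FROM [--platform=...] <image> [AS <name>]
    const m = /^\s*FROM\s+(?:--\S+\s+)*(\S+)(?:\s+AS\s+(\S+))?/i.exec(lines[i]);
    if (!m) continue;
    const ref = m[1];
    const isStage = stages.has(ref.toLowerCase());
    if (m[2]) stages.add(m[2].toLowerCase());
    // Special cases: scratch is always allowed, build arguments are ignored.
    // Skipping earlier stage names is an assumption of this sketch.
    if (ref === "scratch" || ref.includes("$") || isStage) continue;
    const image = ref.split("@")[0]; // compare the tag part of digest-pinned references
    if (approved.has(image)) continue;
    const suggestions = Array.from(approved).filter((a) => repoOf(a) === repoOf(image));
    findings.push({ line: i + 1, image: ref, suggestions });
  }
  return findings;
}

// Constructed Dockerfile (the digest is a placeholder, not a real one).
const SAMPLE = [
  "FROM python:2.7 AS build",
  "FROM --platform=linux/amd64 node:24-slim@sha256:0000 AS web",
  "FROM ${BASE_IMAGE}",
  "FROM build AS test",
  "FROM scratch",
].join("\n");
```

Because the digest is dropped before comparison, this sketch accepts any digest under an approved tag; it checks naming policy, not image content.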
Commands
- Show Approved Base Images - Display the full list of approved images
Press Cmd+Shift+P (Mac) / Ctrl+Shift+P (Windows/Linux) and type "Show Approved Base Images"
Installation
From Marketplace
- Open VS Code/Cursor
- Go to Extensions (Cmd+Shift+X / Ctrl+Shift+X)
- Search for "Container Base Image Linter"
- Click Install
From VSIX
code --install-extension container-base-image-linter-0.1.0.vsix
Development
Prerequisites
Setup
git clone https://github.com/raphsutti/sec-container-base-image-linter.git
cd sec-container-base-image-linter
pnpm install
Run Extension
Press F5 to open Extension Development Host
Build
pnpm run compile
Package
pnpm run package
Release/Publishing
Publishing a New Version
Update version number in package.json:
"version": "0.1.2" // Increment version
Update release notes in README.md under Release Notes section
Build and package:
pnpm run package # Type check, lint, and production build
pnpm vsce package # Creates .vsix file
Upload to marketplace:
Wait for verification (~5-15 minutes)
Version Numbering
- Patch (0.1.0 → 0.1.1): Bug fixes, minor changes
- Minor (0.1.0 → 0.2.0): New features, backward compatible
- Major (0.1.0 → 1.0.0): Breaking changes
Alternative: CLI Publishing (requires Personal Access Token)
pnpm vsce login RaphaelSuttiyotin
pnpm vsce publish patch # or minor/major
Contributing
Contributions are welcome! Please feel free to submit a Pull Request.
License
MIT
Release Notes
0.1.2
- Added more approved base images
0.1.1
- Fixed: Support for digest-based images (e.g., node:24-slim@sha256:...)
- Added: More Node.js versions (21, 23, 24)
- Added: Python 3.15
- Added: Extension icon
0.1.0
Initial release:
- Real-time Dockerfile base image linting
- Quick fix code actions with smart suggestions
- Support for multi-stage builds
- Hardcoded approved base images list (Python, Node.js, Ubuntu, Alpine, Debian)