
hadolint/DL3026

Use only an allowed registry in the FROM image.

Property   Value
Severity   Off
Category   Security
Default    Off (disabled until configured)

Description

Using the FROM instruction is a significant exercise in trust. Some organizations copy trusted images into their own repositories to prevent malicious retagging. This rule enforces that only images from explicitly allowed registries are used.

This rule is disabled by default and must be configured with a list of trusted registries to take effect.

Examples

Problematic code

FROM randomguy/python:3.6

Correct code

FROM my-registry.com/python:3.6

tally enhancements

tally extends the original Hadolint rule with:

  • Wildcard support: * matches any registry, *.example.com matches any subdomain (suffix match), prefix* matches registries starting with prefix
  • Docker Hub normalization: docker.io, index.docker.io, registry-1.docker.io, registry.hub.docker.com, and hub.docker.com are all normalized to docker.io
  • Stage references: Automatically skips stage-to-stage references (FROM stagename)
  • Scratch always allowed: The special scratch base image is always permitted

Configuration

[rules.hadolint.DL3026]
severity = "warning"
trusted-registries = ["docker.io", "gcr.io", "*.example.com"]
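The registry extraction, Docker Hub normalization, wildcard matching and stage/scratch handling described above, worked through as an added Python example (not tally's or hadolint's own code). It assumes Docker's convention for deciding whether the first path component of an image reference is a registry, keeps any port as part of the registry name, and runs a constructed sample Dockerfile against both a private-registry allow-list and the configuration shown above.

```python
import re
# Docker Hub aliases that tally folds into docker.io (listed in the rule text).
DOCKER_HUB_ALIASES = {"docker.io", "index.docker.io", "registry-1.docker.io",
                      "registry.hub.docker.com", "hub.docker.com"}
# FROM [--platform=...] <image> [AS <stage>]
FROM_RE = re.compile(r"^\s*FROM\s+(?:--\S+\s+)*(\S+)(?:\s+AS\s+(\S+))?\s*$", re.I)

def registry_of(image: str) -> str:
    """Registry of an image reference, Docker Hub aliases folded to docker.io.
    Docker's rule: the first path component is a registry only if it looks like a host."""
    first, slash, _ = image.partition("/")
    if not slash or not ("." in first or ":" in first or first == "localhost"):
        return "docker.io"
    host = first.lower()
    return "docker.io" if host in DOCKER_HUB_ALIASES else host

def registry_matches(registry: str, pattern: str) -> bool:
    """tally's wildcard forms: '*', '*suffix' (suffix match), 'prefix*'."""
    if pattern == "*":
        return True
    if pattern.startswith("*"):
        return registry.endswith(pattern[1:])
    if pattern.endswith("*"):
        return registry.startswith(pattern[:-1])
    return registry == pattern

def check_dl3026(dockerfile: str, trusted: list[str]) -> list[tuple[int, str, str]]:
    """(line, image, registry) for each FROM whose registry is not allow-listed;
    scratch and stage-to-stage references are always permitted."""
    findings, stages = [], set()
    for lineno, line in enumerate(dockerfile.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        image, stage = m.groups()
        if image.lower() != "scratch" and image.lower() not in stages:
            reg = registry_of(image)
            if not any(registry_matches(reg, p) for p in trusted):
                findings.append((lineno, image, reg))
        if stage:  # recorded after the check: a stage is only usable below itself
            stages.add(stage.lower())
    return findings

# Constructed sample Dockerfile mixing the page's two examples with a stage reference.
SAMPLE = """FROM --platform=linux/amd64 golang:1.22 AS builder
FROM randomguy/python:3.6
FROM index.docker.io/library/alpine:3.19
FROM my-registry.com/python:3.6
FROM builder
FROM scratch
"""
```

Note that with the page's own configuration (docker.io trusted) the private-registry image is the one flagged, while a private-only allow-list flags every Docker Hub image, including the normalized index.docker.io form.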

Reference