Healthcheck instructions have not been added to container image
ID | no_healthcheck
Severity | low
Vendor | Docker
Resource | Networking
Tags | reachable
Description
Add the HEALTHCHECK instruction to your Docker container images to ensure that health checks are executed against running containers.
Adding a HEALTHCHECK instruction to a container image ensures that the Docker engine periodically runs the specified health check to verify that containers are still available. Based on the results of the health check, the Docker engine could terminate containers which are not responding correctly and instantiate new ones.
This detector emits a flaw if no HEALTHCHECK instruction is found in the Dockerfile.
Examples
A flaw will be emitted at the first instruction of any Dockerfile without a HEALTHCHECK command.
HEALTHCHECK NONE, which disables any health check inherited from the base image, is allowed if the image does not need health checks, either because it is an image to be composed with other images, or because it is a simple tool rather than a long-running service that needs to be checked for availability.
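The detector's decision, written out as an added Python example (not the scanner's own code): a flaw anchored at the first instruction when no HEALTHCHECK is present, with HEALTHCHECK NONE accepted as described above. The sample Dockerfiles are constructed for this example.

```python
import re

# Dockerfile keywords are case-insensitive; match "KEYWORD args" on a joined line.
_INSTRUCTION = re.compile(r"^([A-Za-z]+)\s*(.*)$")

def parse_instructions(dockerfile: str):
    """Yield (line_number, KEYWORD, args) per logical instruction: joins
    backslash-continued lines, skips blanks, comments and '# syntax=' directives,
    and reports the line on which the instruction starts."""
    parts, start = [], None
    for n, raw in enumerate(dockerfile.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if start is None:
            start = n
        if line.endswith("\\"):  # continuation: keep collecting
            parts.append(line[:-1])
            continue
        parts.append(line)
        m = _INSTRUCTION.match(" ".join(parts))
        if m:
            yield start, m.group(1).upper(), m.group(2)
        parts, start = [], None

def check_healthcheck(dockerfile: str):
    """Return None when a HEALTHCHECK is present (HEALTHCHECK NONE counts as an
    explicit choice and is accepted); otherwise a flaw anchored at the first
    instruction, which is where the no_healthcheck detector reports it."""
    instructions = list(parse_instructions(dockerfile))
    if not instructions:
        return None  # empty Dockerfile: nothing to build, nothing to flag
    if any(keyword == "HEALTHCHECK" for _, keyword, _ in instructions):
        return None
    line, keyword, _ = instructions[0]
    return {"id": "no_healthcheck", "severity": "low", "line": line, "instruction": keyword}

# Constructed sample Dockerfiles (not taken from the page) to exercise the check.
MISSING = """# syntax=docker/dockerfile:1
FROM nginx:alpine
COPY site/ /usr/share/nginx/html/
"""
PRESENT = """FROM nginx:alpine
healthcheck --interval=5m --timeout=3s \\
    CMD curl -f http://localhost/ || exit 1
"""
NONE_OK = """FROM alpine:3.19
HEALTHCHECK NONE
"""
```

Running `check_healthcheck(MISSING)` reports the flaw at line 2 (the FROM instruction, since the parser directive on line 1 is skipped); the other two samples return None.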
Mitigation / Fix
# ... rest of commands ...
HEALTHCHECK --interval=5m --timeout=3s \
    CMD curl -f http://localhost/ || exit 1
Example using curl; often a custom health-check tool is used instead.
As an alternative to the HEALTHCHECK instruction in the Dockerfile, a health check could be defined in docker-compose in a similar manner:
# Health check, docker-compose version (the healthcheck key needs compose file format 2.1 or later)
version: '3.8'
services:
  web:
    image: my_web_app
    build:
      context: ./
      dockerfile: Dockerfile
    restart: unless-stopped
    ports:
      - "80:80"
    healthcheck:
      test: curl --fail http://localhost || exit 1
      interval: 60s
      retries: 5
      start_period: 20s
      timeout: 10s
To fetch the current status of the health check, docker inspect could be used:
$ docker inspect --format='{{json .State.Health}}' <container>
{"Status":"healthy","FailingStreak":0,"Log":[{...}]}