Your Dockerfile Scanner Should Break the Build

Source: DEV Community
The problem

Last month I shipped docker-scan-lite. It scanned. It warned. Then everyone kept shipping broken images anyway. Because it always exited 0. Green pipeline. Every time. Didn't matter if you had USER root with a hardcoded AWS key. CI said ✅. You shipped it.

Warnings without consequences are just noise.

Now it breaks the build

```
docker-scan-lite -f Dockerfile --exit-code high
```

One flag. Pipeline stops when it matters.

GitHub Action

No install step. No binary downloads:

```yaml
- name: Scan Dockerfile
  uses: nickciolpan/docker-scan-lite@v1
  with:
    dockerfile: Dockerfile
    fail-on: high
```

Hardcoded secret? Blocked. Running as root? Blocked. Sensitive env var in plaintext? Blocked. Everything else — warnings. You see them, you decide.

New checks

Missing HEALTHCHECK:

```
⚠️ [INFO] No HEALTHCHECK instruction found
```

Your orchestrator is flying blind without it.

No USER instruction:

```
⚠️ [MEDIUM] No USER instruction in final stage. Container will run as root by default
```

Not USER root — no USER at all.

The sil
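Added example, not docker-scan-lite's own code: a minimal Python scanner that implements the gate the post describes, with the root, missing-USER, HEALTHCHECK and plaintext-secret checks feeding a fail-on threshold that decides the exit code. The severity ordering, the sensitive-name list and the AWS key pattern are assumptions, and the sample Dockerfile is constructed.

```python
import re

# Severity ranks for the fail-on threshold. The three levels come from the post;
# the ordering and the HIGH rating of root/secret findings are assumptions.
SEVERITY = {"INFO": 0, "MEDIUM": 1, "HIGH": 2}
# Assumed patterns: sensitive-looking ENV/ARG names and the AWS access key id shape.
SECRET_NAME = re.compile(r"SECRET|PASSWORD|TOKEN|AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY", re.I)
AWS_ACCESS_KEY = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# Constructed sample that trips the root, secret and HEALTHCHECK checks.
SAMPLE = """FROM python:3.12-slim
ENV AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
COPY . /app
USER root
CMD ["python", "/app/main.py"]
"""

def scan_dockerfile(text):
    """Return (severity, message) findings; only the final stage's USER counts."""
    stages = [[]]  # one list of instructions per FROM stage
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.upper().startswith("FROM "):
            stages.append([])
        stages[-1].append(line)
    every = [l for stage in stages for l in stage]
    findings = []
    users = [l.split(None, 1)[1] for l in stages[-1] if l.upper().startswith("USER ")]
    if not users:
        findings.append(("MEDIUM", "No USER instruction in final stage. Container will run as root by default"))
    elif users[-1].split(":")[0] in ("root", "0"):
        findings.append(("HIGH", f"Final stage runs as root: USER {users[-1]}"))
    if not any(l.upper().startswith("HEALTHCHECK") for l in every):
        findings.append(("INFO", "No HEALTHCHECK instruction found"))
    for l in every:
        if not l.upper().startswith(("ENV ", "ARG ")):
            continue
        body = l.split(None, 1)[1]
        has_value = "=" in body or len(body.split()) >= 2  # a bare "ARG NAME" has no value
        if AWS_ACCESS_KEY.search(body):
            findings.append(("HIGH", f"Hardcoded AWS access key: {l}"))
        elif has_value and SECRET_NAME.search(body):
            findings.append(("HIGH", f"Sensitive value in plaintext: {l}"))
    return findings

def exit_code(findings, fail_on):
    """The build gate: 0 unless some finding is at or above the fail-on level."""
    return 1 if any(SEVERITY[sev] >= SEVERITY[fail_on.upper()] for sev, _ in findings) else 0
```

Wire `exit_code(scan_dockerfile(open(path).read()), "high")` into `sys.exit()` and the pipeline fails on the sample above but passes an image that only lacks a USER line with `fail-on: high`, which is exactly the difference between a warning and a blocker.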