DL3050 - Superfluous label(s) present

Purpose

Ensure images only carry labels defined in the expected schema when strict validation is enabled.

Scope

Evaluates every LABEL instruction when a label schema is configured and strict mode is active.

Rule Statement (normative)

Emit DL3050 when a LABEL instruction includes a key not present in the configured label schema while strict mode is enabled.

Message: Superfluous label(s) present.

Rationale

Restricting labels to a known set prevents typos and unauthorized metadata from entering images.

Configuration

Provide a label schema and enable strict validation. Without strict mode, this rule is silent.

Detection Logic (high-level)

  1. If strict mode is disabled, no findings are produced.
  2. For each LABEL instruction, extract key/value pairs.
  3. Report DL3050 if any key is absent from the schema (one finding per instruction).

Severity

info

Examples

Non-compliant

Schema: { "org.opencontainers.image.source": string } Dockerfile LABEL org.opencontainers.image.revision="abcd1234"

Compliant

Dockerfile LABEL org.opencontainers.image.source="https://github.com/acme/project"

(c) 2025 Asymmetric Effort, LLC. scaldwell@asymmetric-effort.com Asymmetric Effort logo