If you are already using DeepSource, know that you can enable multiple analyzers for every repository, and Docker can be one of them. If you don’t use DeepSource already, you can start here.
If you already have DeepSource installed, you can add the Docker analyzer from the “Generate Configuration” page. If you prefer to do this manually, skip this part.
You can enable the Docker analyzer to run for your repository’s analysis by adding this configuration to the
.deepsource.toml file in your repository:
[[analyzers]] name = "docker" enabled = true
These three lines add a new entry to the
analyzers array in the TOML configuration, with two properties:
name = "docker" tells DeepSource to use Docker analyzer.
When you enable multiple analyzers, each of them should get their own
[[analyzers]] block in the configuration file.
This will work out of the box if don’t use custom file paths or file names to for your Dockerfiles.
In case you have your Dockerfiles in non-default locations, anything other than
Dockerfile at the root of your repository, you can specify the location of these files through additional configuration. To do this, you add a
dockerfile_paths array to the the otherwise optional
meta table in the same block.
Say, you have multiple Dockerfiles as
./env/Dockerfile_prod, you can write them as:
[[analyzers]] name = "docker" enabled = true [analyzers.meta] dockerfile_paths = [ "./env/Dockerfile_dev", "./env/Dockerfile_prod" ]
You will need to commit the updated configuration file in your repo for DeepSource to pick up the changes. After that, DeepSource will keep a watch out for issues in your Docker configuration.
See Hashicorp’s resource page on “Infrastructure as Code: What Is It? Why Is It Important?". ↩︎
When we compared these numbers with the number of repositories that use either Python or Go analyzers, we found that a lot of these repositories have Dockerfiles in them, but they did not enable analysis for their Dockerfiles. Turns out we haven’t communicated clearly that you can combine analyzers in your
.deepsource.toml file. ↩︎