Release: Static analysis for Dockerfile
If you are shipping code to production today, there is a very high chance that you've been using Docker to containerize your application so it runs reliably in every environment: local, staging, production, and anything in between. With Dockerfiles becoming a regular feature in most projects, it is important to ensure that you're shipping good Dockerfiles as well.
DeepSource now supports continuous static analysis for Dockerfiles, with 70+ issues like bug risks, anti-patterns, security vulnerabilities, and performance optimizations detected.
Using the Docker analyzer
To start analyzing your Dockerfiles, just enable the `docker` analyzer in your `.deepsource.toml` file, and you are good to go.
By default, DeepSource analyzes the `Dockerfile` present in your repository's root. If your Dockerfile has a different name, or you have several of them, you can specify the paths explicitly in the analyzer's `meta` section. You can also optionally define the trusted registries if you're pulling images from a third-party image registry.
```toml
version = 1

[[analyzers]]
name = "docker"
enabled = true

  [analyzers.meta]
  dockerfile_paths = [  # optional
    "dockerfile_dev",
    "dockerfile_prod"
  ]
  trusted_registries = [  # optional
    "my-registry.com",
    "docker.io"
  ]
```
Look at the docs for more details.
Issues detected by the Docker analyzer
At the time of writing, the analyzer detects 70+ issues in your `Dockerfile`, in categories such as bug risks, anti-patterns, security vulnerabilities, and performance optimizations. Here are some of them to give you an idea:
- Last user should not be `root`
- Use only an allowed registry in the `FROM` image
- `COPY --from` should reference a previously defined `FROM` alias
- Use `COPY` instead of `ADD` for files and folders
- Use `ADD` for extracting archives into an image
- Delete the `apt-get` lists after installing something
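As an added illustration (not from DeepSource or its docs), here are two constructed Dockerfiles shown in one block: the first trips each of the findings listed above, the second addresses them. The registry host, paths, tarball name and the `builder` stage name are placeholders.

```dockerfile
# File 1 (constructed): Dockerfile.before - trips each finding listed above
# Base image pulled from a host that is not in trusted_registries
FROM mirror.example.internal/debian:bookworm-slim
# apt lists are left behind in the image layer
RUN apt-get update && apt-get install -y curl
# ADD used where COPY is the right instruction for plain files and folders
ADD ./config /app/config
# Archive copied in and extracted by hand instead of letting ADD do it
COPY vendor.tar.gz /tmp/vendor.tar.gz
RUN tar -xzf /tmp/vendor.tar.gz -C /opt && rm /tmp/vendor.tar.gz
# References a build stage that was never defined with "AS builder"
COPY --from=builder /build/app.bin /app/app.bin
# No USER instruction, so the process runs as root
CMD ["/app/app.bin"]

# File 2 (constructed): Dockerfile.after - same build with each finding addressed
# Registry is listed in trusted_registries; the stage is named for COPY --from
FROM docker.io/library/golang:1.22 AS builder
WORKDIR /build
COPY go.mod go.sum ./
COPY ./src ./src
RUN go build -o app.bin ./src

FROM docker.io/library/debian:bookworm-slim
# Install and delete the apt lists in the same layer so they never persist
RUN apt-get update \
 && apt-get install -y --no-install-recommends curl ca-certificates \
 && rm -rf /var/lib/apt/lists/*
# COPY for plain files and folders
COPY ./config /app/config
# ADD only where its automatic archive extraction is wanted
ADD vendor.tar.gz /opt/
# --from now points at the stage named above
COPY --from=builder /build/app.bin /app/app.bin
# Final USER is an unprivileged account, so the container does not run as root
RUN useradd --system --uid 10001 --no-create-home app
USER app
CMD ["/app/app.bin"]
```

Comments sit on their own lines because Dockerfile does not support trailing comments after an instruction.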