Make your Dockerfile better with DeepSource

Use the Docker analyzer.

By Kaustav · Tags: Product, Analyzers, Docker
Last updated on Jun 18, 2020

DeepSource can analyze more than just the code you write in programming languages like Python, Go, or JavaScript. Software organizations today prefer to write tooling and infrastructure configuration as code.[1] We have been working on releasing, and improving, analyzers that scan the configuration files of such tools. Docker is one of those tools which, to put it simply, a lot of us use.[2]

DeepSource has supported analyzing Dockerfiles in repositories for a while now. So far, the Docker analyzer has detected over four thousand issues in Dockerfiles across 150+ repositories.[3]

If you are already using DeepSource, know that you can enable multiple analyzers for every repository, and Docker can be one of them. If you don't use DeepSource already, you can start here.

Enabling the Docker analyzer

If you already have DeepSource installed, you can add the Docker analyzer from the "Generate Configuration" page. If you prefer to do this manually, skip this part.

Specifying configuration manually

You can enable the Docker analyzer to run for your repository's analysis by adding this configuration to the .deepsource.toml file in your repository:

[[analyzers]]
name = "docker"
enabled = true

These three lines add a new entry to the analyzers array in the TOML configuration, with two properties: name and enabled. Here, name = "docker" tells DeepSource to use the Docker analyzer.

When you enable multiple analyzers, each of them gets its own [[analyzers]] block in the configuration file.

This works out of the box if you don't use custom file paths or file names for your Dockerfiles.

Specify custom file path

In case you keep your Dockerfiles in non-default locations, meaning anything other than Dockerfile at the root of your repository, you can specify their locations through additional configuration. To do this, add a dockerfile_paths array to the otherwise optional meta table in the same block.

Say you have multiple Dockerfiles, at ./env/Dockerfile_dev and ./env/Dockerfile_prod; you can list them as:

[[analyzers]]
name = "docker"
enabled = true

  [analyzers.meta]
  dockerfile_paths = [
    "./env/Dockerfile_dev",
    "./env/Dockerfile_prod"
  ]

Commit updated configuration file

You will need to commit the updated configuration file to your repository for DeepSource to pick up the changes. After that, DeepSource will keep watching for issues in your Docker configuration.
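The custom-path step above is the one that is easy to get wrong: a Dockerfile sitting in a subdirectory is silently skipped unless it is listed in dockerfile_paths. The following script, an added example that is not DeepSource's own tooling, walks a checkout, finds Dockerfiles, and prints the [[analyzers]] block to paste into .deepsource.toml before you commit it. It emits the meta table only when Dockerfiles exist somewhere other than the default root location. Two things are assumptions rather than facts from the post: the naming rule for what counts as a Dockerfile (Dockerfile, Dockerfile_x, Dockerfile.x, x.Dockerfile; the post itself only shows the first two forms), and that "./Dockerfile" at the repository root is the only path the analyzer finds on its own.

```python
"""Generate the Docker analyzer block for .deepsource.toml.

Added example, not DeepSource's own tooling. Assumptions (not stated on
the page):
- a Dockerfile is any file named "Dockerfile", "Dockerfile_<x>",
  "Dockerfile.<x>" or "<x>.Dockerfile";
- only "./Dockerfile" at the repo root is found by default, so the
  [analyzers.meta] table is emitted only when other locations exist.
"""
import os
import sys
from typing import Iterable, List

DEFAULT_DOCKERFILE = "./Dockerfile"


def is_dockerfile(path: str) -> bool:
    """Return True if the basename matches the assumed Dockerfile naming rule."""
    name = os.path.basename(path)
    return (
        name == "Dockerfile"
        or name.startswith(("Dockerfile_", "Dockerfile."))
        or name.endswith(".Dockerfile")
    )


def normalize(path: str) -> str:
    """Render a repo-relative path in the "./dir/file" form the post uses."""
    rel = path.replace(os.sep, "/")
    if rel.startswith("./"):
        rel = rel[2:]
    return "./" + rel


def select_dockerfile_paths(repo_files: Iterable[str]) -> List[str]:
    """Pick Dockerfiles that live outside the default root location.

    Takes any listing of repo-relative file paths; returns a sorted list so
    the generated config produces a stable diff on each run.
    """
    found = {normalize(p) for p in repo_files if is_dockerfile(p)}
    found.discard(DEFAULT_DOCKERFILE)
    return sorted(found)


def toml_string(value: str) -> str:
    """Quote a value as a basic TOML string, escaping backslashes and quotes."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def render_config(custom_paths: List[str]) -> str:
    """Render the [[analyzers]] block; add the meta table only if needed."""
    lines = ["[[analyzers]]", 'name = "docker"', "enabled = true"]
    if custom_paths:
        lines.append("")
        lines.append("  [analyzers.meta]")
        lines.append("  dockerfile_paths = [")
        for i, p in enumerate(custom_paths):
            sep = "," if i < len(custom_paths) - 1 else ""
            lines.append("    " + toml_string(p) + sep)
        lines.append("  ]")
    return "\n".join(lines) + "\n"


def find_repo_files(root: str) -> List[str]:
    """Walk a checkout and return repo-relative file paths, skipping .git."""
    out: List[str] = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for f in filenames:
            out.append(os.path.relpath(os.path.join(dirpath, f), root))
    return out


if __name__ == "__main__":
    # Usage: python gen_docker_analyzer.py [path-to-checkout]
    repo_root = sys.argv[1] if len(sys.argv) > 1 else "."
    sys.stdout.write(render_config(select_dockerfile_paths(find_repo_files(repo_root))))
```

Run it from the repository root and paste the output into .deepsource.toml alongside your other [[analyzers]] blocks. Because the list is sorted and the root Dockerfile is dropped, re-running the script after adding a new environment Dockerfile yields a minimal, reviewable diff to commit.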

Demo repository

I have created a demo repository to show the simplest possible Docker integration for DeepSource. You can take a look at the issues DeepSource found in the Dockerfile in that repo.

Docker demo repository analysis dashboard

What's next


Footnotes

  1. See HashiCorp's resource page on "Infrastructure as Code: What Is It? Why Is It Important?".
  2. This GitHub search for Dockerfile says it has 3.6M+ occurrences across 46K+ repositories. That's quite a lot.
  3. When we compared these numbers with the number of repositories that use either Python or Go analyzers, we found that a lot of these repositories have Dockerfiles in them, but they did not enable analysis for their Dockerfiles. Turns out we haven't communicated clearly that you can combine analyzers in your .deepsource.toml file.
