DeepSource has supported analyzing Dockerfiles in repositories for a while now. So far, the Docker analyzer has detected over four thousand issues in Dockerfiles across 150+ repositories.
If you are already using DeepSource, know that you can enable multiple analyzers for every repository, and Docker can be one of them. If you don't use DeepSource already, you can start here.
Enabling the Docker analyzer
If you already have DeepSource installed, you can add the Docker analyzer from the "Generate Configuration" page. If you prefer to do this manually, skip this part.
Specifying configuration manually
You can enable the Docker analyzer to run for your repository's analysis by adding this configuration to the .deepsource.toml file in your repository:
[[analyzers]]
name = "docker"
enabled = true
These three lines add a new entry to the analyzers array in the TOML configuration, with two properties: name and enabled. Here, name = "docker" tells DeepSource to use the Docker analyzer.
When you enable multiple analyzers, each one should get its own [[analyzers]] block in the configuration file.
This will work out of the box if you don't use custom file paths or file names for your Dockerfiles.
Specify custom file path
If your Dockerfiles are in non-default locations (anything other than Dockerfile at the root of your repository), you can specify the location of these files through additional configuration. To do this, add a dockerfile_paths array to the otherwise optional meta table in the same block.
Say you have multiple Dockerfiles at ./env/Dockerfile_dev and ./env/Dockerfile_prod; you can write them as:
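A complete .deepsource.toml for this layout, as an added example rather than DeepSource's own listing. It assumes paths are written relative to the repository root without the leading "./", and the python block is included only to show two analyzers side by side.

```toml
# Added example, not DeepSource's own listing.
version = 1

# A second analyzer, shown only to illustrate one [[analyzers]] block per analyzer.
[[analyzers]]
name = "python"
enabled = true

[[analyzers]]
name = "docker"
enabled = true

  # Optional meta table; it belongs to the docker block directly above it.
  [analyzers.meta]
  # Assumption: paths are relative to the repository root, without "./".
  dockerfile_paths = [
    "env/Dockerfile_dev",
    "env/Dockerfile_prod"
  ]
```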
This GitHub search for Dockerfile says it has 3.6M+ occurrences across 46K+ repositories. That's quite a lot.
When we compared these numbers with the number of repositories that use either Python or Go analyzers, we found that a lot of these repositories have Dockerfiles in them, but they did not enable analysis for their Dockerfiles. Turns out we haven't communicated clearly that you can combine analyzers in your .deepsource.toml file.