All Posts
Product
Releases
Docker

Release: Static analysis for Dockerfile

Sanket
November 20, 2019

Release: Static analysis for Dockerfile

If you are shipping code to production today, there are very high chances that you've been using Docker to containerize your application so it runs reliably in all environments — local, staging, production, and anything in the middle. With Dockerfiles becoming a regular feature in most projects, it is important to ensure that you're shipping good Dockerfiles as well.

DeepSource now supports continuous static analysis for Dockerfiles, with 70+ issues like bug risks, anti-patterns, security vulnerabilities, and performance optimizations detected.

Using the Docker analyzer

To start analyzing your Dockerfiles, just enable the docker analyzer in your .deepsource.toml file, and you are good to go.

By default, DeepSource analyzes the Dockerfile present in your repository's root. If you have a different name for your Dockerfile, or have many of them, you can specify the paths explicitly in the meta. You can also optionally define the trusted registries if you're pulling images from a 3rd-party image registry.

Sample configuration


version = 1

[[analyzers]]
name = "docker"
enabled = true

  [analyzers.meta]
  dockerfile_paths = [  # optional
    "dockerfile_dev",
    "dockerfile_prod"
  ]

  trusted_registries = [  # optional
    "my-registry.com",
    "docker.io"
  ]

Look at the docs for more details.

Issues detected by the Docker analyzer

At the time of writing this, the analyzer detects 70+ issues in your Dockerfile, of categories like bug risks, anti-patterns, security vulnerabilities, and performance optimizations. Here's some of them to give you an idea:

Security issues:

  • Last user should not be root
  • Use only an allowed registry in the FROM image

Bug risks:

  • COPY --from should reference a previously defined FROM alias
  • Multiple ENTRYPOINT instructions detected
  • Multiple CMD instructions detected

Performance issues:

  • Use COPY instead of ADD for files and folders
  • Use ADD for extracting archives into an image
  • Delete the apt-get lists after installing something

We're super excited about this release, and we hope this will help you avoid many gotchas and security issues with your Docker containers. Head over to the docs or tell us what you think!

More from DeepSource

From Zero To Secure
From Zero To Secure
A guide to risk-free SAST implementation for AppSec teams.
Code Security
SAST
Introducing, DeepSource Runner
Introducing, DeepSource Runner
Run DeepSource with SaaS convenience and on-premise security
Announcements
Platform Engineering

Get started with DeepSource

DeepSource is free forever for small teams and open-source projects. Start analyzing your code in less than 2 minutes.

CHOOSE AN ACCOUNT
GitHub
GitLab
Bitbucket

Newsletter

Read product updates, company announcements, how we build DeepSource, what we think about good code, and more.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
platform
resources
company
support
PLATFORM
Platform Overview Pricing
Static Analysis
SAST
Autofix™️
IaC Analysis
Reports
Code Coverage
Self-hosting
IDE
RoadmapChangelog
resources
BlogGlossaryGood Code PodcastGood First IssueSpotlight
State of Code Health
State of Go
OWASP® Top 10 Whitepaper
company
AboutSecurityTrust Reports
Jobs
Press EnquiriesBrand AssetsTermsPrivacy
support
DocumentationSystem StatusContact SalesCommunity Forum
© 2023 DeepSource Corp. All rights reserved.