Use only an allowed registry in the FROM image (DOK-DL3026)
Using the FROM instruction is a huge exercise in trust: you have to trust that a particular version of an image is safe for you to use, and that it will never be retagged maliciously. To prevent that, some companies copy trusted images into their own repositories and reference them directly.
For example, this would be an untrusted image:
FROM randomguy/fancy:10
But after an audit, the company decides the image is safe and copies it into their own repository:
FROM my-registry.com/fancy:10
To change the behaviour, either add the relevant configuration to .deepsource.toml or add a .hadolint.yaml to the root of the project.
Bad Practice
FROM randomguy/python:3.6
Recommended
FROM my-registry.com/python:3.6
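As an added example (not code from this page, DeepSource or hadolint), the following Python checker performs the kind of check DL3026 describes: it parses each FROM line, resolves the image's registry using Docker's naming convention (an unqualified name means Docker Hub), and reports images outside an allowlist. The ALLOWED_REGISTRIES set and SAMPLE_DOCKERFILE are constructed for this illustration; earlier build-stage aliases and the reserved scratch image are skipped because they pull nothing from a registry.

```python
import re

# Constructed allowlist for this example (not hadolint's or DeepSource's own
# configuration): only my-registry.com is trusted, so randomguy/python:3.6 is flagged.
ALLOWED_REGISTRIES = {"my-registry.com"}

# Matches: FROM [--platform=...] <image> [AS <alias>]
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<image>\S+)(?:\s+AS\s+(?P<alias>\S+))?",
    re.IGNORECASE,
)


def registry_of(image: str) -> str:
    """Registry host of an image reference, using Docker's convention: the
    first path component is a registry only if it contains '.' or ':' or is
    'localhost'; otherwise the image comes from docker.io (Docker Hub)."""
    first, sep, _ = image.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first.lower()  # includes any port, e.g. localhost:5000
    return "docker.io"


def check_dockerfile(text: str, allowed=ALLOWED_REGISTRIES) -> list:
    """One finding per FROM whose registry is outside `allowed`. FROM lines
    naming an earlier build stage or the reserved 'scratch' image are skipped."""
    findings, stages = [], set()
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = FROM_RE.match(line)
        if not m:
            continue
        image = m.group("image")
        if image.lower() in stages or image.lower() == "scratch":
            continue
        registry = registry_of(image)
        if registry not in allowed:
            findings.append(f"line {lineno}: DL3026 {image} pulls from '{registry}'")
        if m.group("alias"):
            stages.add(m.group("alias").lower())  # remember stage for later FROM <alias>
    return findings


# Constructed sample Dockerfile exercising the cases above.
SAMPLE_DOCKERFILE = """\
FROM randomguy/python:3.6 AS builder
FROM --platform=linux/amd64 my-registry.com/python:3.6
FROM builder
FROM scratch
FROM localhost:5000/tool:1
"""
```

Running check_dockerfile(SAMPLE_DOCKERFILE) reports lines 1 and 5 only; the second FROM is allowed, the third refers to the builder stage and the fourth is scratch.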