BuildKit Rules
Docker BuildKit's official Dockerfile checks, reimplemented by tally with auto-fix support where available.
Style
| Rule | Description | Severity | Auto-fix |
|---|---|---|---|
| StageNameCasing | Stage names should be lowercase | Warning | Yes (--fix) |
| FromAsCasing | AS keyword in FROM should use consistent casing | Warning | Yes (--fix) |
| ConsistentInstructionCasing | Instructions should be in consistent casing | Warning | Yes (--fix) |
| LegacyKeyValueFormat | Legacy key/value format with whitespace separator should not be used | Warning | Yes (--fix) |
| ExposeProtoCasing | Protocol in EXPOSE should be lowercase | Warning | Yes (--fix) |
| InvalidDefinitionDescription | Comment-based description of an ARG/FROM should follow proper format | Info | Yes (--fix) |
Correctness
| Rule | Description | Severity | Auto-fix |
|---|---|---|---|
| NoEmptyContinuation | Empty continuation lines are deprecated | Error | Yes (--fix) |
| DuplicateStageName | Duplicate stage names are not allowed | Error | -- |
| ReservedStageName | Reserved words should not be used as stage names | Error | -- |
| UndefinedArgInFrom | Undefined ARG used in FROM | Warning | -- |
| UndefinedVar | Usage of undefined variable | Warning | -- |
| InvalidDefaultArgInFrom | Default value of ARG used in FROM is not valid | Error | -- |
| InvalidBaseImagePlatform | Base image platform does not match expected target platform | Off | -- |
| ExposeInvalidFormat | EXPOSE should not define IP address or host-port mapping | Warning | -- |
| CopyIgnoredFile | Attempting to COPY file that is excluded by .dockerignore | Warning | -- |
Best Practice
| Rule | Description | Severity | Auto-fix |
|---|---|---|---|
| JSONArgsRecommended | JSON arguments recommended for ENTRYPOINT/CMD | Info | Yes (--fix) |
| MaintainerDeprecated | MAINTAINER instruction is deprecated in favor of using label | Warning | Yes (--fix) |
| WorkdirRelativePath | Relative workdir can have unexpected results if the base image changes | Warning | -- |
| MultipleInstructionsDisallowed | Multiple CMD/ENTRYPOINT/HEALTHCHECK in same stage; only last is used | Warning | Yes (--fix) |
| RedundantTargetPlatform | Setting platform to $TARGETPLATFORM in FROM is redundant | Info | -- |
| FromPlatformFlagConstDisallowed | FROM --platform flag should not use a constant value | Off | -- |
Security
| Rule | Description | Severity | Auto-fix |
|---|---|---|---|
| SecretsUsedInArgOrEnv | Sensitive data should not be used in ARG or ENV | Warning | -- |
These rules are based on Docker's official build checks. tally reimplements them for offline use and adds auto-fix capabilities.