
Static Analysis for Dockerfiles - bradleybuda
https://deepsource.io/blog/release-dockerfile-static-analysis/
======
addcn
Static analysis is great here — it’s definitely a constrained domain where it
could shine w/o many of the issues that defined it a decade ago.

I bet you could take this a lot further by incorporating a runtime component
as well. I mean it’s a container — it’s meant to be incrementally built up and
destroyed.

By looking at the state of the container before and after a line you could do
so much.

i.e. This innocent looking apt-get install has the side effect of making X
directory writable.

------
simbakhadder
This is smart; I would love it if it got smart enough to analyze .dockerignore
files, and (if you're analyzing our code with the rest of your tool anyway)
you could find large files/directories that we COPY/ADD and don't need.

~~~
1f60c
What I do is start all my .dockerignores with "*" (i.e. ignore everything)
and then selectively un-ignore the files and directories I need to copy.
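As an added example (not code from this thread, from DeepSource, or from Docker), here is a small Python evaluator for the allow-list style .dockerignore described above. It is a simplified reimplementation of Docker's documented matching rules (an assumption, not Docker's own matcher): `*` matches within one path component, `**` matches any number of components, `!` negates, the last matching pattern wins, and a path is excluded when a pattern matches it or one of its parent directories. The .dockerignore text and the file tree are constructed samples, so it runs offline and shows which files would actually reach the build context.

```python
"""Simplified .dockerignore evaluator (added example; not Docker's own matcher)."""
import re
from typing import List, Tuple

Rule = Tuple[bool, "re.Pattern[str]"]  # (negated, compiled pattern)


def _component_regex(part: str) -> str:
    """Translate one path component: '*' and '?' never cross a '/'."""
    out = ""
    for ch in part:
        if ch == "*":
            out += "[^/]*"
        elif ch == "?":
            out += "[^/]"
        else:
            out += re.escape(ch)
    return out


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Compile a .dockerignore pattern; '**' spans zero or more directories."""
    parts = [p for p in pattern.strip("/").split("/") if p]
    regex = ""
    for i, part in enumerate(parts):
        last = i == len(parts) - 1
        if part == "**":
            regex += ".*" if last else "(?:.*/)?"
        else:
            regex += _component_regex(part) + ("" if last else "/")
    return re.compile("^" + regex + "$")


def load_rules(text: str) -> List[Rule]:
    """Parse .dockerignore text, skipping blanks and '#' comments, keeping order."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        negated = line.startswith("!")
        rules.append((negated, pattern_to_regex(line[1:] if negated else line)))
    return rules


def _path_and_parents(path: str) -> List[str]:
    """'src/util/x.py' -> ['src/util/x.py', 'src/util', 'src']."""
    parts = path.strip("/").split("/")
    return ["/".join(parts[:i]) for i in range(len(parts), 0, -1)]


def is_excluded(path: str, rules: List[Rule]) -> bool:
    """Last matching rule wins; a rule hitting a parent directory also applies."""
    excluded = False
    candidates = _path_and_parents(path)
    for negated, regex in rules:
        if any(regex.match(c) for c in candidates):
            excluded = not negated
    return excluded


def build_context(paths: List[str], rules: List[Rule]) -> List[str]:
    """Return the files that would be sent to the daemon, in input order."""
    return [p for p in paths if not is_excluded(p, rules)]


# Constructed sample: allow-list style, as in the comment above.
SAMPLE_DOCKERIGNORE = """
# ignore everything, then re-include only what the image needs
*
!src
!requirements.txt
!Dockerfile
# never ship caches that live under the re-included tree
src/__pycache__
**/*.pyc
"""

# Constructed sample file tree (relative to the build context root).
SAMPLE_TREE = [
    "Dockerfile",
    "requirements.txt",
    "src/app.py",
    "src/util/helpers.py",
    "src/__pycache__/app.cpython-311.pyc",
    ".git/config",
    ".env",
    "secrets/prod.key",
    "tests/test_app.py",
    "node_modules/left-pad/index.js",
]

RULES = load_rules(SAMPLE_DOCKERIGNORE)

if __name__ == "__main__":
    for p in SAMPLE_TREE:
        print(("excluded " if is_excluded(p, RULES) else "sent     ") + p)
```

The point the evaluator makes visible is that `.env`, `.git/` and `secrets/` never need an explicit exclusion: with `*` first, anything not deliberately re-included stays out of the context, and a later narrow exclusion (`**/*.pyc`) still wins inside a re-included directory because the last matching rule decides.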

------
dbaupp
How does this differ to
[https://github.com/hadolint/hadolint](https://github.com/hadolint/hadolint) ?

