docker:S6596 false positive "FROM scratch"

dornimaug · April 11, 2024, 1:38pm

SonarQube Community Edition Version 10.3 (build 82913)

When a Dockerfile is analyzed, which contains the following FROM instruction:

FROM scratch

SonarQube says, this is a maintainability issue (rule docker:S6596, “Use a specific version tag for the image.”). But this is perfectly legitimate, because “scratch” is a special image, that is not really an image, but a “no-op”. It also does not have any tags.

See:

https://hub.docker.com/_/scratch

Nils_Werner · April 11, 2024, 2:21pm

Hi @dornimaug,

welcome to the community. Thank you for reporting the false positive. This ticket should solve the problem. We will include it in one of the next iterations of the analyzer.

Best,
Nils