Dockerfile analysis is available on SonarQube and SonarCloud

Hello,

We are happy to announce that you can now scan your Dockerfiles with SonarCloud or SonarQube Community Edition 9.9+ LTS.

Here is the list of the first set of rules provided:

  • S6472: Using ENV to handle secrets is security-sensitive
  • S6469: Permissions of sensitive mount points should be restrictive
  • S6473: Exposing administration services is security-sensitive
  • S6470: Recursively copying context directories is security-sensitive
  • S5332: Using clear-text protocols is security-sensitive
  • S6476: Instructions should be upper case
  • S6471: Running containers as a privileged user is security-sensitive

More rules are coming in a few weeks. Meanwhile, we would be very happy to get your feedback on these rules.

Enjoy!
Alex
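To make concrete what several of the rules listed above look for, here is a small Dockerfile checker. It is an added illustration, not code from the post and not SonarSource's implementation: the heuristics (the secret-name pattern, the set of administration ports, treating `.` as "the whole build context", and assuming the shell form of COPY/ADD) are simplified assumptions for demonstration only, and S6469 (mount-point permissions) is not covered. The two Dockerfiles are constructed samples, one showing the weak patterns and one a hardened equivalent.

```python
"""Simplified checks modelled on the Dockerfile rule list above.
Added example; heuristics are assumptions, not SonarSource's rule logic."""
import re
from typing import Iterator, List, Tuple

Finding = Tuple[int, str, str]  # (line number, rule id, message); 0 = whole file

# Assumption: environment variable names that usually carry credentials.
SECRET_NAME = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY)", re.I)
# Assumption: clear-text schemes worth flagging inside RUN commands.
CLEAR_TEXT_URL = re.compile(r"\b(http|ftp)://", re.I)
# Assumption: ports of remote-administration services (SSH, telnet, RDP, VNC).
ADMIN_PORTS = {22, 23, 3389, 5900}


def parse_instructions(text: str) -> Iterator[Tuple[int, str, str]]:
    """Yield (line number, keyword, arguments) per instruction, joining
    backslash continuations and skipping blank lines and comments."""
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        stripped = lines[i].strip()
        if not stripped or stripped.startswith("#"):
            i += 1
            continue
        start = i + 1
        buf = stripped
        while buf.endswith("\\") and i + 1 < len(lines):
            i += 1
            buf = buf[:-1] + " " + lines[i].strip()
        i += 1
        parts = buf.split(None, 1)
        yield start, parts[0], (parts[1] if len(parts) > 1 else "")


def check_dockerfile(text: str) -> List[Finding]:
    findings: List[Finding] = []
    last_user = "root"  # Docker runs as root when no USER instruction is given
    for lineno, keyword, args in parse_instructions(text):
        kw = keyword.upper()
        if keyword != kw:  # S6476
            findings.append((lineno, "S6476", f"instruction '{keyword}' should be upper case"))
        if kw == "ENV" and SECRET_NAME.search(args):  # S6472
            findings.append((lineno, "S6472", "ENV appears to carry a secret; it persists in image metadata"))
        if kw in ("COPY", "ADD") and "--from" not in args:  # S6470
            # Assumption: shell form only; a first source of '.' or '/' copies the whole context.
            sources = [a for a in args.split() if not a.startswith("--")]
            if sources and sources[0] in (".", "./", "/"):
                findings.append((lineno, "S6470", "copies the entire build context; use an explicit path or .dockerignore"))
        if kw == "RUN" and CLEAR_TEXT_URL.search(args):  # S5332
            findings.append((lineno, "S5332", "clear-text protocol used during build; prefer https"))
        if kw == "EXPOSE":  # S6473
            for token in args.split():
                port = token.split("/")[0]
                if port.isdigit() and int(port) in ADMIN_PORTS:
                    findings.append((lineno, "S6473", f"port {port} exposes an administration service"))
        if kw == "USER":
            last_user = args.split(":")[0].strip()
    if last_user in ("root", "0"):  # S6471
        findings.append((0, "S6471", "container runs as root; add a non-root USER before the end"))
    return findings


# Constructed sample showing the weak patterns.
WEAK_DOCKERFILE = """\
FROM alpine:3.18
ENV DB_PASSWORD=hunter2
run apk add --no-cache curl && \\
    curl http://example.internal/setup.sh | sh
COPY . /app
EXPOSE 22 8080
"""

# Constructed hardened equivalent: no secret in ENV, https-free build step,
# explicit copy path, dedicated non-root user, only the application port exposed.
HARDENED_DOCKERFILE = """\
FROM alpine:3.18
RUN apk add --no-cache curl
COPY app/ /app/
RUN addgroup -S app && adduser -S -G app app
USER app
EXPOSE 8080
"""

if __name__ == "__main__":
    for name, content in (("weak", WEAK_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        print(f"== {name} ==")
        for lineno, rule, message in check_dockerfile(content):
            print(f"line {lineno or '-'}: {rule}: {message}")
```

Running it reports six findings for the weak file (the secret in ENV, the lower-case `run`, the `http://` fetch, the context-wide `COPY`, the exposed port 22, and the missing non-root USER) and none for the hardened one. A real scanner such as SonarQube applies considerably more precise logic; this checker is only meant to show what each rule category targets.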
