[FIRST RELEASE] Sonar Hadolint Plugin 1.0.0

Hi everyone,

We would like to submit a new plugin for SonarQube, hoping it would be useful.
Hadolint is a tool used to analyze Dockerfiles, so the plugin basically parses Hadolint reports, creates a Dockerfile language with metrics & highlightings, and a dedicated Quality Profile.
Here is the required content :

As this is the very first release of this plugin, it should be added to the Plugin Library page, if everything is ok, of course.

Thanks a lot for your feedback on this !


Hi Alexis,

Initial testing is required on our side. So you know, it’ll probably be a few days before I can get to this.


Hi Ann,

Sure, take your time ! :slightly_smiling_face:


I haven’t forgotten you.

Aaand can you point me to a sample project to analyze?


Hi !
Thanks for not forgetting me ! :laughing:

You can use the Sonar Hadolint Plugin projet to test it, as it contains a sample Dockerfile for unit tests purposes.
Just run Hadolint on this file “src/test/resources/project/Dockerfile”, and add the documented options during scanner analysis (here : https://github.com/cnescatlab/sonar-hadolint-plugin#plugins-properties), and you should have some data to test it.

Otherwise, you could use another of our projects, with a Dockerfile in the root directory, here : https://github.com/cnescatlab/docker-cat
This one will trigger quality issues for sure.

Just let me know if you need some help !


Hi Alexis,

Thanks for your patience!

You will have already gotten a review of your PR from GitHub. It looks fairly clean; only a couple things to deal with.

So you know, I’ve checked

  • the bureaucratic requirements - mostly fine. See below
  • your PR - pending requested changes
  • And now I’m on to the plugin itself. Generally this looks pretty good:

Must do

  • Your docs say

    For identified Dockerfiles in your projects, the plugin calculates two metrics : number of comments, and number of lines of code.

    Did you also provide NCLOC_DATA, as described in the requirements?

Nice to have

  • Your docs make it sound like you’ll eventually fire off the Hadolint checker directly. That will be nice. It’s not a stumbling block for Marketplace inclusion, but I know your users will appreciate it

  • Your docs say:

    sonar.lang.patterns.dockerfile :

    • Comma separated list of patterns matching Dockerfiles inside your project.
    • This property MUST be defined if you want the plugin to work.

    It’s not clear to me why you don’t set a sane default (ehm… “Dockerfile”?) for this … the way you did for the report path. :wink:

  • It’s also not clear to me why the property is not configurable via the UI


Hi Ann !

Thanks for your review !

Regarding the PR, I agree with you and will update it accordingly.

Regarding the plugin now :

  • The NCLOC_DATA metric is indeed provided. If you want to be sure, I copy below an extract of our “src/main/java/fr/cnes/sonar/plugins/hadolint/metrics/DockerfileMetrics.java” file, which contains this line :
    linesOfCode.forEach(line -> fileLinesContext.setIntValue(CoreMetrics.NCLOC_DATA_KEY, line, 1));

  • We decided to not implement the call to the hadolint checker in the first version, but it might be a good idea for the next one. Not sure if we have enough time right now to do it, so if you think this could wait, we will schedule this for later.

  • Maybe it’s not clear for you because we just obviously forgot to do it :laughing: I’ll do it quickly then.

  • Again, just a silly oversight :laughing: I’ll do it quickly too.

Now I have some questions for you !
We saw that some modifications should be made to the plugin before being published so… what is the best way to do it regarding our request ?
We will create a new version (1.1.0 ?), but then, should we modify the PR to publish 1.1.0 as the first and only marketplace release ? Or should we put the 1.0.0 as an archived version, and add the 1.1.0 as the last available version ?

Thank you again for the great feedback !


Hi Alexis,

Since you’ve already handled the only must-do (I figured it was there, I just needed to make sure) we can put this version in the Marketplace as-is if you like once the PR is updated.

In fact… I think I’d prefer to do that since I might feel compelled to re-test if you made pre-addition changes. :smile:

The other things can be handled in some future version.


Alright, we can start with this version if it can save you some useful time ! :smiley:
I will create issues to work on these topics later then…
The PR should be OK now.




I would recommend to remove the term ’ SonarQube’ from the plugin title, could not find it at first try.