Support for Dockerfiles

There is a linter called Hadolint (https://hub.docker.com/r/hadolint/hadolint) that analyzes Dockerfiles.
Docker is widely used, so I think it would be nice if SonarQube could add support for checks similar to the ones Hadolint does.

Hi Alix,

Thanks for the suggestion. This is on our radar for this year. Since an analyzer exists already, perhaps you could craft it into a SonarQube plugin for the benefit of the whole community?

 
:smiley:
Ann

Hi,

At my company, we have started developing a hadolint plugin, and it works.
We have parsed the result of hadolint and created a new Language for Dockerfiles.
The only problem we have is that we haven’t found a way of telling SonarQube to consider Dockerfile as a suffix, so it’s not detected as a recognized language.
As a workaround for our tests, we renamed Dockerfile to Dockerfile.docker and put .docker as the suffix for the language. But it’s not ideal.

@ganncamp it seems that SonarQube is only able to handle files with an actual extension. Do you have a way of bypassing this limitation?

As soon as we have solved this problem, we’ll open-source the plugin!

Thanks,

Sylvain

1 Like

Hi Sylvain,

The COBOL analyzer does that, but it’s not open source, so you can’t just dig in and figure out how.

The docs say this about it:

Analyzing without file suffixes

Note that it is possible to analyze a COBOL project without file suffixes. To do this, remove the two suffix-related properties from your configuration and substitute the following setting for sonar.lang.patterns.cobol :

sonar.lang.patterns.cobol=**/*

So… maybe just try that? My alternate suggestion would be to start a new thread specifically for that question in the Plugin Development category.

 
Ann

Awesome, we successfully used this property!
Let us add some tests and documentation, and we’ll open-source it!

Thanks!

Sylvain

4 Likes

Is there any update on the plugin for scanning Dockerfiles with SonarQube?

It would be very useful.

Regards
Neelesh