[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-1189":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":10,"language":11,"languages":10,"totalLinesOfCode":10,"stars":12,"forks":13,"watchers":14,"openIssues":15,"contributorsCount":16,"subscribersCount":16,"size":16,"stars1d":16,"stars7d":16,"stars30d":17,"stars90d":16,"forks30d":16,"starsTrendScore":16,"compositeScore":18,"rankGlobal":10,"rankLanguage":10,"license":19,"archived":20,"fork":20,"defaultBranch":21,"hasWiki":22,"hasPages":22,"topics":23,"createdAt":10,"pushedAt":10,"updatedAt":24,"readmeContent":25,"aiSummary":26,"trendingCount":16,"starSnapshotCount":16,"syncStatus":27,"lastSyncTime":28,"discoverSource":29},1189,"dockerfile-roast","immanuwell\u002Fdockerfile-roast","immanuwell","droast - a dockerfile linter that actually has opinions 🔥","https:\u002F\u002Fewry.net\u002Fdroast-dockerfile-linter\u002F",null,"Rust",317,8,1,6,0,7,2.86,"MIT License",false,"main",true,[],"2026-06-12 02:00:24","![](media\u002Fdockerfile-image.png)\n\n![](media\u002Fscreenshot-1.png)\n\n![](media\u002Fscreenshot-2.png)\n\n![](media\u002Fscreenshot-3.png)\n\n# droast\n\na dockerfile linter that actually has opinions. it catches bad practices and tells you about them in the least diplomatic way possible.\n\nthink of it as code review from a senior dev who's seen too many prod incidents and has stopped being polite about it.\n\n## vs code extension\n\ninstall from the marketplace and get inline squiggles as you type:\n\n![VS Code](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FVSCode-007ACC?logo=visualstudiocode&logoColor=white&style=flat)\n\n**[droast — Dockerfile Linter](https:\u002F\u002Fmarketplace.visualstudio.com\u002Fitems?itemName=ImmanuelTikhonov.droast)**\n\n```bash\ncode --install-extension ImmanuelTikhonov.droast\n```\n\nthe binary is bundled — no separate install needed. 
findings appear in real time with roast messages on hover.\n\n## install\n\n**one-liner** (macOS and Linux, detects Homebrew automatically):\n\n```bash\ncurl -fsL ewry.net\u002Fdroast\u002Finstall.sh | sh\n```\n\n**Homebrew** (macOS and Linux):\n\n```bash\nbrew tap immanuwell\u002Fdroast https:\u002F\u002Fgithub.com\u002Fimmanuwell\u002Fhomebrew-droast.git\nbrew install immanuwell\u002Fdroast\u002Fdroast\n```\n\n**from source:**\n\n```bash\ncargo install dockerfile-roast\n```\n\nor grab a prebuilt binary from the releases page if you'd rather not wait for the rust compiler to do its thing.\n\n## usage\n\n```bash\n# the basics\ndroast Dockerfile\n\n# lint an entire project\ndroast **\u002FDockerfile\n\n# boring mode (no roasts, just facts)\ndroast --no-roast Dockerfile\n\n# only care about real problems\ndroast --min-severity warning Dockerfile\n\n# disagree with a rule? valid, we respect it\ndroast --skip DF001,DF012 Dockerfile\n\n# ci-friendly output\ndroast --format github Dockerfile    # github actions annotations\ndroast --format json Dockerfile      # machine-readable\ndroast --format compact Dockerfile   # one line per finding\ndroast --format sarif Dockerfile     # SARIF 2.1.0 for GitHub Advanced Security \u002F IDEs\n```\n\n## configuration\n\ndroast works out of the box with zero configuration. for teams that want to commit project-level defaults, drop a `droast.toml` in the repo root:\n\n```toml\n# droast.toml — all fields optional\nskip        = [\"DF012\", \"DF022\"]  # rules to suppress project-wide\nmin-severity = \"warning\"          # hide info-level findings\nno-roast    = false               # true = technical output only\nno-fail     = false               # true = never block CI\nformat      = \"terminal\"          # terminal | json | github | compact\n```\n\ndroast searches for `droast.toml` starting from the current directory, walking up to the nearest `.git` root. 
CLI flags always take precedence over the file — the file just sets the defaults so you don't repeat yourself.\n\n`skip` is the most useful field for CI pipelines: add rules your team has consciously accepted (e.g. you ship without HEALTHCHECK by design) so developers don't drown in noise they can't act on.\n\n## github action\n\nadd droast to any repo in 5 lines:\n\n```yaml\n- uses: immanuwell\u002Fdockerfile-roast@1.3.0\n```\n\nfull example (`.github\u002Fworkflows\u002Flint.yml`):\n\n```yaml\nname: Lint Dockerfiles\n\non: [push, pull_request]\n\njobs:\n  droast:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions\u002Fcheckout@v4\n      - uses: immanuwell\u002Fdockerfile-roast@1.3.0\n```\n\nfindings show up as inline annotations on the PR diff. no configuration required.\n\navailable inputs (all optional):\n\n| input | default | description |\n|-------|---------|-------------|\n| `files` | `Dockerfile` | file(s) or glob to lint |\n| `min-severity` | `info` | `info`, `warning`, or `error` |\n| `skip` | — | comma-separated rule IDs to ignore |\n| `no-roast` | `false` | technical output only, no jokes |\n| `no-fail` | `false` | advisory mode — never blocks the build |\n| `image-tag` | `latest` | pin to a specific droast release, e.g. 
`1.3.0` |\n\nexample with options:\n\n```yaml\n- uses: immanuwell\u002Fdockerfile-roast@1.3.0\n  with:\n    files: '**\u002FDockerfile'\n    min-severity: warning\n    skip: DF012,DF022\n    no-fail: true        # report findings but don't block the PR\n```\n\n## docker\n\npull from ghcr and use immediately, no install needed:\n\n```bash\n# lint a Dockerfile in the current directory\ndocker run --rm -v \"$(pwd)\u002FDockerfile\":\u002FDockerfile ghcr.io\u002Fimmanuwell\u002Fdroast \u002FDockerfile\n\n# lint any file, anywhere\ndocker run --rm -v \u002Fpath\u002Fto\u002Fyour\u002FDockerfile:\u002FDockerfile ghcr.io\u002Fimmanuwell\u002Fdroast \u002FDockerfile\n\n# pass flags as usual\ndocker run --rm -v \"$(pwd)\u002FDockerfile\":\u002FDockerfile ghcr.io\u002Fimmanuwell\u002Fdroast \\\n    --no-roast --min-severity warning \u002FDockerfile\n```\n\nor build locally from source:\n\n```bash\ndocker build -t droast .\ndocker run --rm -v \"$(pwd)\u002FDockerfile\":\u002FDockerfile droast \u002FDockerfile\n```\n\nthe image is published automatically to `ghcr.io\u002Fimmanuwell\u002Fdroast` on every release tag.\n\n## shell completions\n\nadd this once, never mistype `--min-severity` again:\n\n```bash\n# bash — add to .bashrc\nsource \u003C(droast completion bash)\n\n# zsh — add to .zshrc\ndroast completion zsh > ~\u002F.zfunc\u002F_droast\n\n# fish — add to config.fish\ndroast completion fish | source\n```\n\n## what it catches\n\n63 rules, ngl thats a lot. 
run `droast --list-rules` for the full breakdown.\n\n\u003C!-- BEGIN RULES -->\n\u003Cdetails>\n\u003Csummary>all 63 rules\u003C\u002Fsummary>\n\n```\n  Available Rules\n\n  ID       DESCRIPTION\n  ──────────────────────────────────────────────────────────────────────\n  DF001    Use specific base image tags instead of 'latest'\n  DF002    Do not run as root\n  DF011    Use multi-stage builds to reduce image size\n  DF013    Avoid storing secrets in ENV variables\n  DF014    Avoid hardcoding passwords or tokens in ARG\u002FENV\n  DF020    Set explicit non-root USER\n  DF003    Combine RUN commands to reduce layers\n  DF004    Clean apt\u002Fyum\u002Fapk cache in the same RUN layer\n  DF005    Pin package versions for reproducibility\n  DF006    Avoid ADD for local files; prefer COPY\n  DF007    Do not copy the entire build context (COPY . .)\n  DF008    Use WORKDIR instead of inline cd commands\n  DF009    Use absolute paths in WORKDIR\n  DF010    Avoid using sudo inside containers\n  DF012    Set HEALTHCHECK for long-running services\n  DF017    Use ENTRYPOINT with CMD for flexible images\n  DF018    Avoid using shell form for ENTRYPOINT\n  DF019    Do not use deprecated MAINTAINER; use LABEL instead\n  DF022    Specify EXPOSE for documented ports\n  DF023    Avoid multiple FROM without aliases (unintended multistage)\n  DF024    Avoid using :latest in FROM even with aliases\n  DF025    Use JSON array syntax for CMD\u002FENTRYPOINT\n  DF026    Avoid recursive COPY from root\n  DF030    Avoid using pip without --no-cache-dir\n  DF031    Avoid npm install without ci\u002F--production for prod images\n  DF032    Set PYTHONDONTWRITEBYTECODE and PYTHONUNBUFFERED for Python images\n  DF033    Use .dockerignore to exclude unnecessary files\n  DF034    Avoid chmod 777 — overly permissive\n  DF035    Avoid using curl without --fail flags\n  DF036    Avoid Dockerfile with no CMD or ENTRYPOINT\n  DF015    Avoid using apt-get without -y flag\n  DF016    Use 
--no-install-recommends with apt-get\n  DF021    Avoid wget|sh pipe patterns (execute remote code)\n  DF027    Do not use yum without -y flag\n  DF028    Cache-bust apt-get update\n  DF029    Avoid apk add without --no-cache\n  DF037    Dockerfile must begin with FROM, ARG, or a comment\n  DF038    Multiple CMD instructions — only the last one takes effect\n  DF039    Multiple ENTRYPOINT instructions — only the last one takes effect\n  DF040    EXPOSE port must be in valid range 0-65535\n  DF041    Multiple HEALTHCHECK instructions — only the last one applies\n  DF042    FROM stage aliases must be unique\n  DF043    zypper install without non-interactive flag\n  DF044    Avoid zypper dist-upgrade in Dockerfiles\n  DF045    Run zypper clean after zypper install\n  DF046    Run dnf clean all after dnf install\n  DF047    Run yum clean all after yum install\n  DF048    COPY with multiple sources requires destination to end with \u002F\n  DF049    COPY --from must reference a previously defined stage\n  DF050    COPY --from cannot reference the current stage\n  DF051    Pin versions in pip install\n  DF052    Pin versions in apk add\n  DF053    Pin versions in gem install\n  DF054    Pin versions in go install with @version\n  DF055    Run yarn cache clean after yarn install\n  DF056    Use wget --progress=dot:giga to avoid bloated build logs\n  DF057    Set -o pipefail before RUN commands that use pipes\n  DF058    Use either wget or curl consistently, not both\n  DF059    Use apt-get or apt-cache instead of apt in scripts\n  DF060    Avoid running pointless interactive commands inside containers\n  DF061    Do not use --platform in FROM unless required\n  DF062    ENV variable must not reference itself in the same statement\n  DF063    COPY to relative destination requires WORKDIR to be set first\n  DF064    useradd without -l flag may create excessively large images\n\n  Use --skip DF001,DF002 to suppress specific rules.\n  Use --min-severity warning to hide INFO 
findings.\n```\n\n\u003C\u002Fdetails>\n\u003C!-- END RULES -->\n\nthe greatest hits:\n\n| rule | crime |\n|------|-------|\n| DF001 | `FROM ubuntu:latest` — pick an actual tag |\n| DF002 | running explicitly as root |\n| DF004 | apt cache left in the image (you made a trash can) |\n| DF011 | shipping the entire build toolchain to prod |\n| DF013 | secrets in ENV vars (in your layers. forever. congrats) |\n| DF021 | `curl \\| sh` — no. |\n| DF028 | split `apt-get update` + install in separate RUN layers |\n| DF034 | `chmod 777` somewhere in there |\n| DF037 | instruction before FROM (invalid Dockerfile) |\n| DF039 | multiple ENTRYPOINT instructions |\n| DF046 | dnf install without cache cleanup |\n| DF051 | pip install without version pins |\n| DF057 | pipe in RUN without `set -o pipefail` |\n| DF059 | `apt` used instead of `apt-get` in scripts |\n| DF063 | COPY to relative path with no WORKDIR set |\n\nrule categories: base images · security · package managers · layer hygiene · instruction quality · service quality · python\u002Fnode specifics\n\n## exit codes\n\n`0` = clean (or `--no-fail`), `1` = errors found.\n\n`--no-fail` is useful for advisory CI runs where you want the output but don't want to block the build yet.\n\n## license\n\nMIT. do whatever.\n","droast is an opinionated Dockerfile linter that identifies bad practices and points out the problems bluntly. It is written in Rust and offers an experience similar to a strict code review from a senior developer. The tool can be installed as a VS Code extension that shows inline errors and suggestions in real time; it also offers several other installation methods, including Homebrew and building from source. It suits scenarios where Dockerfile quality needs to improve and the risk of production incidents needs to be reduced, and is especially useful for teams that want to check Dockerfile quality automatically in their continuous integration pipeline. In addition, droast supports customizing rules and output format through a configuration file, which adds flexibility and practicality.",2,"2026-06-11 02:42:12","CREATED_QUERY"]