Static Analysis for Dockerfiles (deepsource.io)
49 points by bradleybuda on Dec 5, 2019 | 4 comments


Static analysis is great here — it’s definitely a constrained domain where it could shine w/o many of the issues that defined it a decade ago.

I bet you could take this a lot further by incorporating a runtime component as well. I mean it’s a container — it’s meant to be incrementally built up and destroyed.

By looking at the state of the container before and after a line you could do so much.

i.e. this innocent-looking apt-get install has the side effect of making X directory writable.
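
Added example, not part of the comment above or of the linked tool: a sketch of the before/after comparison the comment describes, reporting paths that become world-writable across one build step. The function names are hypothetical, and the temporary directory tree and the simulated install step are constructed stand-ins for a container root filesystem.

```python
import os
import stat
import tempfile

def snapshot(root):
    """Map each path under root (relative to root) to its permission bits."""
    modes = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)  # lstat: never follow symlinks out of the tree
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink modes are not meaningful on Linux
            modes[os.path.relpath(full, root)] = stat.S_IMODE(st.st_mode)
    return modes

def newly_world_writable(before, after):
    """Paths world-writable after the step that were not (or did not exist) before."""
    findings = []
    for path, mode in sorted(after.items()):
        was = before.get(path)
        already = was is not None and bool(was & stat.S_IWOTH)
        if mode & stat.S_IWOTH and not already:
            # The sticky bit (as on /tmp) restricts deletion to owners;
            # report it so a reviewer can triage the finding.
            findings.append((path, oct(mode), bool(mode & stat.S_ISVTX)))
    return findings

def demo():
    """Constructed stand-in for a root filesystem and one build step."""
    with tempfile.TemporaryDirectory() as root:
        app = os.path.join(root, "etc", "app")
        cache = os.path.join(root, "var", "cache")
        spool = os.path.join(root, "var", "spool")
        os.makedirs(app)
        os.makedirs(cache)
        os.chmod(app, 0o755)
        os.chmod(cache, 0o755)
        before = snapshot(root)
        # Simulated side effects of a package install step (constructed).
        os.chmod(cache, 0o777)
        os.makedirs(spool)
        os.chmod(spool, 0o1777)
        after = snapshot(root)
        return newly_world_writable(before, after)

if __name__ == "__main__":
    for path, mode, sticky in demo():
        print(f"{path}\t{mode}\tsticky={sticky}")
```
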


This is smart, would love if it got smart enough to analyze .dockerignore files, and (if you're analyzing our code with the rest of your tool anyway) you could find large files/directories that we COPY/ADD and don't need.


What I do is I start all my .dockerignores with "*" (i.e. ignore everything) and then selectively un-ignore the files and directories I need to copy.


How does this differ from https://github.com/hadolint/hadolint?



