@infograb/docker-slim-advisor 0.1.0

package/build/multi-stage-detector.js

@@ -0,0 +1,29 @@
+/**
+ * Multi-stage build detection - counts FROM instructions to determine
+ * if a Dockerfile uses multi-stage builds. Multi-stage Dockerfiles
+ * (2+ FROM instructions) are flagged as "already optimized" since
+ * multi-stage is itself a key size optimization technique.
+ */
+/**
+ * Detect multi-stage builds by counting FROM instructions in the parsed AST.
+ * A Dockerfile with 2+ FROM instructions is considered multi-stage and
+ * "already optimized" for image size via build stages.
+ */
+export function detectMultiStage(instructions) {
+    const fromInstructions = instructions.filter((i) => i.type === 'FROM');
+    const stageCount = fromInstructions.length;
+    const isMultiStage = stageCount >= 2;
+    const stages = fromInstructions.map((f) => ({
+        image: f.image,
+        tag: f.tag,
+        alias: f.alias,
+        line: f.line,
+    }));
+    const message = isMultiStage
+        ? `Multi-stage build detected (${stageCount} stages) — already optimized for image size.`
+        : stageCount === 1
+            ? 'Single-stage build detected.'
+            : 'No FROM instruction found.';
+    return { isMultiStage, stageCount, stages, message };
+}
+//# sourceMappingURL=multi-stage-detector.js.map

package/build/multi-stage-detector.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"multi-stage-detector.js","sourceRoot":"","sources":["../src/multi-stage-detector.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAgBH;;;;GAIG;AACH,MAAM,UAAU,gBAAgB,CAAC,YAA2B;IAC1D,MAAM,gBAAgB,GAAG,YAAY,CAAC,MAAM,CAC1C,CAAC,CAAC,EAAwB,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,MAAM,CAC/C,CAAC;IAEF,MAAM,UAAU,GAAG,gBAAgB,CAAC,MAAM,CAAC;IAC3C,MAAM,YAAY,GAAG,UAAU,IAAI,CAAC,CAAC;IAErC,MAAM,MAAM,GAAG,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QAC1C,KAAK,EAAE,CAAC,CAAC,KAAK;QACd,GAAG,EAAE,CAAC,CAAC,GAAG;QACV,KAAK,EAAE,CAAC,CAAC,KAAK;QACd,IAAI,EAAE,CAAC,CAAC,IAAI;KACb,CAAC,CAAC,CAAC;IAEJ,MAAM,OAAO,GAAG,YAAY;QAC1B,CAAC,CAAC,+BAA+B,UAAU,8CAA8C;QACzF,CAAC,CAAC,UAAU,KAAK,CAAC;YAChB,CAAC,CAAC,8BAA8B;YAChC,CAAC,CAAC,4BAA4B,CAAC;IAEnC,OAAO,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC;AACvD,CAAC"}

package/build/output.d.ts

@@ -0,0 +1,46 @@
+/**
+ * Centralized output routing for stderr/stdout separation.
+ *
+ * Rules:
+ * - Structured output (analysis results) -> stdout only
+ * - Errors, warnings, diagnostics -> stderr only
+ * - Never mix: piping stdout to jq/file must produce clean parseable output
+ *
+ * This module wraps process.stdout/stderr so the rest of the codebase
+ * never calls console.log/console.error directly.
+ */
+/** Writable stream interface for testability (avoids coupling to process) */
+export interface OutputStreams {
+    stdout: {
+        write(data: string): boolean;
+    };
+    stderr: {
+        write(data: string): boolean;
+    };
+}
+/**
+ * Override output streams (for testing).
+ * Returns a restore function to reset to defaults.
+ */
+export declare function setStreams(streams: OutputStreams): () => void;
+/**
+ * Write structured analysis output to stdout.
+ * This is the ONLY function that should write to stdout.
+ * Used by formatters for terminal, JSON, and markdown output.
+ */
+export declare function writeOutput(data: string): void;
+/**
+ * Write an error message to stderr.
+ * Used for fatal errors that cause exit code 2.
+ */
+export declare function writeError(message: string): void;
+/**
+ * Write a warning/diagnostic to stderr.
+ * Used for non-fatal issues (e.g. skipped unparseable lines).
+ */
+export declare function writeWarning(message: string): void;
+/**
+ * Write a debug/diagnostic message to stderr.
+ * Used for verbose diagnostics when --verbose is enabled.
+ */
+export declare function writeDiagnostic(message: string): void;

package/build/output.js

@@ -0,0 +1,62 @@
+/**
+ * Centralized output routing for stderr/stdout separation.
+ *
+ * Rules:
+ * - Structured output (analysis results) -> stdout only
+ * - Errors, warnings, diagnostics -> stderr only
+ * - Never mix: piping stdout to jq/file must produce clean parseable output
+ *
+ * This module wraps process.stdout/stderr so the rest of the codebase
+ * never calls console.log/console.error directly.
+ */
+/** Default streams pointing to the real process */
+const defaultStreams = {
+    stdout: process.stdout,
+    stderr: process.stderr,
+};
+/** Active streams — overridable for testing */
+let activeStreams = defaultStreams;
+/**
+ * Override output streams (for testing).
+ * Returns a restore function to reset to defaults.
+ */
+export function setStreams(streams) {
+    activeStreams = streams;
+    return () => {
+        activeStreams = defaultStreams;
+    };
+}
+/**
+ * Write structured analysis output to stdout.
+ * This is the ONLY function that should write to stdout.
+ * Used by formatters for terminal, JSON, and markdown output.
+ */
+export function writeOutput(data) {
+    activeStreams.stdout.write(data);
+    // Ensure trailing newline for clean piping
+    if (!data.endsWith('\n')) {
+        activeStreams.stdout.write('\n');
+    }
+}
+/**
+ * Write an error message to stderr.
+ * Used for fatal errors that cause exit code 2.
+ */
+export function writeError(message) {
+    activeStreams.stderr.write(`error: ${message}\n`);
+}
+/**
+ * Write a warning/diagnostic to stderr.
+ * Used for non-fatal issues (e.g. skipped unparseable lines).
+ */
+export function writeWarning(message) {
+    activeStreams.stderr.write(`warning: ${message}\n`);
+}
+/**
+ * Write a debug/diagnostic message to stderr.
+ * Used for verbose diagnostics when --verbose is enabled.
+ */
+export function writeDiagnostic(message) {
+    activeStreams.stderr.write(`${message}\n`);
+}
+//# sourceMappingURL=output.js.map

package/build/output.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"output.js","sourceRoot":"","sources":["../src/output.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAQH,mDAAmD;AACnD,MAAM,cAAc,GAAkB;IACpC,MAAM,EAAE,OAAO,CAAC,MAAM;IACtB,MAAM,EAAE,OAAO,CAAC,MAAM;CACvB,CAAC;AAEF,+CAA+C;AAC/C,IAAI,aAAa,GAAkB,cAAc,CAAC;AAElD;;;GAGG;AACH,MAAM,UAAU,UAAU,CAAC,OAAsB;IAC/C,aAAa,GAAG,OAAO,CAAC;IACxB,OAAO,GAAG,EAAE;QACV,aAAa,GAAG,cAAc,CAAC;IACjC,CAAC,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,WAAW,CAAC,IAAY;IACtC,aAAa,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IACjC,2CAA2C;IAC3C,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QACzB,aAAa,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IACnC,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,UAAU,CAAC,OAAe;IACxC,aAAa,CAAC,MAAM,CAAC,KAAK,CAAC,UAAU,OAAO,IAAI,CAAC,CAAC;AACpD,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,YAAY,CAAC,OAAe;IAC1C,aAAa,CAAC,MAAM,CAAC,KAAK,CAAC,YAAY,OAAO,IAAI,CAAC,CAAC;AACtD,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,eAAe,CAAC,OAAe;IAC7C,aAAa,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,OAAO,IAAI,CAAC,CAAC;AAC7C,CAAC"}

package/build/parser.d.ts

@@ -0,0 +1,7 @@
+/**
+ * Dockerfile parser - converts raw Dockerfile text into typed Instruction AST.
+ * Handles multi-line RUN with backslash continuations, comments, and empty lines.
+ */
+import type { Instruction } from './types.js';
+/** Parse raw Dockerfile content into typed Instruction AST */
+export declare function parseDockerfile(content: string): Instruction[];

package/build/parser.js

@@ -0,0 +1,123 @@
+/**
+ * Dockerfile parser - converts raw Dockerfile text into typed Instruction AST.
+ * Handles multi-line RUN with backslash continuations, comments, and empty lines.
+ */
+/** Join lines that end with backslash continuation */
+function joinContinuationLines(lines) {
+    const result = [];
+    let current = '';
+    let startLine = 0;
+    for (let i = 0; i < lines.length; i++) {
+        const trimmed = lines[i].trimEnd();
+        if (current === '') {
+            startLine = i + 1; // 1-indexed line numbers
+        }
+        if (trimmed.endsWith('\\')) {
+            current += (current ? ' ' : '') + trimmed.slice(0, -1).trim();
+        }
+        else {
+            current += (current ? ' ' : '') + trimmed.trim();
+            if (current.trim()) {
+                result.push({ text: current.trim(), line: startLine });
+            }
+            current = '';
+        }
+    }
+    if (current.trim()) {
+        result.push({ text: current.trim(), line: startLine });
+    }
+    return result;
+}
+/** Parse a FROM instruction */
+function parseFrom(text, line) {
+    const stripped = text.replace(/^FROM\s+/i, '').replace(/--platform=\S+\s+/i, '');
+    const asMatch = stripped.match(/^(.+?)\s+[Aa][Ss]\s+(\S+)$/);
+    const imageStr = asMatch ? asMatch[1].trim() : stripped.trim();
+    const alias = asMatch ? asMatch[2] : undefined;
+    const [image, tag = 'latest'] = imageStr.split(':');
+    return { type: 'FROM', line, raw: text, image, tag, alias };
+}
+/** Parse a RUN instruction */
+function parseRun(text, line, isMultiLine) {
+    const command = text.replace(/^RUN\s+/i, '');
+    return { type: 'RUN', line, raw: text, command, isMultiLine };
+}
+/** Parse a COPY instruction */
+function parseCopy(text, line) {
+    const args = text.replace(/^COPY\s+/i, '');
+    const fromMatch = args.match(/--from=(\S+)\s+/);
+    const rest = args.replace(/--from=\S+\s+/, '').trim();
+    const parts = rest.split(/\s+/);
+    const destination = parts.pop() || '';
+    const source = parts.join(' ');
+    return {
+        type: 'COPY', line, raw: text, source, destination,
+        ...(fromMatch ? { from: fromMatch[1] } : {}),
+    };
+}
+/** Parse an ADD instruction */
+function parseAdd(text, line) {
+    const args = text.replace(/^ADD\s+/i, '').trim();
+    const parts = args.split(/\s+/);
+    const destination = parts.pop() || '';
+    const source = parts.join(' ');
+    return { type: 'ADD', line, raw: text, source, destination };
+}
+/** Parse an ENV instruction */
+function parseEnv(text, line) {
+    const args = text.replace(/^ENV\s+/i, '');
+    const eqMatch = args.match(/^(\S+?)=(.*)$/);
+    if (eqMatch) {
+        return { type: 'ENV', line, raw: text, key: eqMatch[1], value: eqMatch[2].trim() };
+    }
+    const parts = args.split(/\s+/, 2);
+    return { type: 'ENV', line, raw: text, key: parts[0], value: parts[1] || '' };
+}
+const INSTRUCTION_KEYWORDS = [
+    'FROM', 'RUN', 'COPY', 'ADD', 'ENV', 'EXPOSE', 'WORKDIR',
+    'CMD', 'ENTRYPOINT', 'LABEL', 'ARG', 'VOLUME', 'USER',
+    'HEALTHCHECK', 'SHELL', 'STOPSIGNAL', 'ONBUILD',
+];
+/** Parse raw Dockerfile content into typed Instruction AST */
+export function parseDockerfile(content) {
+    const rawLines = content.split('\n');
+    const joined = joinContinuationLines(rawLines);
+    const instructions = [];
+    for (const { text, line } of joined) {
+        if (text.startsWith('#') || text === '')
+            continue;
+        const upperText = text.toUpperCase();
+        const keyword = INSTRUCTION_KEYWORDS.find(k => upperText.startsWith(k + ' ') || upperText === k);
+        if (!keyword)
+            continue; // Gracefully skip unparseable lines
+        switch (keyword) {
+            case 'FROM':
+                instructions.push(parseFrom(text, line));
+                break;
+            case 'RUN': {
+                const originalLine = rawLines[line - 1] || '';
+                const isMultiLine = originalLine.trimEnd().endsWith('\\');
+                instructions.push(parseRun(text, line, isMultiLine));
+                break;
+            }
+            case 'COPY':
+                instructions.push(parseCopy(text, line));
+                break;
+            case 'ADD':
+                instructions.push(parseAdd(text, line));
+                break;
+            case 'ENV':
+                instructions.push(parseEnv(text, line));
+                break;
+            default:
+                instructions.push({
+                    type: keyword,
+                    line,
+                    raw: text,
+                    arguments: text.replace(new RegExp(`^${keyword}\\s*`, 'i'), ''),
+                });
+        }
+    }
+    return instructions;
+}
+//# sourceMappingURL=parser.js.map

package/build/parser.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"parser.js","sourceRoot":"","sources":["../src/parser.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAaH,sDAAsD;AACtD,SAAS,qBAAqB,CAAC,KAAe;IAC5C,MAAM,MAAM,GAA0C,EAAE,CAAC;IACzD,IAAI,OAAO,GAAG,EAAE,CAAC;IACjB,IAAI,SAAS,GAAG,CAAC,CAAC;IAElB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,OAAO,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC;QAEnC,IAAI,OAAO,KAAK,EAAE,EAAE,CAAC;YACnB,SAAS,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,yBAAyB;QAC9C,CAAC;QAED,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC3B,OAAO,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QAChE,CAAC;aAAM,CAAC;YACN,OAAO,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC;YACjD,IAAI,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC;gBACnB,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,OAAO,CAAC,IAAI,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC,CAAC;YACzD,CAAC;YACD,OAAO,GAAG,EAAE,CAAC;QACf,CAAC;IACH,CAAC;IAED,IAAI,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC;QACnB,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,OAAO,CAAC,IAAI,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC,CAAC;IACzD,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,+BAA+B;AAC/B,SAAS,SAAS,CAAC,IAAY,EAAE,IAAY;IAC3C,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,oBAAoB,EAAE,EAAE,CAAC,CAAC;IACjF,MAAM,OAAO,GAAG,QAAQ,CAAC,KAAK,CAAC,4BAA4B,CAAC,CAAC;IAC7D,MAAM,QAAQ,GAAG,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;IAC/D,MAAM,KAAK,GAAG,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;IAE/C,MAAM,CAAC,KAAK,EAAE,GAAG,GAAG,QAAQ,CAAC,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAEpD,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,GAAG,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC;AAC9D,CAAC;AAED,8BAA8B;AAC9B,SAAS,QAAQ,CAAC,IAAY,EAAE,IAAY,EAAE,WAAoB;IAChE,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC;IAC7C,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,GAAG,EAAE,IAAI,EAAE,OAAO,EAAE,WAAW,EAAE,CAAC;AAChE,CAAC;AAED,+BAA+B;AAC/B,SAAS,SAAS,CAAC,IAAY,EAAE,IAAY;IAC3C,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC;IAC3C,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,iBAAiB,CAAC,CAAC;IAChD,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,eAAe,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;IACtD,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;IAChC,MAAM,WAAW,GAAG,KAAK,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC;IACtC,MAAM,MAAM,GAAG,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAE/B,OAAO;QACL,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,GAAG,EAAE,IAAI,EAAE,MAAM,EAAE,WAAW;QAClD,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAC7C,CAAC;AACJ,CAAC;AAED,+BAA+B;AAC/B,SAAS,QAAQ,CAAC,IAAY,EAAE,IAAY;IAC1C,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;IACjD,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;IAChC,MAAM,WAAW,GAAG,KAAK,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC;IACtC,MAAM,MAAM,GAAG,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC/B,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,GAAG,EAAE,IAAI,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC;AAC/D,CAAC;AAED,+BAA+B;AAC/B,SAAS,QAAQ,CAAC,IAAY,EAAE,IAAY;IAC1C,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC;IAC1C,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,CAAC;IAC5C,IAAI,OAAO,EAAE,CAAC;QACZ,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,EAAE,OAAO,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC;IACrF,CAAC;IACD,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IACnC,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC;AAChF,CAAC;AAED,MAAM,oBAAoB,GAAsB;IAC9C,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,QAAQ,EAAE,SAAS;IACxD,KAAK,EAAE,YAAY,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM;IACrD,aAAa,EAAE,OAAO,EAAE,YAAY,EAAE,SAAS;CAChD,CAAC;AAEF,8DAA8D;AAC9D,MAAM,UAAU,eAAe,CAAC,OAAe;IAC7C,MAAM,QAAQ,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IACrC,MAAM,MAAM,GAAG,qBAAqB,CAAC,QAAQ,CAAC,CAAC;IAC/C,MAAM,YAAY,GAAkB,EAAE,CAAC;IAEvC,KAAK,MAAM,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,MAAM,EAAE,CAAC;QACpC,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,IAAI,KAAK,EAAE;YAAE,SAAS;QAElD,MAAM,SAAS,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;QACrC,MAAM,OAAO,GAAG,oBAAoB,CAAC,IAAI,CACvC,CAAC,CAAC,EAAE,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC,GAAG,GAAG,CAAC,IAAI,SAAS,KAAK,CAAC,CACtD,CAAC;QAEF,IAAI,CAAC,OAAO;YAAE,SAAS,CAAC,oCAAoC;QAE5D,QAAQ,OAAO,EAAE,CAAC;YAChB,KAAK,MAAM;gBACT,YAAY,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC;gBACzC,MAAM;YACR,KAAK,KAAK,CAAC,CAAC,CAAC;gBACX,MAAM,YAAY,GAAG,QAAQ,CAAC,IAAI,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;gBAC9C,MAAM,WAAW,GAAG,YAAY,CAAC,OAAO,EAAE,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;gBAC1D,YAAY,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,IAAI,EAAE,WAAW,CAAC,CAAC,CAAC;gBACrD,MAAM;YACR,CAAC;YACD,KAAK,MAAM;gBACT,YAAY,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC;gBACzC,MAAM;YACR,KAAK,KAAK;gBACR,YAAY,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC;gBACxC,MAAM;YACR,KAAK,KAAK;gBACR,YAAY,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC;gBACxC,MAAM;YACR;gBACE,YAAY,CAAC,IAAI,CAAC;oBAChB,IAAI,EAAE,OAAO;oBACb,IAAI;oBACJ,GAAG,EAAE,IAAI;oBACT,SAAS,EAAE,IAAI,CAAC,OAAO,CAAC,IAAI,MAAM,CAAC,IAAI,OAAO,MAAM,EAAE,GAAG,CAAC,EAAE,EAAE,CAAC;iBAC1C,CAAC,CAAC;QAC7B,CAAC;IACH,CAAC;IAED,OAAO,YAAY,CAAC;AACtB,CAAC"}

package/build/rules/alpine-swap.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Alpine/Slim Base Image Swap Rule
+ *
+ * Detects non-optimized base images (e.g., node:20, python:3.12) and suggests
+ * lighter alternatives (slim or alpine variants) with estimated size savings.
+ *
+ * Severity: HIGH when savings > 50%, MEDIUM when savings > 20%, LOW otherwise.
+ */
+import type { Rule } from '../types.js';
+export declare const alpineSwapRule: Rule;

package/build/rules/alpine-swap.js

@@ -0,0 +1,81 @@
+/**
+ * Alpine/Slim Base Image Swap Rule
+ *
+ * Detects non-optimized base images (e.g., node:20, python:3.12) and suggests
+ * lighter alternatives (slim or alpine variants) with estimated size savings.
+ *
+ * Severity: HIGH when savings > 50%, MEDIUM when savings > 20%, LOW otherwise.
+ */
+import { getSlimAlternative } from '../data/base-image-db.js';
+/** Check if an image tag already indicates a slim/alpine/distroless variant */
+function isAlreadyOptimized(image, tag) {
+    const lowerTag = tag.toLowerCase();
+    const lowerImage = image.toLowerCase();
+    // Alpine or slim tags
+    if (lowerTag.includes('alpine') || lowerTag.includes('slim'))
+        return true;
+    // Distroless images
+    if (lowerImage.includes('distroless'))
+        return true;
+    // Scratch / busybox are minimal
+    if (lowerImage === 'scratch' || lowerImage === 'busybox')
+        return true;
+    return false;
+}
+/** Calculate severity based on size reduction percentage */
+function getSeverity(savingsPercent) {
+    if (savingsPercent >= 50)
+        return 'HIGH';
+    if (savingsPercent >= 20)
+        return 'MEDIUM';
+    return 'LOW';
+}
+/** Format bytes to human-readable string */
+function formatBytes(bytes) {
+    if (bytes >= 1_000_000_000)
+        return `${(bytes / 1_000_000_000).toFixed(1)}GB`;
+    if (bytes >= 1_000_000)
+        return `${(bytes / 1_000_000).toFixed(0)}MB`;
+    if (bytes >= 1_000)
+        return `${(bytes / 1_000).toFixed(0)}KB`;
+    return `${bytes}B`;
+}
+export const alpineSwapRule = {
+    id: 'DSA001',
+    name: 'alpine-slim-swap',
+    description: 'Suggests lighter base image alternatives (alpine/slim) to reduce image size',
+    evaluate(instructions, context) {
+        const recommendations = [];
+        // Find all FROM instructions (for single-stage, there should be exactly one)
+        const fromInstructions = instructions.filter((i) => i.type === 'FROM');
+        for (const from of fromInstructions) {
+            // Skip if already using an optimized variant
+            if (isAlreadyOptimized(from.image, from.tag))
+                continue;
+            // Look up current image size
+            const currentSize = context.getImageSize(from.image, from.tag);
+            if (currentSize === undefined)
+                continue; // Unknown image, skip
+            // Find a lighter alternative
+            const alt = getSlimAlternative(from.image, from.tag);
+            if (!alt)
+                continue;
+            const savingsBytes = currentSize - alt.alternativeSizeBytes;
+            if (savingsBytes <= 0)
+                continue;
+            const savingsPercent = (savingsBytes / currentSize) * 100;
+            const severity = getSeverity(savingsPercent);
+            recommendations.push({
+                ruleId: 'DSA001',
+                severity,
+                line: from.line,
+                title: `Use ${alt.alternative} instead of ${from.image}:${from.tag}`,
+                description: `Switching from ${from.image}:${from.tag} (${formatBytes(currentSize)}) to ${alt.alternative} (${formatBytes(alt.alternativeSizeBytes)}) saves ~${formatBytes(savingsBytes)} (${savingsPercent.toFixed(0)}% reduction).`,
+                fix: `FROM ${alt.alternative}`,
+                estimatedSavingsBytes: savingsBytes,
+            });
+        }
+        return recommendations;
+    },
+};
+//# sourceMappingURL=alpine-swap.js.map

package/build/rules/alpine-swap.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"alpine-swap.js","sourceRoot":"","sources":["../../src/rules/alpine-swap.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAGH,OAAO,EAAE,kBAAkB,EAAE,MAAM,0BAA0B,CAAC;AAE9D,+EAA+E;AAC/E,SAAS,kBAAkB,CAAC,KAAa,EAAE,GAAW;IACpD,MAAM,QAAQ,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC;IACnC,MAAM,UAAU,GAAG,KAAK,CAAC,WAAW,EAAE,CAAC;IAEvC,sBAAsB;IACtB,IAAI,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC;QAAE,OAAO,IAAI,CAAC;IAE1E,oBAAoB;IACpB,IAAI,UAAU,CAAC,QAAQ,CAAC,YAAY,CAAC;QAAE,OAAO,IAAI,CAAC;IAEnD,gCAAgC;IAChC,IAAI,UAAU,KAAK,SAAS,IAAI,UAAU,KAAK,SAAS;QAAE,OAAO,IAAI,CAAC;IAEtE,OAAO,KAAK,CAAC;AACf,CAAC;AAED,4DAA4D;AAC5D,SAAS,WAAW,CAAC,cAAsB;IACzC,IAAI,cAAc,IAAI,EAAE;QAAE,OAAO,MAAM,CAAC;IACxC,IAAI,cAAc,IAAI,EAAE;QAAE,OAAO,QAAQ,CAAC;IAC1C,OAAO,KAAK,CAAC;AACf,CAAC;AAED,4CAA4C;AAC5C,SAAS,WAAW,CAAC,KAAa;IAChC,IAAI,KAAK,IAAI,aAAa;QAAE,OAAO,GAAG,CAAC,KAAK,GAAG,aAAa,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC;IAC7E,IAAI,KAAK,IAAI,SAAS;QAAE,OAAO,GAAG,CAAC,KAAK,GAAG,SAAS,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC;IACrE,IAAI,KAAK,IAAI,KAAK;QAAE,OAAO,GAAG,CAAC,KAAK,GAAG,KAAK,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC;IAC7D,OAAO,GAAG,KAAK,GAAG,CAAC;AACrB,CAAC;AAED,MAAM,CAAC,MAAM,cAAc,GAAS;IAClC,EAAE,EAAE,QAAQ;IACZ,IAAI,EAAE,kBAAkB;IACxB,WAAW,EAAE,6EAA6E;IAE1F,QAAQ,CAAC,YAA2B,EAAE,OAAoB;QACxD,MAAM,eAAe,GAAqB,EAAE,CAAC;QAE7C,6EAA6E;QAC7E,MAAM,gBAAgB,GAAG,YAAY,CAAC,MAAM,CAC1C,CAAC,CAAC,EAAwB,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,MAAM,CAC/C,CAAC;QAEF,KAAK,MAAM,IAAI,IAAI,gBAAgB,EAAE,CAAC;YACpC,6CAA6C;YAC7C,IAAI,kBAAkB,CAAC,IAAI,CAAC,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC;gBAAE,SAAS;YAEvD,6BAA6B;YAC7B,MAAM,WAAW,GAAG,OAAO,CAAC,YAAY,CAAC,IAAI,CAAC,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC;YAC/D,IAAI,WAAW,KAAK,SAAS;gBAAE,SAAS,CAAC,sBAAsB;YAE/D,6BAA6B;YAC7B,MAAM,GAAG,GAAG,kBAAkB,CAAC,IAAI,CAAC,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC;YACrD,IAAI,CAAC,GAAG;gBAAE,SAAS;YAEnB,MAAM,YAAY,GAAG,WAAW,GAAG,GAAG,CAAC,oBAAoB,CAAC;YAC5D,IAAI,YAAY,IAAI,CAAC;gBAAE,SAAS;YAEhC,MAAM,cAAc,GAAG,CAAC,YAAY,GAAG,WAAW,CAAC,GAAG,GAAG,CAAC;YAC1D,MAAM,QAAQ,GAAG,WAAW,CAAC,cAAc,CAAC,CAAC;YAE7C,eAAe,CAAC,IAAI,CAAC;gBACnB,MAAM,EAAE,QAAQ;gBAChB,QAAQ;gBACR,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,KAAK,EAAE,OAAO,GAAG,CAAC,WAAW,eAAe,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,GAAG,EAAE;gBACpE,WAAW,EAAE,kBAAkB,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,GAAG,KAAK,WAAW,CAAC,WAAW,CAAC,QAAQ,GAAG,CAAC,WAAW,KAAK,WAAW,CAAC,GAAG,CAAC,oBAAoB,CAAC,YAAY,WAAW,CAAC,YAAY,CAAC,KAAK,cAAc,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe;gBACrO,GAAG,EAAE,QAAQ,GAAG,CAAC,WAAW,EAAE;gBAC9B,qBAAqB,EAAE,YAAY;aACpC,CAAC,CAAC;QACL,CAAC;QAED,OAAO,eAAe,CAAC;IACzB,CAAC;CACF,CAAC"}

package/build/rules/dockerignore-missing.d.ts

@@ -0,0 +1,19 @@
+/**
+ * Dockerignore Detection Rule (DSA004)
+ *
+ * Checks for missing or incomplete .dockerignore file when COPY/ADD
+ * instructions use broad source patterns (e.g., "." or "*").
+ *
+ * Without a proper .dockerignore, COPY . or ADD . will include
+ * node_modules, .git, build artifacts, and other unnecessary files,
+ * bloating the image by 50-500MB+.
+ *
+ * Severity: HIGH — .dockerignore is a fundamental Docker best practice.
+ * Estimated savings: ~100MB (conservative estimate for typical projects).
+ */
+import type { Rule } from '../types.js';
+/** Common entries that should be in .dockerignore */
+export declare const RECOMMENDED_ENTRIES: readonly ["node_modules", ".git", "dist", "build", ".env", ".env.*", "*.log", ".DS_Store", "coverage", ".vscode", ".idea", "tmp", "*.md", "docker-compose*.yml", "Dockerfile", ".dockerignore", ".github", "__tests__", "tests", ".nyc_output"];
+/** Find which recommended entries are missing from the .dockerignore content */
+export declare function findMissingEntries(dockerignoreContent: string): string[];
+export declare const dockerignoreMissingRule: Rule;

package/build/rules/dockerignore-missing.js

@@ -0,0 +1,107 @@
+/**
+ * Dockerignore Detection Rule (DSA004)
+ *
+ * Checks for missing or incomplete .dockerignore file when COPY/ADD
+ * instructions use broad source patterns (e.g., "." or "*").
+ *
+ * Without a proper .dockerignore, COPY . or ADD . will include
+ * node_modules, .git, build artifacts, and other unnecessary files,
+ * bloating the image by 50-500MB+.
+ *
+ * Severity: HIGH — .dockerignore is a fundamental Docker best practice.
+ * Estimated savings: ~100MB (conservative estimate for typical projects).
+ */
+/** Conservative estimate for unnecessary files copied without .dockerignore (~100MB) */
+const MISSING_DOCKERIGNORE_BYTES = 100 * 1024 * 1024;
+/** Partial .dockerignore — some entries missing (~30MB) */
+const INCOMPLETE_DOCKERIGNORE_BYTES = 30 * 1024 * 1024;
+/** Common entries that should be in .dockerignore */
+export const RECOMMENDED_ENTRIES = [
+    'node_modules',
+    '.git',
+    'dist',
+    'build',
+    '.env',
+    '.env.*',
+    '*.log',
+    '.DS_Store',
+    'coverage',
+    '.vscode',
+    '.idea',
+    'tmp',
+    '*.md',
+    'docker-compose*.yml',
+    'Dockerfile',
+    '.dockerignore',
+    '.github',
+    '__tests__',
+    'tests',
+    '.nyc_output',
+];
+/** Broad source patterns that copy entire context */
+const BROAD_SOURCE_PATTERNS = ['.', './', '*', './*'];
+/** Check if a COPY/ADD source is a broad pattern that copies the entire build context */
+function isBroadCopySource(source) {
+    return BROAD_SOURCE_PATTERNS.includes(source.trim());
+}
+/** Find which recommended entries are missing from the .dockerignore content */
+export function findMissingEntries(dockerignoreContent) {
+    const lines = dockerignoreContent
+        .split('\n')
+        .map(l => l.trim())
+        .filter(l => l && !l.startsWith('#'));
+    return RECOMMENDED_ENTRIES.filter(entry => {
+        // Check if the entry or a glob covering it exists in dockerignore
+        return !lines.some(line => {
+            // Exact match
+            if (line === entry)
+                return true;
+            // Wildcard match: e.g., "*.log" covers "*.log"
+            if (line === entry)
+                return true;
+            // Directory with trailing slash: "node_modules/" covers "node_modules"
+            if (line === `${entry}/`)
+                return true;
+            // Entry with trailing slash matches line without
+            if (`${line}/` === entry || line === entry.replace(/\/$/, ''))
+                return true;
+            return false;
+        });
+    });
+}
+/** Build the suggested .dockerignore content from missing entries */
+function buildDockerignoreSuggestion(missingEntries) {
+    if (missingEntries.length === 0)
+        return '';
+    return `# Add these entries to .dockerignore:\n${missingEntries.join('\n')}`;
+}
+export const dockerignoreMissingRule = {
+    id: 'DSA004',
+    name: 'dockerignore-missing',
+    description: 'Detects missing or incomplete .dockerignore when broad COPY/ADD patterns are used',
+    evaluate(instructions, _context) {
+        const recommendations = [];
+        // Find COPY/ADD instructions with broad source patterns
+        const broadCopies = instructions.filter((i) => (i.type === 'COPY' || i.type === 'ADD') && isBroadCopySource(i.source));
+        if (broadCopies.length === 0)
+            return recommendations;
+        // Use the first broad COPY/ADD line for the recommendation
+        const firstBroadCopy = broadCopies[0];
+        // We can only do static analysis — we flag the pattern and suggest .dockerignore
+        // The rule always fires for broad copies since we cannot read the filesystem
+        recommendations.push({
+            ruleId: 'DSA004',
+            severity: 'HIGH',
+            line: firstBroadCopy.line,
+            title: 'Broad COPY/ADD without .dockerignore optimization',
+            description: `\`${firstBroadCopy.type} ${firstBroadCopy.source}\` copies the entire build context. ` +
+                'Without a comprehensive .dockerignore, this includes node_modules, .git, ' +
+                'build artifacts, and other files unnecessary in the image. ' +
+                'Create or update .dockerignore to exclude development and build files.',
+            fix: buildDockerignoreSuggestion([...RECOMMENDED_ENTRIES]),
+            estimatedSavingsBytes: MISSING_DOCKERIGNORE_BYTES,
+        });
+        return recommendations;
+    },
+};
+//# sourceMappingURL=dockerignore-missing.js.map

package/build/rules/dockerignore-missing.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"dockerignore-missing.js","sourceRoot":"","sources":["../../src/rules/dockerignore-missing.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAIH,wFAAwF;AACxF,MAAM,0BAA0B,GAAG,GAAG,GAAG,IAAI,GAAG,IAAI,CAAC;AAErD,2DAA2D;AAC3D,MAAM,6BAA6B,GAAG,EAAE,GAAG,IAAI,GAAG,IAAI,CAAC;AAEvD,qDAAqD;AACrD,MAAM,CAAC,MAAM,mBAAmB,GAAG;IACjC,cAAc;IACd,MAAM;IACN,MAAM;IACN,OAAO;IACP,MAAM;IACN,QAAQ;IACR,OAAO;IACP,WAAW;IACX,UAAU;IACV,SAAS;IACT,OAAO;IACP,KAAK;IACL,MAAM;IACN,qBAAqB;IACrB,YAAY;IACZ,eAAe;IACf,SAAS;IACT,WAAW;IACX,OAAO;IACP,aAAa;CACL,CAAC;AAEX,qDAAqD;AACrD,MAAM,qBAAqB,GAAG,CAAC,GAAG,EAAE,IAAI,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC;AAEtD,yFAAyF;AACzF,SAAS,iBAAiB,CAAC,MAAc;IACvC,OAAO,qBAAqB,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;AACvD,CAAC;AAED,gFAAgF;AAChF,MAAM,UAAU,kBAAkB,CAAC,mBAA2B;IAC5D,MAAM,KAAK,GAAG,mBAAmB;SAC9B,KAAK,CAAC,IAAI,CAAC;SACX,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;SAClB,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC;IAExC,OAAO,mBAAmB,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE;QACxC,kEAAkE;QAClE,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;YACxB,cAAc;YACd,IAAI,IAAI,KAAK,KAAK;gBAAE,OAAO,IAAI,CAAC;YAChC,+CAA+C;YAC/C,IAAI,IAAI,KAAK,KAAK;gBAAE,OAAO,IAAI,CAAC;YAChC,uEAAuE;YACvE,IAAI,IAAI,KAAK,GAAG,KAAK,GAAG;gBAAE,OAAO,IAAI,CAAC;YACtC,iDAAiD;YACjD,IAAI,GAAG,IAAI,GAAG,KAAK,KAAK,IAAI,IAAI,KAAK,KAAK,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC;gBAAE,OAAO,IAAI,CAAC;YAC3E,OAAO,KAAK,CAAC;QACf,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;AAED,qEAAqE;AACrE,SAAS,2BAA2B,CAAC,cAAwB;IAC3D,IAAI,cAAc,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,CAAC;IAC3C,OAAO,0CAA0C,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;AAC/E,CAAC;AAED,MAAM,CAAC,MAAM,uBAAuB,GAAS;IAC3C,EAAE,EAAE,QAAQ;IACZ,IAAI,EAAE,sBAAsB;IAC5B,WAAW,EAAE,mFAAmF;IAEhG,QAAQ,CAAC,YAA2B,EAAE,QAAqB;QACzD,MAAM,eAAe,GAAqB,EAAE,CAAC;QAE7C,wDAAwD;QACxD,MAAM,WAAW,GAAG,YAAY,CAAC,MAAM,CACrC,CAAC,CAAC,EAAyC,EAAE,CAC3C,CAAC,CAAC,CAAC,IAAI,KAAK,MAAM,IAAI,CAAC,CAAC,IAAI,KAAK,KAAK,CAAC,IAAI,iBAAiB,CAAC,CAAC,CAAC,MAAM,CAAC,CACzE,CAAC;QAEF,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,eAAe,CAAC;QAErD,2DAA2D;QAC3D,MAAM,cAAc,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC;QAEtC,iFAAiF;QACjF,6EAA6E;QAC7E,eAAe,CAAC,IAAI,CAAC;YACnB,MAAM,EAAE,QAAQ;YAChB,QAAQ,EAAE,MAAM;YAChB,IAAI,EAAE,cAAc,CAAC,IAAI;YACzB,KAAK,EAAE,mDAAmD;YAC1D,WAAW,EACT,KAAK,cAAc,CAAC,IAAI,IAAI,cAAc,CAAC,MAAM,sCAAsC;gBACvF,2EAA2E;gBAC3E,6DAA6D;gBAC7D,wEAAwE;YAC1E,GAAG,EAAE,2BAA2B,CAAC,CAAC,GAAG,mBAAmB,CAAC,CAAC;YAC1D,qBAAqB,EAAE,0BAA0B;SAClD,CAAC,CAAC;QAEH,OAAO,eAAe,CAAC;IACzB,CAAC;CACF,CAAC"}

package/build/rules/index.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Rule registry - exports all optimization rules.
+ */
+import type { Rule } from '../types.js';
+/** All registered optimization rules */
+export declare const rules: Rule[];
+export { alpineSwapRule } from './alpine-swap.js';
+export { runMergeRule } from './run-merge.js';
+export { packageCacheCleanupRule } from './package-cache-cleanup.js';
+export { dockerignoreMissingRule } from './dockerignore-missing.js';
+export { unnecessaryPackagesRule } from './unnecessary-packages.js';

package/build/rules/index.js

@@ -0,0 +1,22 @@
+/**
+ * Rule registry - exports all optimization rules.
+ */
+import { alpineSwapRule } from './alpine-swap.js';
+import { runMergeRule } from './run-merge.js';
+import { packageCacheCleanupRule } from './package-cache-cleanup.js';
+import { dockerignoreMissingRule } from './dockerignore-missing.js';
+import { unnecessaryPackagesRule } from './unnecessary-packages.js';
+/** All registered optimization rules */
+export const rules = [
+    alpineSwapRule,
+    runMergeRule,
+    packageCacheCleanupRule,
+    dockerignoreMissingRule,
+    unnecessaryPackagesRule,
+];
+export { alpineSwapRule } from './alpine-swap.js';
+export { runMergeRule } from './run-merge.js';
+export { packageCacheCleanupRule } from './package-cache-cleanup.js';
+export { dockerignoreMissingRule } from './dockerignore-missing.js';
+export { unnecessaryPackagesRule } from './unnecessary-packages.js';
+//# sourceMappingURL=index.js.map

package/build/rules/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/rules/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAGH,OAAO,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAC;AAClD,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,EAAE,uBAAuB,EAAE,MAAM,4BAA4B,CAAC;AACrE,OAAO,EAAE,uBAAuB,EAAE,MAAM,2BAA2B,CAAC;AACpE,OAAO,EAAE,uBAAuB,EAAE,MAAM,2BAA2B,CAAC;AAEpE,wCAAwC;AACxC,MAAM,CAAC,MAAM,KAAK,GAAW;IAC3B,cAAc;IACd,YAAY;IACZ,uBAAuB;IACvB,uBAAuB;IACvB,uBAAuB;CACxB,CAAC;AAEF,OAAO,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAC;AAClD,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,EAAE,uBAAuB,EAAE,MAAM,4BAA4B,CAAC;AACrE,OAAO,EAAE,uBAAuB,EAAE,MAAM,2BAA2B,CAAC;AACpE,OAAO,EAAE,uBAAuB,EAAE,MAAM,2BAA2B,CAAC"}

package/build/rules/package-cache-cleanup.d.ts

@@ -0,0 +1,15 @@
+/**
+ * Package Cache Cleanup Rule (DSA003)
+ *
+ * Detects missing cache removal commands in package install layers.
+ * Checks for:
+ *   - apt-get install without `rm -rf /var/lib/apt/lists/*`
+ *   - apk add without `--no-cache` flag
+ *
+ * Package manager caches left in a layer bloat the final image by 20-200MB.
+ *
+ * Severity: HIGH — cache cleanup is a fundamental Docker best practice.
+ * Estimated savings: ~40MB for apt, ~10MB for apk.
+ */
+import type { Rule } from '../types.js';
+export declare const packageCacheCleanupRule: Rule;