@infograb/docker-slim-advisor 0.1.0

package/build/rules/package-cache-cleanup.js

@@ -0,0 +1,89 @@
+/**
+ * Package Cache Cleanup Rule (DSA003)
+ *
+ * Detects missing cache removal commands in package install layers.
+ * Checks for:
+ *   - apt-get install without `rm -rf /var/lib/apt/lists/*`
+ *   - apk add without `--no-cache` flag
+ *
+ * Package manager caches left in a layer bloat the final image by 20-200MB.
+ *
+ * Severity: HIGH — cache cleanup is a fundamental Docker best practice.
+ * Estimated savings: ~40MB for apt, ~10MB for apk.
+ */
+/** Estimated cache size left behind by apt-get (~40MB) */
+const APT_CACHE_BYTES = 40 * 1024 * 1024;
+/** Estimated cache size left behind by apk (~10MB) */
+const APK_CACHE_BYTES = 10 * 1024 * 1024;
+/** Check if command contains apt-get install */
+function hasAptInstall(command) {
+    return /apt-get\s+install/i.test(command);
+}
+/** Check if command removes apt cache */
+function hasAptCacheCleanup(command) {
+    // rm -rf /var/lib/apt/lists/*  OR  apt-get clean
+    return (/rm\s+-rf?\s+\/var\/lib\/apt\/lists/i.test(command) ||
+        /apt-get\s+clean/i.test(command));
+}
+/** Check if command contains apk add */
+function hasApkAdd(command) {
+    return /apk\s+(--\S+\s+)*add/i.test(command);
+}
+/** Check if apk add uses --no-cache flag */
+function hasApkNoCache(command) {
+    return /apk\s+(--\S+\s+)*add\s+(--\S+\s+)*--no-cache/i.test(command) ||
+        /apk\s+--no-cache\s+(--\S+\s+)*add/i.test(command);
+}
+/** Build fix suggestion for apt-get install */
+function buildAptFix(run) {
+    const cmd = run.command.trim();
+    return `RUN ${cmd} && \\\n    rm -rf /var/lib/apt/lists/*`;
+}
+/** Build fix suggestion for apk add (inject --no-cache) */
+function buildApkFix(run) {
+    const cmd = run.command.trim();
+    // Replace `apk [flags] add` with `apk add --no-cache`, removing intermediate flags
+    const fixed = cmd.replace(/apk\s+(--\S+\s+)*add/i, 'apk add --no-cache');
+    return `RUN ${fixed}`;
+}
+export const packageCacheCleanupRule = {
+    id: 'DSA003',
+    name: 'package-cache-cleanup',
+    description: 'Detects missing cache removal commands in package install layers',
+    evaluate(instructions, _context) {
+        const recommendations = [];
+        const runInstructions = instructions.filter((i) => i.type === 'RUN');
+        for (const run of runInstructions) {
+            const cmd = run.command;
+            // Check apt-get install without cache cleanup
+            if (hasAptInstall(cmd) && !hasAptCacheCleanup(cmd)) {
+                recommendations.push({
+                    ruleId: 'DSA003',
+                    severity: 'HIGH',
+                    line: run.line,
+                    title: 'apt-get install without cache cleanup',
+                    description: 'apt-get install leaves package lists in /var/lib/apt/lists/ ' +
+                        'adding ~40MB to the layer. Add `rm -rf /var/lib/apt/lists/*` ' +
+                        'or `apt-get clean` in the same RUN to remove them.',
+                    fix: buildAptFix(run),
+                    estimatedSavingsBytes: APT_CACHE_BYTES,
+                });
+            }
+            // Check apk add without --no-cache
+            if (hasApkAdd(cmd) && !hasApkNoCache(cmd)) {
+                recommendations.push({
+                    ruleId: 'DSA003',
+                    severity: 'HIGH',
+                    line: run.line,
+                    title: 'apk add without --no-cache',
+                    description: 'apk add without --no-cache leaves an index cache in /var/cache/apk/ ' +
+                        'adding ~10MB to the layer. Use `apk add --no-cache` to skip caching.',
+                    fix: buildApkFix(run),
+                    estimatedSavingsBytes: APK_CACHE_BYTES,
+                });
+            }
+        }
+        return recommendations;
+    },
+};
+//# sourceMappingURL=package-cache-cleanup.js.map

package/build/rules/package-cache-cleanup.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"package-cache-cleanup.js","sourceRoot":"","sources":["../../src/rules/package-cache-cleanup.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAIH,0DAA0D;AAC1D,MAAM,eAAe,GAAG,EAAE,GAAG,IAAI,GAAG,IAAI,CAAC;AAEzC,sDAAsD;AACtD,MAAM,eAAe,GAAG,EAAE,GAAG,IAAI,GAAG,IAAI,CAAC;AAEzC,gDAAgD;AAChD,SAAS,aAAa,CAAC,OAAe;IACpC,OAAO,oBAAoB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;AAC5C,CAAC;AAED,yCAAyC;AACzC,SAAS,kBAAkB,CAAC,OAAe;IACzC,iDAAiD;IACjD,OAAO,CACL,qCAAqC,CAAC,IAAI,CAAC,OAAO,CAAC;QACnD,kBAAkB,CAAC,IAAI,CAAC,OAAO,CAAC,CACjC,CAAC;AACJ,CAAC;AAED,wCAAwC;AACxC,SAAS,SAAS,CAAC,OAAe;IAChC,OAAO,uBAAuB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;AAC/C,CAAC;AAED,4CAA4C;AAC5C,SAAS,aAAa,CAAC,OAAe;IACpC,OAAO,+CAA+C,CAAC,IAAI,CAAC,OAAO,CAAC;QAClE,oCAAoC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;AACvD,CAAC;AAED,+CAA+C;AAC/C,SAAS,WAAW,CAAC,GAAmB;IACtC,MAAM,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;IAC/B,OAAO,OAAO,GAAG,yCAAyC,CAAC;AAC7D,CAAC;AAED,2DAA2D;AAC3D,SAAS,WAAW,CAAC,GAAmB;IACtC,MAAM,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;IAC/B,mFAAmF;IACnF,MAAM,KAAK,GAAG,GAAG,CAAC,OAAO,CAAC,uBAAuB,EAAE,oBAAoB,CAAC,CAAC;IACzE,OAAO,OAAO,KAAK,EAAE,CAAC;AACxB,CAAC;AAED,MAAM,CAAC,MAAM,uBAAuB,GAAS;IAC3C,EAAE,EAAE,QAAQ;IACZ,IAAI,EAAE,uBAAuB;IAC7B,WAAW,EAAE,kEAAkE;IAE/E,QAAQ,CAAC,YAA2B,EAAE,QAAqB;QACzD,MAAM,eAAe,GAAqB,EAAE,CAAC;QAE7C,MAAM,eAAe,GAAG,YAAY,CAAC,MAAM,CACzC,CAAC,CAAC,EAAuB,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,KAAK,CAC7C,CAAC;QAEF,KAAK,MAAM,GAAG,IAAI,eAAe,EAAE,CAAC;YAClC,MAAM,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC;YAExB,8CAA8C;YAC9C,IAAI,aAAa,CAAC,GAAG,CAAC,IAAI,CAAC,kBAAkB,CAAC,GAAG,CAAC,EAAE,CAAC;gBACnD,eAAe,CAAC,IAAI,CAAC;oBACnB,MAAM,EAAE,QAAQ;oBAChB,QAAQ,EAAE,MAAM;oBAChB,IAAI,EAAE,GAAG,CAAC,IAAI;oBACd,KAAK,EAAE,uCAAuC;oBAC9C,WAAW,EACT,8DAA8D;wBAC9D,+DAA+D;wBAC/D,oDAAoD;oBACtD,GAAG,EAAE,WAAW,CAAC,GAAG,CAAC;oBACrB,qBAAqB,EAAE,eAAe;iBACvC,CAAC,CAAC;YACL,CAAC;YAED,mCAAmC;YACnC,IAAI,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,EAAE,CAAC;gBAC1C,eAAe,CAAC,IAAI,CAAC;oBACnB,MAAM,EAAE,QAAQ;oBAChB,QAAQ,EAAE,MAAM;oBAChB,IAAI,EAAE,GAAG,CAAC,IAAI;oBACd,KAAK,EAAE,4BAA4B;oBACnC,WAAW,EACT,sEAAsE;wBACtE,sEAAsE;oBACxE,GAAG,EAAE,WAAW,CAAC,GAAG,CAAC;oBACrB,qBAAqB,EAAE,eAAe;iBACvC,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO,eAAe,CAAC;IACzB,CAAC;CACF,CAAC"}

package/build/rules/run-merge.d.ts

@@ -0,0 +1,12 @@
+/**
+ * RUN Instruction Merge Rule (DSA002)
+ *
+ * Detects consecutive RUN commands and suggests combining them with && to
+ * reduce image layers. Each RUN creates a new layer in the Docker image;
+ * merging consecutive RUNs reduces layer count and total image size.
+ *
+ * Severity: HIGH when 4+ consecutive RUNs, MEDIUM for 2-3 consecutive RUNs.
+ * Estimated savings: ~5MB per eliminated layer (filesystem overhead).
+ */
+import type { Rule } from '../types.js';
+export declare const runMergeRule: Rule;

package/build/rules/run-merge.js

@@ -0,0 +1,67 @@
+/**
+ * RUN Instruction Merge Rule (DSA002)
+ *
+ * Detects consecutive RUN commands and suggests combining them with && to
+ * reduce image layers. Each RUN creates a new layer in the Docker image;
+ * merging consecutive RUNs reduces layer count and total image size.
+ *
+ * Severity: HIGH when 4+ consecutive RUNs, MEDIUM for 2-3 consecutive RUNs.
+ * Estimated savings: ~5MB per eliminated layer (filesystem overhead).
+ */
+/** Estimated filesystem overhead per layer in bytes (~5MB) */
+const LAYER_OVERHEAD_BYTES = 5 * 1024 * 1024;
+/** Group consecutive RUN instructions into clusters */
+function findConsecutiveRunGroups(instructions) {
+    const groups = [];
+    let currentGroup = [];
+    for (const instr of instructions) {
+        if (instr.type === 'RUN') {
+            currentGroup.push(instr);
+        }
+        else {
+            if (currentGroup.length >= 2) {
+                groups.push(currentGroup);
+            }
+            currentGroup = [];
+        }
+    }
+    // Flush trailing group
+    if (currentGroup.length >= 2) {
+        groups.push(currentGroup);
+    }
+    return groups;
+}
+/** Build a merged RUN command from multiple RUN instructions */
+function buildMergedCommand(runs) {
+    const commands = runs.map(r => r.command.trim());
+    const joined = commands.join(' && \\\n    ');
+    return `RUN ${joined}`;
+}
+export const runMergeRule = {
+    id: 'DSA002',
+    name: 'run-merge',
+    description: 'Detects consecutive RUN commands and suggests combining them to reduce image layers',
+    evaluate(instructions, _context) {
+        const groups = findConsecutiveRunGroups(instructions);
+        const recommendations = [];
+        for (const group of groups) {
+            const eliminatedLayers = group.length - 1;
+            const estimatedSavings = eliminatedLayers * LAYER_OVERHEAD_BYTES;
+            const severity = group.length >= 4 ? 'HIGH' : 'MEDIUM';
+            const lineRange = `${group[0].line}-${group[group.length - 1].line}`;
+            recommendations.push({
+                ruleId: 'DSA002',
+                severity,
+                line: group[0].line,
+                title: `Merge ${group.length} consecutive RUN instructions (lines ${lineRange})`,
+                description: `${group.length} consecutive RUN commands create ${group.length} separate layers. ` +
+                    `Combining them into a single RUN with && eliminates ${eliminatedLayers} layer(s), ` +
+                    `saving ~${Math.round(estimatedSavings / (1024 * 1024))}MB in filesystem overhead.`,
+                fix: buildMergedCommand(group),
+                estimatedSavingsBytes: estimatedSavings,
+            });
+        }
+        return recommendations;
+    },
+};
+//# sourceMappingURL=run-merge.js.map

package/build/rules/run-merge.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"run-merge.js","sourceRoot":"","sources":["../../src/rules/run-merge.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAIH,8DAA8D;AAC9D,MAAM,oBAAoB,GAAG,CAAC,GAAG,IAAI,GAAG,IAAI,CAAC;AAE7C,uDAAuD;AACvD,SAAS,wBAAwB,CAAC,YAA2B;IAC3D,MAAM,MAAM,GAAuB,EAAE,CAAC;IACtC,IAAI,YAAY,GAAqB,EAAE,CAAC;IAExC,KAAK,MAAM,KAAK,IAAI,YAAY,EAAE,CAAC;QACjC,IAAI,KAAK,CAAC,IAAI,KAAK,KAAK,EAAE,CAAC;YACzB,YAAY,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC3B,CAAC;aAAM,CAAC;YACN,IAAI,YAAY,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;gBAC7B,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;YAC5B,CAAC;YACD,YAAY,GAAG,EAAE,CAAC;QACpB,CAAC;IACH,CAAC;IAED,uBAAuB;IACvB,IAAI,YAAY,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;QAC7B,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IAC5B,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,gEAAgE;AAChE,SAAS,kBAAkB,CAAC,IAAsB;IAChD,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;IACjD,MAAM,MAAM,GAAG,QAAQ,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;IAC7C,OAAO,OAAO,MAAM,EAAE,CAAC;AACzB,CAAC;AAED,MAAM,CAAC,MAAM,YAAY,GAAS;IAChC,EAAE,EAAE,QAAQ;IACZ,IAAI,EAAE,WAAW;IACjB,WAAW,EAAE,qFAAqF;IAElG,QAAQ,CAAC,YAA2B,EAAE,QAAqB;QACzD,MAAM,MAAM,GAAG,wBAAwB,CAAC,YAAY,CAAC,CAAC;QACtD,MAAM,eAAe,GAAqB,EAAE,CAAC;QAE7C,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;YAC3B,MAAM,gBAAgB,GAAG,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC;YAC1C,MAAM,gBAAgB,GAAG,gBAAgB,GAAG,oBAAoB,CAAC;YACjE,MAAM,QAAQ,GAAG,KAAK,CAAC,MAAM,IAAI,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC;YACvD,MAAM,SAAS,GAAG,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,IAAI,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YAErE,eAAe,CAAC,IAAI,CAAC;gBACnB,MAAM,EAAE,QAAQ;gBAChB,QAAQ;gBACR,IAAI,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI;gBACnB,KAAK,EAAE,SAAS,KAAK,CAAC,MAAM,wCAAwC,SAAS,GAAG;gBAChF,WAAW,EACT,GAAG,KAAK,CAAC,MAAM,oCAAoC,KAAK,CAAC,MAAM,oBAAoB;oBACnF,uDAAuD,gBAAgB,aAAa;oBACpF,WAAW,IAAI,CAAC,KAAK,CAAC,gBAAgB,GAAG,CAAC,IAAI,GAAG,IAAI,CAAC,CAAC,4BAA4B;gBACrF,GAAG,EAAE,kBAAkB,CAAC,KAAK,CAAC;gBAC9B,qBAAqB,EAAE,gBAAgB;aACxC,CAAC,CAAC;QACL,CAAC;QAED,OAAO,eAAe,CAAC;IACzB,CAAC;CACF,CAAC"}

package/build/rules/unnecessary-packages.d.ts

@@ -0,0 +1,23 @@
+/**
+ * Unnecessary Packages Rule (DSA005)
+ *
+ * Detects common dev-only or unnecessary packages left in production images.
+ * Categories:
+ *   - Build tools: build-essential, gcc, g++, make, cmake, etc.
+ *   - Editors: vim, nano, emacs, vi
+ *   - Debug/network tools: curl, wget, telnet, netcat, strace, gdb
+ *   - Documentation: man, man-db, manpages
+ *   - Version control: git, subversion
+ *
+ * These packages inflate image size and increase attack surface.
+ *
+ * Severity: MEDIUM — not as critical as cache cleanup but still impactful.
+ * Estimated savings: ~5MB per flagged package (conservative heuristic).
+ */
+import type { Rule } from '../types.js';
+/**
+ * Extract installed package names from a RUN command.
+ * Handles apt-get install, apk add, yum install, dnf install.
+ */
+export declare function extractInstalledPackages(command: string): string[];
+export declare const unnecessaryPackagesRule: Rule;

package/build/rules/unnecessary-packages.js

@@ -0,0 +1,184 @@
+/**
+ * Unnecessary Packages Rule (DSA005)
+ *
+ * Detects common dev-only or unnecessary packages left in production images.
+ * Categories:
+ *   - Build tools: build-essential, gcc, g++, make, cmake, etc.
+ *   - Editors: vim, nano, emacs, vi
+ *   - Debug/network tools: curl, wget, telnet, netcat, strace, gdb
+ *   - Documentation: man, man-db, manpages
+ *   - Version control: git, subversion
+ *
+ * These packages inflate image size and increase attack surface.
+ *
+ * Severity: MEDIUM — not as critical as cache cleanup but still impactful.
+ * Estimated savings: ~5MB per flagged package (conservative heuristic).
+ */
+/** Estimated bytes per unnecessary package (~5MB average) */
+const BYTES_PER_PACKAGE = 5 * 1024 * 1024;
+const PACKAGE_CATEGORIES = [
+    {
+        label: 'build tools',
+        packages: [
+            'build-essential', 'gcc', 'g++', 'make', 'cmake', 'autoconf',
+            'automake', 'libtool', 'pkg-config', 'cpp', 'dpkg-dev',
+        ],
+        savingsMultiplier: 3, // build tools are large (~15MB each)
+    },
+    {
+        label: 'editors',
+        packages: ['vim', 'vim-tiny', 'nano', 'emacs', 'emacs-nox', 'ed'],
+        savingsMultiplier: 1,
+    },
+    {
+        label: 'debug/network utilities',
+        packages: [
+            'curl', 'wget', 'telnet', 'netcat', 'netcat-openbsd', 'net-tools',
+            'strace', 'ltrace', 'gdb', 'tcpdump', 'iputils-ping', 'dnsutils',
+            'traceroute', 'nmap', 'socat', 'iproute2',
+        ],
+        savingsMultiplier: 1,
+    },
+    {
+        label: 'documentation',
+        packages: ['man', 'man-db', 'manpages', 'manpages-dev', 'info'],
+        savingsMultiplier: 1,
+    },
+    {
+        label: 'version control',
+        packages: ['git', 'subversion', 'mercurial', 'bzr'],
+        savingsMultiplier: 2, // git is ~10MB
+    },
+    {
+        label: 'dev libraries',
+        packages: [
+            'libssl-dev', 'libffi-dev', 'zlib1g-dev', 'libreadline-dev',
+            'libyaml-dev', 'libxml2-dev', 'libxslt1-dev', 'python3-dev',
+            'python3-pip', 'ruby-dev', 'default-jdk',
+        ],
+        savingsMultiplier: 2,
+    },
+];
+/** Build a lookup map: package name -> category for fast detection */
+function buildPackageLookup() {
+    const lookup = new Map();
+    for (const cat of PACKAGE_CATEGORIES) {
+        for (const pkg of cat.packages) {
+            lookup.set(pkg, cat);
+        }
+    }
+    return lookup;
+}
+const PACKAGE_LOOKUP = buildPackageLookup();
+/** Regex to match apt-get install or apk add commands */
+const APT_INSTALL_RE = /apt-get\s+(?:-\S+\s+)*install\s+(?:-\S+\s+)*/i;
+const APK_ADD_RE = /apk\s+(?:--\S+\s+)*add\s+(?:--\S+\s+)*/i;
+const YUM_INSTALL_RE = /yum\s+(?:-\S+\s+)*install\s+(?:-\S+\s+)*/i;
+const DNF_INSTALL_RE = /dnf\s+(?:-\S+\s+)*install\s+(?:-\S+\s+)*/i;
+/** Check if a RUN command removes the package later (e.g., apt-get remove/purge) */
+function hasPackageRemoval(command, pkg) {
+    // apt-get remove/purge, apk del, yum/dnf remove/erase
+    const removePatterns = [
+        new RegExp(`apt-get\\s+(?:remove|purge)\\s+[^&]*\\b${escapeRegex(pkg)}\\b`, 'i'),
+        new RegExp(`apk\\s+del\\s+[^&]*\\b${escapeRegex(pkg)}\\b`, 'i'),
+        new RegExp(`(?:yum|dnf)\\s+(?:remove|erase)\\s+[^&]*\\b${escapeRegex(pkg)}\\b`, 'i'),
+    ];
+    return removePatterns.some(re => re.test(command));
+}
+/** Escape regex special characters */
+function escapeRegex(str) {
+    return str.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}
+/**
+ * Extract installed package names from a RUN command.
+ * Handles apt-get install, apk add, yum install, dnf install.
+ */
+export function extractInstalledPackages(command) {
+    const packages = [];
+    const matchers = [APT_INSTALL_RE, APK_ADD_RE, YUM_INSTALL_RE, DNF_INSTALL_RE];
+    for (const matcher of matchers) {
+        const match = command.match(matcher);
+        if (!match)
+            continue;
+        // Get text after the install command until next && or end
+        const afterInstall = command.slice(match.index + match[0].length);
+        // Split on && to isolate just the install portion
+        const installPortion = afterInstall.split(/&&/)[0];
+        // Extract tokens that look like package names (not flags)
+        const tokens = installPortion.split(/\s+/).filter(t => t.length > 0 &&
+            !t.startsWith('-') &&
+            !t.startsWith('/') &&
+            !t.startsWith('$') &&
+            !t.includes('=') &&
+            t !== '\\' &&
+            !/^[|;>&]/.test(t));
+        packages.push(...tokens);
+    }
+    return packages;
+}
+export const unnecessaryPackagesRule = {
+    id: 'DSA005',
+    name: 'unnecessary-packages',
+    description: 'Detects dev-only or unnecessary packages left in production images',
+    evaluate(instructions, _context) {
+        const recommendations = [];
+        const runInstructions = instructions.filter((i) => i.type === 'RUN');
+        // Collect all commands to check for later removal across RUN layers
+        const allCommands = runInstructions.map(r => r.command).join(' && ');
+        for (const run of runInstructions) {
+            const installed = extractInstalledPackages(run.command);
+            /** Group detected packages by category for a single recommendation per category */
+            const detectedByCategory = new Map();
+            for (const pkg of installed) {
+                const category = PACKAGE_LOOKUP.get(pkg);
+                if (!category)
+                    continue;
+                // Skip if the package is removed later in the same or another RUN
+                if (hasPackageRemoval(allCommands, pkg))
+                    continue;
+                const key = category.label;
+                if (!detectedByCategory.has(key)) {
+                    detectedByCategory.set(key, { category, packages: [] });
+                }
+                detectedByCategory.get(key).packages.push(pkg);
+            }
+            // Emit one recommendation per category per RUN instruction
+            for (const [, { category, packages: pkgs }] of detectedByCategory) {
+                const pkgList = pkgs.join(', ');
+                const savings = pkgs.length * BYTES_PER_PACKAGE * category.savingsMultiplier;
+                recommendations.push({
+                    ruleId: 'DSA005',
+                    severity: 'MEDIUM',
+                    line: run.line,
+                    title: `Unnecessary ${category.label} in production image`,
+                    description: `Found ${category.label} package(s) [${pkgList}] installed but not removed. ` +
+                        'These add size and attack surface in production. ' +
+                        'Remove them after build steps or use a multi-stage build.',
+                    fix: buildFix(run, pkgs),
+                    estimatedSavingsBytes: savings,
+                });
+            }
+        }
+        return recommendations;
+    },
+};
+/** Build fix suggestion: append apt-get purge / apk del for the packages */
+function buildFix(run, packages) {
+    const cmd = run.command.trim();
+    const pkgList = packages.join(' ');
+    if (/apt-get/i.test(cmd)) {
+        return `RUN ${cmd} && \\\n    apt-get purge -y --auto-remove ${pkgList} && \\\n    rm -rf /var/lib/apt/lists/*`;
+    }
+    if (/apk/i.test(cmd)) {
+        return `RUN ${cmd} && \\\n    apk del ${pkgList}`;
+    }
+    if (/yum/i.test(cmd)) {
+        return `RUN ${cmd} && \\\n    yum remove -y ${pkgList} && yum clean all`;
+    }
+    if (/dnf/i.test(cmd)) {
+        return `RUN ${cmd} && \\\n    dnf remove -y ${pkgList} && dnf clean all`;
+    }
+    // Fallback: generic suggestion
+    return `RUN ${cmd}\n# TODO: Remove unnecessary packages: ${pkgList}`;
+}
+//# sourceMappingURL=unnecessary-packages.js.map

package/build/rules/unnecessary-packages.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"unnecessary-packages.js","sourceRoot":"","sources":["../../src/rules/unnecessary-packages.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAIH,6DAA6D;AAC7D,MAAM,iBAAiB,GAAG,CAAC,GAAG,IAAI,GAAG,IAAI,CAAC;AAS1C,MAAM,kBAAkB,GAAsB;IAC5C;QACE,KAAK,EAAE,aAAa;QACpB,QAAQ,EAAE;YACR,iBAAiB,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,UAAU;YAC5D,UAAU,EAAE,SAAS,EAAE,YAAY,EAAE,KAAK,EAAE,UAAU;SACvD;QACD,iBAAiB,EAAE,CAAC,EAAE,qCAAqC;KAC5D;IACD;QACE,KAAK,EAAE,SAAS;QAChB,QAAQ,EAAE,CAAC,KAAK,EAAE,UAAU,EAAE,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE,IAAI,CAAC;QACjE,iBAAiB,EAAE,CAAC;KACrB;IACD;QACE,KAAK,EAAE,yBAAyB;QAChC,QAAQ,EAAE;YACR,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,gBAAgB,EAAE,WAAW;YACjE,QAAQ,EAAE,QAAQ,EAAE,KAAK,EAAE,SAAS,EAAE,cAAc,EAAE,UAAU;YAChE,YAAY,EAAE,MAAM,EAAE,OAAO,EAAE,UAAU;SAC1C;QACD,iBAAiB,EAAE,CAAC;KACrB;IACD;QACE,KAAK,EAAE,eAAe;QACtB,QAAQ,EAAE,CAAC,KAAK,EAAE,QAAQ,EAAE,UAAU,EAAE,cAAc,EAAE,MAAM,CAAC;QAC/D,iBAAiB,EAAE,CAAC;KACrB;IACD;QACE,KAAK,EAAE,iBAAiB;QACxB,QAAQ,EAAE,CAAC,KAAK,EAAE,YAAY,EAAE,WAAW,EAAE,KAAK,CAAC;QACnD,iBAAiB,EAAE,CAAC,EAAE,eAAe;KACtC;IACD;QACE,KAAK,EAAE,eAAe;QACtB,QAAQ,EAAE;YACR,YAAY,EAAE,YAAY,EAAE,YAAY,EAAE,iBAAiB;YAC3D,aAAa,EAAE,aAAa,EAAE,cAAc,EAAE,aAAa;YAC3D,aAAa,EAAE,UAAU,EAAE,aAAa;SACzC;QACD,iBAAiB,EAAE,CAAC;KACrB;CACF,CAAC;AAEF,sEAAsE;AACtE,SAAS,kBAAkB;IACzB,MAAM,MAAM,GAAG,IAAI,GAAG,EAA2B,CAAC;IAClD,KAAK,MAAM,GAAG,IAAI,kBAAkB,EAAE,CAAC;QACrC,KAAK,MAAM,GAAG,IAAI,GAAG,CAAC,QAAQ,EAAE,CAAC;YAC/B,MAAM,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;QACvB,CAAC;IACH,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,MAAM,cAAc,GAAG,kBAAkB,EAAE,CAAC;AAE5C,yDAAyD;AACzD,MAAM,cAAc,GAAG,+CAA+C,CAAC;AACvE,MAAM,UAAU,GAAG,yCAAyC,CAAC;AAC7D,MAAM,cAAc,GAAG,2CAA2C,CAAC;AACnE,MAAM,cAAc,GAAG,2CAA2C,CAAC;AAEnE,oFAAoF;AACpF,SAAS,iBAAiB,CAAC,OAAe,EAAE,GAAW;IACrD,sDAAsD;IACtD,MAAM,cAAc,GAAG;QACrB,IAAI,MAAM,CAAC,0CAA0C,WAAW,CAAC,GAAG,CAAC,KAAK,EAAE,GAAG,CAAC;QAChF,IAAI,MAAM,CAAC,yBAAyB,WAAW,CAAC,GAAG,CAAC,KAAK,EAAE,GAAG,CAAC;QAC/D,IAAI,MAAM,CAAC,8CAA8C,WAAW,CAAC,GAAG,CAAC,KAAK,EAAE,GAAG,CAAC;KACrF,CAAC;IACF,OAAO,cAAc,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC;AACrD,CAAC;AAED,sCAAsC;AACtC,SAAS,WAAW,CAAC,GAAW;IAC9B,OAAO,GAAG,CAAC,OAAO,CAAC,qBAAqB,EAAE,MAAM,CAAC,CAAC;AACpD,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,wBAAwB,CAAC,OAAe;IACtD,MAAM,QAAQ,GAAa,EAAE,CAAC;IAC9B,MAAM,QAAQ,GAAG,CAAC,cAAc,EAAE,UAAU,EAAE,cAAc,EAAE,cAAc,CAAC,CAAC;IAE9E,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QACrC,IAAI,CAAC,KAAK;YAAE,SAAS;QAErB,0DAA0D;QAC1D,MAAM,YAAY,GAAG,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,KAAM,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;QACnE,kDAAkD;QAClD,MAAM,cAAc,GAAG,YAAY,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;QAEnD,0DAA0D;QAC1D,MAAM,MAAM,GAAG,cAAc,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CACpD,CAAC,CAAC,MAAM,GAAG,CAAC;YACZ,CAAC,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC;YAClB,CAAC,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC;YAClB,CAAC,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC;YAClB,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC;YAChB,CAAC,KAAK,IAAI;YACV,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,CACnB,CAAC;QAEF,QAAQ,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,CAAC;IAC3B,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,MAAM,CAAC,MAAM,uBAAuB,GAAS;IAC3C,EAAE,EAAE,QAAQ;IACZ,IAAI,EAAE,sBAAsB;IAC5B,WAAW,EAAE,oEAAoE;IAEjF,QAAQ,CAAC,YAA2B,EAAE,QAAqB;QACzD,MAAM,eAAe,GAAqB,EAAE,CAAC;QAE7C,MAAM,eAAe,GAAG,YAAY,CAAC,MAAM,CACzC,CAAC,CAAC,EAAuB,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,KAAK,CAC7C,CAAC;QAEF,oEAAoE;QACpE,MAAM,WAAW,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAErE,KAAK,MAAM,GAAG,IAAI,eAAe,EAAE,CAAC;YAClC,MAAM,SAAS,GAAG,wBAAwB,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;YACxD,mFAAmF;YACnF,MAAM,kBAAkB,GAAG,IAAI,GAAG,EAA6D,CAAC;YAEhG,KAAK,MAAM,GAAG,IAAI,SAAS,EAAE,CAAC;gBAC5B,MAAM,QAAQ,GAAG,cAAc,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;gBACzC,IAAI,CAAC,QAAQ;oBAAE,SAAS;gBAExB,kEAAkE;gBAClE,IAAI,iBAAiB,CAAC,WAAW,EAAE,GAAG,CAAC;oBAAE,SAAS;gBAElD,MAAM,GAAG,GAAG,QAAQ,CAAC,KAAK,CAAC;gBAC3B,IAAI,CAAC,kBAAkB,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;oBACjC,kBAAkB,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,QAAQ,EAAE,QAAQ,EAAE,EAAE,EAAE,CAAC,CAAC;gBAC1D,CAAC;gBACD,kBAAkB,CAAC,GAAG,CAAC,GAAG,CAAE,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YAClD,CAAC;YAED,2DAA2D;YAC3D,KAAK,MAAM,CAAC,EAAE,EAAE,QAAQ,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,IAAI,kBAAkB,EAAE,CAAC;gBAClE,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBAChC,MAAM,OAAO,GAAG,IAAI,CAAC,MAAM,GAAG,iBAAiB,GAAG,QAAQ,CAAC,iBAAiB,CAAC;gBAE7E,eAAe,CAAC,IAAI,CAAC;oBACnB,MAAM,EAAE,QAAQ;oBAChB,QAAQ,EAAE,QAAQ;oBAClB,IAAI,EAAE,GAAG,CAAC,IAAI;oBACd,KAAK,EAAE,eAAe,QAAQ,CAAC,KAAK,sBAAsB;oBAC1D,WAAW,EACT,SAAS,QAAQ,CAAC,KAAK,gBAAgB,OAAO,+BAA+B;wBAC7E,mDAAmD;wBACnD,2DAA2D;oBAC7D,GAAG,EAAE,QAAQ,CAAC,GAAG,EAAE,IAAI,CAAC;oBACxB,qBAAqB,EAAE,OAAO;iBAC/B,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO,eAAe,CAAC;IACzB,CAAC;CACF,CAAC;AAEF,4EAA4E;AAC5E,SAAS,QAAQ,CAAC,GAAmB,EAAE,QAAkB;IACvD,MAAM,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;IAC/B,MAAM,OAAO,GAAG,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAEnC,IAAI,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QACzB,OAAO,OAAO,GAAG,8CAA8C,OAAO,yCAAyC,CAAC;IAClH,CAAC;IACD,IAAI,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QACrB,OAAO,OAAO,GAAG,uBAAuB,OAAO,EAAE,CAAC;IACpD,CAAC;IACD,IAAI,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QACrB,OAAO,OAAO,GAAG,6BAA6B,OAAO,mBAAmB,CAAC;IAC3E,CAAC;IACD,IAAI,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QACrB,OAAO,OAAO,GAAG,6BAA6B,OAAO,mBAAmB,CAAC;IAC3E,CAAC;IAED,+BAA+B;IAC/B,OAAO,OAAO,GAAG,0CAA0C,OAAO,EAAE,CAAC;AACvE,CAAC"}

package/build/severity-filter.d.ts

@@ -0,0 +1,22 @@
+/**
+ * Severity filtering utilities shared across CLI, exit codes, and formatters.
+ *
+ * Provides a single source of truth for severity ranking and filtering
+ * so that --severity flag, exit code logic, and output formatters all
+ * use consistent behavior.
+ */
+import type { Recommendation, Severity } from './types.js';
+/** Valid severity level strings (uppercase) */
+export declare const SEVERITY_LEVELS: readonly Severity[];
+/** Severity ranking for comparison (higher number = more severe) */
+export declare const SEVERITY_RANK: Record<Severity, number>;
+/**
+ * Check whether a string is a valid Severity level (case-insensitive).
+ */
+export declare function isValidSeverity(value: string): value is Severity;
+/**
+ * Filter recommendations to only those at or above the minimum severity.
+ *
+ * Example: minSeverity='MEDIUM' keeps MEDIUM and HIGH, drops LOW.
+ */
+export declare function filterBySeverity(recommendations: Recommendation[], minSeverity: Severity): Recommendation[];

package/build/severity-filter.js

@@ -0,0 +1,31 @@
+/**
+ * Severity filtering utilities shared across CLI, exit codes, and formatters.
+ *
+ * Provides a single source of truth for severity ranking and filtering
+ * so that --severity flag, exit code logic, and output formatters all
+ * use consistent behavior.
+ */
+/** Valid severity level strings (uppercase) */
+export const SEVERITY_LEVELS = ['LOW', 'MEDIUM', 'HIGH'];
+/** Severity ranking for comparison (higher number = more severe) */
+export const SEVERITY_RANK = {
+    LOW: 0,
+    MEDIUM: 1,
+    HIGH: 2,
+};
+/**
+ * Check whether a string is a valid Severity level (case-insensitive).
+ */
+export function isValidSeverity(value) {
+    return SEVERITY_LEVELS.includes(value.toUpperCase());
+}
+/**
+ * Filter recommendations to only those at or above the minimum severity.
+ *
+ * Example: minSeverity='MEDIUM' keeps MEDIUM and HIGH, drops LOW.
+ */
+export function filterBySeverity(recommendations, minSeverity) {
+    const minRank = SEVERITY_RANK[minSeverity];
+    return recommendations.filter((r) => SEVERITY_RANK[r.severity] >= minRank);
+}
+//# sourceMappingURL=severity-filter.js.map

package/build/severity-filter.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"severity-filter.js","sourceRoot":"","sources":["../src/severity-filter.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH,+CAA+C;AAC/C,MAAM,CAAC,MAAM,eAAe,GAAwB,CAAC,KAAK,EAAE,QAAQ,EAAE,MAAM,CAAU,CAAC;AAEvF,oEAAoE;AACpE,MAAM,CAAC,MAAM,aAAa,GAA6B;IACrD,GAAG,EAAE,CAAC;IACN,MAAM,EAAE,CAAC;IACT,IAAI,EAAE,CAAC;CACR,CAAC;AAEF;;GAEG;AACH,MAAM,UAAU,eAAe,CAAC,KAAa;IAC3C,OAAO,eAAe,CAAC,QAAQ,CAAC,KAAK,CAAC,WAAW,EAAc,CAAC,CAAC;AACnE,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,gBAAgB,CAC9B,eAAiC,EACjC,WAAqB;IAErB,MAAM,OAAO,GAAG,aAAa,CAAC,WAAW,CAAC,CAAC;IAC3C,OAAO,eAAe,CAAC,MAAM,CAC3B,CAAC,CAAC,EAAE,EAAE,CAAC,aAAa,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,OAAO,CAC5C,CAAC;AACJ,CAAC"}

package/build/size-estimator.d.ts

@@ -0,0 +1,35 @@
+/**
+ * Size prediction engine — estimates Before/After image sizes from parsed
+ * Dockerfile instructions using base image DB lookups + layer heuristics.
+ *
+ * Strategy:
+ * - Base image: direct DB lookup via getImageSize()
+ * - RUN layers: heuristic by command type (apt install, pip, npm, etc.)
+ * - COPY/ADD: rough estimates based on source patterns
+ * - After: subtract recommendation savings from before estimate
+ */
+import type { Instruction, Recommendation } from './types.js';
+/** Estimated savings from cache cleanup (apt-get clean, etc.) */
+export declare const APT_CACHE_CLEANUP_SAVINGS = 30000000;
+export declare const APK_CACHE_CLEANUP_SAVINGS = 10000000;
+export interface SizeEstimate {
+    baseImageBytes: number;
+    layerBytes: number;
+    totalBytes: number;
+}
+/**
+ * Estimate the "before" (current) image size from parsed instructions.
+ */
+export declare function estimateBeforeSize(instructions: Instruction[], getImageSizeFn: (image: string, tag: string) => number | undefined): SizeEstimate;
+/**
+ * Estimate the "after" (optimized) image size by subtracting recommendation savings.
+ * If a base-image swap recommendation exists, uses the alternative base size.
+ */
+export declare function estimateAfterSize(beforeSize: SizeEstimate, recommendations: Recommendation[], newBaseImageBytes?: number): SizeEstimate;
+/** Calculate size reduction percentage (0 if beforeBytes is 0) */
+export declare function calcSizeReductionPercent(beforeBytes: number, afterBytes: number): number;
+/**
+ * Estimate cache cleanup savings for a RUN command string.
+ * Used by optimization rules to populate estimatedSavingsBytes.
+ */
+export declare function estimateCacheCleanupSavings(command: string): number;