@opensip-cli/checks-universal 0.1.0
- package/LICENSE +202 -0
- package/NOTICE +8 -0
- package/README.md +31 -0
- package/dist/__tests__/all-checks-execute.test.d.ts +17 -0
- package/dist/__tests__/all-checks-execute.test.d.ts.map +1 -0
- package/dist/__tests__/all-checks-execute.test.js +452 -0
- package/dist/__tests__/all-checks-execute.test.js.map +1 -0
- package/dist/__tests__/behavior-fixtures-10.test.d.ts +8 -0
- package/dist/__tests__/behavior-fixtures-10.test.d.ts.map +1 -0
- package/dist/__tests__/behavior-fixtures-10.test.js +200 -0
- package/dist/__tests__/behavior-fixtures-10.test.js.map +1 -0
- package/dist/__tests__/behavior-fixtures-11.test.d.ts +8 -0
- package/dist/__tests__/behavior-fixtures-11.test.d.ts.map +1 -0
- package/dist/__tests__/behavior-fixtures-11.test.js +120 -0
- package/dist/__tests__/behavior-fixtures-11.test.js.map +1 -0
- package/dist/__tests__/behavior-fixtures-12.test.d.ts +8 -0
- package/dist/__tests__/behavior-fixtures-12.test.d.ts.map +1 -0
- package/dist/__tests__/behavior-fixtures-12.test.js +157 -0
- package/dist/__tests__/behavior-fixtures-12.test.js.map +1 -0
- package/dist/__tests__/behavior-fixtures-2.test.d.ts +8 -0
- package/dist/__tests__/behavior-fixtures-2.test.d.ts.map +1 -0
- package/dist/__tests__/behavior-fixtures-2.test.js +785 -0
- package/dist/__tests__/behavior-fixtures-2.test.js.map +1 -0
- package/dist/__tests__/behavior-fixtures-3.test.d.ts +6 -0
- package/dist/__tests__/behavior-fixtures-3.test.d.ts.map +1 -0
- package/dist/__tests__/behavior-fixtures-3.test.js +663 -0
- package/dist/__tests__/behavior-fixtures-3.test.js.map +1 -0
- package/dist/__tests__/behavior-fixtures-4.test.d.ts +5 -0
- package/dist/__tests__/behavior-fixtures-4.test.d.ts.map +1 -0
- package/dist/__tests__/behavior-fixtures-4.test.js +612 -0
- package/dist/__tests__/behavior-fixtures-4.test.js.map +1 -0
- package/dist/__tests__/behavior-fixtures-5.test.d.ts +5 -0
- package/dist/__tests__/behavior-fixtures-5.test.d.ts.map +1 -0
- package/dist/__tests__/behavior-fixtures-5.test.js +469 -0
- package/dist/__tests__/behavior-fixtures-5.test.js.map +1 -0
- package/dist/__tests__/behavior-fixtures-6.test.d.ts +8 -0
- package/dist/__tests__/behavior-fixtures-6.test.d.ts.map +1 -0
- package/dist/__tests__/behavior-fixtures-6.test.js +591 -0
- package/dist/__tests__/behavior-fixtures-6.test.js.map +1 -0
- package/dist/__tests__/behavior-fixtures-7.test.d.ts +5 -0
- package/dist/__tests__/behavior-fixtures-7.test.d.ts.map +1 -0
- package/dist/__tests__/behavior-fixtures-7.test.js +662 -0
- package/dist/__tests__/behavior-fixtures-7.test.js.map +1 -0
- package/dist/__tests__/behavior-fixtures-8.test.d.ts +11 -0
- package/dist/__tests__/behavior-fixtures-8.test.d.ts.map +1 -0
- package/dist/__tests__/behavior-fixtures-8.test.js +634 -0
- package/dist/__tests__/behavior-fixtures-8.test.js.map +1 -0
- package/dist/__tests__/behavior-fixtures-9.test.d.ts +11 -0
- package/dist/__tests__/behavior-fixtures-9.test.d.ts.map +1 -0
- package/dist/__tests__/behavior-fixtures-9.test.js +271 -0
- package/dist/__tests__/behavior-fixtures-9.test.js.map +1 -0
- package/dist/__tests__/behavior-fixtures.test.d.ts +14 -0
- package/dist/__tests__/behavior-fixtures.test.d.ts.map +1 -0
- package/dist/__tests__/behavior-fixtures.test.js +1423 -0
- package/dist/__tests__/behavior-fixtures.test.js.map +1 -0
- package/dist/__tests__/checks.test.d.ts +2 -0
- package/dist/__tests__/checks.test.d.ts.map +1 -0
- package/dist/__tests__/checks.test.js +61 -0
- package/dist/__tests__/checks.test.js.map +1 -0
- package/dist/__tests__/env-var-validation.test.d.ts +14 -0
- package/dist/__tests__/env-var-validation.test.d.ts.map +1 -0
- package/dist/__tests__/env-var-validation.test.js +53 -0
- package/dist/__tests__/env-var-validation.test.js.map +1 -0
- package/dist/__tests__/file-length-limit.test.d.ts +2 -0
- package/dist/__tests__/file-length-limit.test.d.ts.map +1 -0
- package/dist/__tests__/file-length-limit.test.js +29 -0
- package/dist/__tests__/file-length-limit.test.js.map +1 -0
- package/dist/__tests__/fixture-coverage.allowlist.d.ts +18 -0
- package/dist/__tests__/fixture-coverage.allowlist.d.ts.map +1 -0
- package/dist/__tests__/fixture-coverage.allowlist.js +35 -0
- package/dist/__tests__/fixture-coverage.allowlist.js.map +1 -0
- package/dist/__tests__/fixture-coverage.test.d.ts +13 -0
- package/dist/__tests__/fixture-coverage.test.d.ts.map +1 -0
- package/dist/__tests__/fixture-coverage.test.js +57 -0
- package/dist/__tests__/fixture-coverage.test.js.map +1 -0
- package/dist/__tests__/iic.test.d.ts +15 -0
- package/dist/__tests__/iic.test.d.ts.map +1 -0
- package/dist/__tests__/iic.test.js +316 -0
- package/dist/__tests__/iic.test.js.map +1 -0
- package/dist/__tests__/no-skipped-tests.test.d.ts +14 -0
- package/dist/__tests__/no-skipped-tests.test.d.ts.map +1 -0
- package/dist/__tests__/no-skipped-tests.test.js +144 -0
- package/dist/__tests__/no-skipped-tests.test.js.map +1 -0
- package/dist/__tests__/no-todo-comments.test.d.ts +2 -0
- package/dist/__tests__/no-todo-comments.test.d.ts.map +1 -0
- package/dist/__tests__/no-todo-comments.test.js +31 -0
- package/dist/__tests__/no-todo-comments.test.js.map +1 -0
- package/dist/__tests__/no-unimplemented-markers.test.d.ts +2 -0
- package/dist/__tests__/no-unimplemented-markers.test.d.ts.map +1 -0
- package/dist/__tests__/no-unimplemented-markers.test.js +140 -0
- package/dist/__tests__/no-unimplemented-markers.test.js.map +1 -0
- package/dist/__tests__/public-api-jsdoc-scope.test.d.ts +10 -0
- package/dist/__tests__/public-api-jsdoc-scope.test.d.ts.map +1 -0
- package/dist/__tests__/public-api-jsdoc-scope.test.js +176 -0
- package/dist/__tests__/public-api-jsdoc-scope.test.js.map +1 -0
- package/dist/__tests__/resilience-fp.test.d.ts +14 -0
- package/dist/__tests__/resilience-fp.test.d.ts.map +1 -0
- package/dist/__tests__/resilience-fp.test.js +110 -0
- package/dist/__tests__/resilience-fp.test.js.map +1 -0
- package/dist/checks/architecture/__tests__/no-kebab-option-indexing.test.d.ts +2 -0
- package/dist/checks/architecture/__tests__/no-kebab-option-indexing.test.d.ts.map +1 -0
- package/dist/checks/architecture/__tests__/no-kebab-option-indexing.test.js +32 -0
- package/dist/checks/architecture/__tests__/no-kebab-option-indexing.test.js.map +1 -0
- package/dist/checks/architecture/__tests__/tool-has-manifest.test.d.ts +2 -0
- package/dist/checks/architecture/__tests__/tool-has-manifest.test.d.ts.map +1 -0
- package/dist/checks/architecture/__tests__/tool-has-manifest.test.js +152 -0
- package/dist/checks/architecture/__tests__/tool-has-manifest.test.js.map +1 -0
- package/dist/checks/architecture/__tests__/vitest-config-required-with-tests.test.d.ts +2 -0
- package/dist/checks/architecture/__tests__/vitest-config-required-with-tests.test.d.ts.map +1 -0
- package/dist/checks/architecture/__tests__/vitest-config-required-with-tests.test.js +129 -0
- package/dist/checks/architecture/__tests__/vitest-config-required-with-tests.test.js.map +1 -0
- package/dist/checks/architecture/_yaml-doc-bindings.d.ts +23 -0
- package/dist/checks/architecture/_yaml-doc-bindings.d.ts.map +1 -0
- package/dist/checks/architecture/_yaml-doc-bindings.js +29 -0
- package/dist/checks/architecture/_yaml-doc-bindings.js.map +1 -0
- package/dist/checks/architecture/dependencies/index.d.ts +2 -0
- package/dist/checks/architecture/dependencies/index.d.ts.map +1 -0
- package/dist/checks/architecture/dependencies/index.js +2 -0
- package/dist/checks/architecture/dependencies/index.js.map +1 -0
- package/dist/checks/architecture/dependencies/no-duplicate-packages.d.ts +11 -0
- package/dist/checks/architecture/dependencies/no-duplicate-packages.d.ts.map +1 -0
- package/dist/checks/architecture/dependencies/no-duplicate-packages.js +171 -0
- package/dist/checks/architecture/dependencies/no-duplicate-packages.js.map +1 -0
- package/dist/checks/architecture/docker-best-practices.d.ts +23 -0
- package/dist/checks/architecture/docker-best-practices.d.ts.map +1 -0
- package/dist/checks/architecture/docker-best-practices.js +427 -0
- package/dist/checks/architecture/docker-best-practices.js.map +1 -0
- package/dist/checks/architecture/docker-ignore-validation.d.ts +18 -0
- package/dist/checks/architecture/docker-ignore-validation.d.ts.map +1 -0
- package/dist/checks/architecture/docker-ignore-validation.js +117 -0
- package/dist/checks/architecture/docker-ignore-validation.js.map +1 -0
- package/dist/checks/architecture/docker-version-sync.d.ts +16 -0
- package/dist/checks/architecture/docker-version-sync.d.ts.map +1 -0
- package/dist/checks/architecture/docker-version-sync.js +193 -0
- package/dist/checks/architecture/docker-version-sync.js.map +1 -0
- package/dist/checks/architecture/env-var-validation.d.ts +14 -0
- package/dist/checks/architecture/env-var-validation.d.ts.map +1 -0
- package/dist/checks/architecture/env-var-validation.js +289 -0
- package/dist/checks/architecture/env-var-validation.js.map +1 -0
- package/dist/checks/architecture/heavy-import-detection.d.ts +11 -0
- package/dist/checks/architecture/heavy-import-detection.d.ts.map +1 -0
- package/dist/checks/architecture/heavy-import-detection.js +91 -0
- package/dist/checks/architecture/heavy-import-detection.js.map +1 -0
- package/dist/checks/architecture/index.d.ts +16 -0
- package/dist/checks/architecture/index.d.ts.map +1 -0
- package/dist/checks/architecture/index.js +16 -0
- package/dist/checks/architecture/index.js.map +1 -0
- package/dist/checks/architecture/modules/empty-package-detection.d.ts +11 -0
- package/dist/checks/architecture/modules/empty-package-detection.d.ts.map +1 -0
- package/dist/checks/architecture/modules/empty-package-detection.js +277 -0
- package/dist/checks/architecture/modules/empty-package-detection.js.map +1 -0
- package/dist/checks/architecture/modules/index.d.ts +3 -0
- package/dist/checks/architecture/modules/index.d.ts.map +1 -0
- package/dist/checks/architecture/modules/index.js +3 -0
- package/dist/checks/architecture/modules/index.js.map +1 -0
- package/dist/checks/architecture/modules/interface-implementation-consistency.d.ts +12 -0
- package/dist/checks/architecture/modules/interface-implementation-consistency.d.ts.map +1 -0
- package/dist/checks/architecture/modules/interface-implementation-consistency.js +555 -0
- package/dist/checks/architecture/modules/interface-implementation-consistency.js.map +1 -0
- package/dist/checks/architecture/no-custom-event-emitter.d.ts +11 -0
- package/dist/checks/architecture/no-custom-event-emitter.d.ts.map +1 -0
- package/dist/checks/architecture/no-custom-event-emitter.js +123 -0
- package/dist/checks/architecture/no-custom-event-emitter.js.map +1 -0
- package/dist/checks/architecture/no-kebab-option-indexing.d.ts +33 -0
- package/dist/checks/architecture/no-kebab-option-indexing.d.ts.map +1 -0
- package/dist/checks/architecture/no-kebab-option-indexing.js +81 -0
- package/dist/checks/architecture/no-kebab-option-indexing.js.map +1 -0
- package/dist/checks/architecture/node-version-consistency.d.ts +22 -0
- package/dist/checks/architecture/node-version-consistency.d.ts.map +1 -0
- package/dist/checks/architecture/node-version-consistency.js +225 -0
- package/dist/checks/architecture/node-version-consistency.js.map +1 -0
- package/dist/checks/architecture/project-readme-existence.d.ts +13 -0
- package/dist/checks/architecture/project-readme-existence.d.ts.map +1 -0
- package/dist/checks/architecture/project-readme-existence.js +55 -0
- package/dist/checks/architecture/project-readme-existence.js.map +1 -0
- package/dist/checks/architecture/stale-build-artifacts.d.ts +10 -0
- package/dist/checks/architecture/stale-build-artifacts.d.ts.map +1 -0
- package/dist/checks/architecture/stale-build-artifacts.js +55 -0
- package/dist/checks/architecture/stale-build-artifacts.js.map +1 -0
- package/dist/checks/architecture/tool-has-manifest.d.ts +27 -0
- package/dist/checks/architecture/tool-has-manifest.d.ts.map +1 -0
- package/dist/checks/architecture/tool-has-manifest.js +135 -0
- package/dist/checks/architecture/tool-has-manifest.js.map +1 -0
- package/dist/checks/architecture/vitest-config-extends-base.d.ts +15 -0
- package/dist/checks/architecture/vitest-config-extends-base.d.ts.map +1 -0
- package/dist/checks/architecture/vitest-config-extends-base.js +104 -0
- package/dist/checks/architecture/vitest-config-extends-base.js.map +1 -0
- package/dist/checks/architecture/vitest-config-required-with-tests.d.ts +49 -0
- package/dist/checks/architecture/vitest-config-required-with-tests.d.ts.map +1 -0
- package/dist/checks/architecture/vitest-config-required-with-tests.js +199 -0
- package/dist/checks/architecture/vitest-config-required-with-tests.js.map +1 -0
- package/dist/checks/documentation/_directives/eslint.d.ts +9 -0
- package/dist/checks/documentation/_directives/eslint.d.ts.map +1 -0
- package/dist/checks/documentation/_directives/eslint.js +168 -0
- package/dist/checks/documentation/_directives/eslint.js.map +1 -0
- package/dist/checks/documentation/_directives/fitness.d.ts +9 -0
- package/dist/checks/documentation/_directives/fitness.d.ts.map +1 -0
- package/dist/checks/documentation/_directives/fitness.js +64 -0
- package/dist/checks/documentation/_directives/fitness.js.map +1 -0
- package/dist/checks/documentation/_directives/graph.d.ts +10 -0
- package/dist/checks/documentation/_directives/graph.d.ts.map +1 -0
- package/dist/checks/documentation/_directives/graph.js +65 -0
- package/dist/checks/documentation/_directives/graph.js.map +1 -0
- package/dist/checks/documentation/_directives/graph.test.d.ts +2 -0
- package/dist/checks/documentation/_directives/graph.test.d.ts.map +1 -0
- package/dist/checks/documentation/_directives/graph.test.js +54 -0
- package/dist/checks/documentation/_directives/graph.test.js.map +1 -0
- package/dist/checks/documentation/_directives/semgrep.d.ts +8 -0
- package/dist/checks/documentation/_directives/semgrep.d.ts.map +1 -0
- package/dist/checks/documentation/_directives/semgrep.js +72 -0
- package/dist/checks/documentation/_directives/semgrep.js.map +1 -0
- package/dist/checks/documentation/_directives/types.d.ts +21 -0
- package/dist/checks/documentation/_directives/types.d.ts.map +1 -0
- package/dist/checks/documentation/_directives/types.js +9 -0
- package/dist/checks/documentation/_directives/types.js.map +1 -0
- package/dist/checks/documentation/_directives/typescript.d.ts +10 -0
- package/dist/checks/documentation/_directives/typescript.d.ts.map +1 -0
- package/dist/checks/documentation/_directives/typescript.js +54 -0
- package/dist/checks/documentation/_directives/typescript.js.map +1 -0
- package/dist/checks/documentation/_public-api-graph.d.ts +30 -0
- package/dist/checks/documentation/_public-api-graph.d.ts.map +1 -0
- package/dist/checks/documentation/_public-api-graph.js +304 -0
- package/dist/checks/documentation/_public-api-graph.js.map +1 -0
- package/dist/checks/documentation/directive-audit.d.ts +26 -0
- package/dist/checks/documentation/directive-audit.d.ts.map +1 -0
- package/dist/checks/documentation/directive-audit.js +144 -0
- package/dist/checks/documentation/directive-audit.js.map +1 -0
- package/dist/checks/documentation/index.d.ts +3 -0
- package/dist/checks/documentation/index.d.ts.map +1 -0
- package/dist/checks/documentation/index.js +3 -0
- package/dist/checks/documentation/index.js.map +1 -0
- package/dist/checks/documentation/public-api-jsdoc.d.ts +10 -0
- package/dist/checks/documentation/public-api-jsdoc.d.ts.map +1 -0
- package/dist/checks/documentation/public-api-jsdoc.js +131 -0
- package/dist/checks/documentation/public-api-jsdoc.js.map +1 -0
- package/dist/checks/file-length-limit.d.ts +16 -0
- package/dist/checks/file-length-limit.d.ts.map +1 -0
- package/dist/checks/file-length-limit.js +47 -0
- package/dist/checks/file-length-limit.js.map +1 -0
- package/dist/checks/index.d.ts +16 -0
- package/dist/checks/index.d.ts.map +1 -0
- package/dist/checks/index.js +16 -0
- package/dist/checks/index.js.map +1 -0
- package/dist/checks/no-todo-comments.d.ts +18 -0
- package/dist/checks/no-todo-comments.d.ts.map +1 -0
- package/dist/checks/no-todo-comments.js +79 -0
- package/dist/checks/no-todo-comments.js.map +1 -0
- package/dist/checks/no-unimplemented-markers.d.ts +24 -0
- package/dist/checks/no-unimplemented-markers.d.ts.map +1 -0
- package/dist/checks/no-unimplemented-markers.js +198 -0
- package/dist/checks/no-unimplemented-markers.js.map +1 -0
- package/dist/checks/quality/api/graphql-offset-pagination.d.ts +9 -0
- package/dist/checks/quality/api/graphql-offset-pagination.d.ts.map +1 -0
- package/dist/checks/quality/api/graphql-offset-pagination.js +63 -0
- package/dist/checks/quality/api/graphql-offset-pagination.js.map +1 -0
- package/dist/checks/quality/api/index.d.ts +3 -0
- package/dist/checks/quality/api/index.d.ts.map +1 -0
- package/dist/checks/quality/api/index.js +3 -0
- package/dist/checks/quality/api/index.js.map +1 -0
- package/dist/checks/quality/api/zod-openapi-sync.d.ts +13 -0
- package/dist/checks/quality/api/zod-openapi-sync.d.ts.map +1 -0
- package/dist/checks/quality/api/zod-openapi-sync.js +88 -0
- package/dist/checks/quality/api/zod-openapi-sync.js.map +1 -0
- package/dist/checks/quality/code-structure/dead-code.d.ts +12 -0
- package/dist/checks/quality/code-structure/dead-code.d.ts.map +1 -0
- package/dist/checks/quality/code-structure/dead-code.js +238 -0
- package/dist/checks/quality/code-structure/dead-code.js.map +1 -0
- package/dist/checks/quality/code-structure/index.d.ts +5 -0
- package/dist/checks/quality/code-structure/index.d.ts.map +1 -0
- package/dist/checks/quality/code-structure/index.js +5 -0
- package/dist/checks/quality/code-structure/index.js.map +1 -0
- package/dist/checks/quality/code-structure/no-ai-attribution.d.ts +25 -0
- package/dist/checks/quality/code-structure/no-ai-attribution.d.ts.map +1 -0
- package/dist/checks/quality/code-structure/no-ai-attribution.js +76 -0
- package/dist/checks/quality/code-structure/no-ai-attribution.js.map +1 -0
- package/dist/checks/quality/code-structure/no-console-log.d.ts +17 -0
- package/dist/checks/quality/code-structure/no-console-log.d.ts.map +1 -0
- package/dist/checks/quality/code-structure/no-console-log.js +106 -0
- package/dist/checks/quality/code-structure/no-console-log.js.map +1 -0
- package/dist/checks/quality/code-structure/no-process-artifacts.d.ts +25 -0
- package/dist/checks/quality/code-structure/no-process-artifacts.d.ts.map +1 -0
- package/dist/checks/quality/code-structure/no-process-artifacts.js +104 -0
- package/dist/checks/quality/code-structure/no-process-artifacts.js.map +1 -0
- package/dist/checks/quality/dependency-version-consistency.d.ts +20 -0
- package/dist/checks/quality/dependency-version-consistency.d.ts.map +1 -0
- package/dist/checks/quality/dependency-version-consistency.js +266 -0
- package/dist/checks/quality/dependency-version-consistency.js.map +1 -0
- package/dist/checks/quality/fitness-ignore-hygiene.d.ts +10 -0
- package/dist/checks/quality/fitness-ignore-hygiene.d.ts.map +1 -0
- package/dist/checks/quality/fitness-ignore-hygiene.js +93 -0
- package/dist/checks/quality/fitness-ignore-hygiene.js.map +1 -0
- package/dist/checks/quality/frontend/expo-vector-icons.d.ts +13 -0
- package/dist/checks/quality/frontend/expo-vector-icons.d.ts.map +1 -0
- package/dist/checks/quality/frontend/expo-vector-icons.js +80 -0
- package/dist/checks/quality/frontend/expo-vector-icons.js.map +1 -0
- package/dist/checks/quality/frontend/image-optimization.d.ts +13 -0
- package/dist/checks/quality/frontend/image-optimization.d.ts.map +1 -0
- package/dist/checks/quality/frontend/image-optimization.js +166 -0
- package/dist/checks/quality/frontend/image-optimization.js.map +1 -0
- package/dist/checks/quality/frontend/index.d.ts +4 -0
- package/dist/checks/quality/frontend/index.d.ts.map +1 -0
- package/dist/checks/quality/frontend/index.js +4 -0
- package/dist/checks/quality/frontend/index.js.map +1 -0
- package/dist/checks/quality/frontend/navigation-typing.d.ts +12 -0
- package/dist/checks/quality/frontend/navigation-typing.d.ts.map +1 -0
- package/dist/checks/quality/frontend/navigation-typing.js +77 -0
- package/dist/checks/quality/frontend/navigation-typing.js.map +1 -0
- package/dist/checks/quality/graph-ignore-hygiene.d.ts +10 -0
- package/dist/checks/quality/graph-ignore-hygiene.d.ts.map +1 -0
- package/dist/checks/quality/graph-ignore-hygiene.js +95 -0
- package/dist/checks/quality/graph-ignore-hygiene.js.map +1 -0
- package/dist/checks/quality/graph-ignore-hygiene.test.d.ts +14 -0
- package/dist/checks/quality/graph-ignore-hygiene.test.d.ts.map +1 -0
- package/dist/checks/quality/graph-ignore-hygiene.test.js +58 -0
- package/dist/checks/quality/graph-ignore-hygiene.test.js.map +1 -0
- package/dist/checks/quality/index.d.ts +16 -0
- package/dist/checks/quality/index.d.ts.map +1 -0
- package/dist/checks/quality/index.js +16 -0
- package/dist/checks/quality/index.js.map +1 -0
- package/dist/checks/quality/linting/eslint-justifications.d.ts +12 -0
- package/dist/checks/quality/linting/eslint-justifications.d.ts.map +1 -0
- package/dist/checks/quality/linting/eslint-justifications.js +328 -0
- package/dist/checks/quality/linting/eslint-justifications.js.map +1 -0
- package/dist/checks/quality/linting/index.d.ts +4 -0
- package/dist/checks/quality/linting/index.d.ts.map +1 -0
- package/dist/checks/quality/linting/index.js +4 -0
- package/dist/checks/quality/linting/index.js.map +1 -0
- package/dist/checks/quality/linting/semgrep-justifications.d.ts +16 -0
- package/dist/checks/quality/linting/semgrep-justifications.d.ts.map +1 -0
- package/dist/checks/quality/linting/semgrep-justifications.js +229 -0
- package/dist/checks/quality/linting/semgrep-justifications.js.map +1 -0
- package/dist/checks/quality/linting/typescript-directive-hygiene.d.ts +12 -0
- package/dist/checks/quality/linting/typescript-directive-hygiene.d.ts.map +1 -0
- package/dist/checks/quality/linting/typescript-directive-hygiene.js +142 -0
- package/dist/checks/quality/linting/typescript-directive-hygiene.js.map +1 -0
- package/dist/checks/quality/no-compatibility-layer-names.d.ts +13 -0
- package/dist/checks/quality/no-compatibility-layer-names.d.ts.map +1 -0
- package/dist/checks/quality/no-compatibility-layer-names.js +100 -0
- package/dist/checks/quality/no-compatibility-layer-names.js.map +1 -0
- package/dist/checks/quality/no-deprecated-tags.d.ts +11 -0
- package/dist/checks/quality/no-deprecated-tags.d.ts.map +1 -0
- package/dist/checks/quality/no-deprecated-tags.js +76 -0
- package/dist/checks/quality/no-deprecated-tags.js.map +1 -0
- package/dist/checks/quality/no-markdown-references.d.ts +16 -0
- package/dist/checks/quality/no-markdown-references.d.ts.map +1 -0
- package/dist/checks/quality/no-markdown-references.js +145 -0
- package/dist/checks/quality/no-markdown-references.js.map +1 -0
- package/dist/checks/quality/no-raw-regex-on-code.d.ts +9 -0
- package/dist/checks/quality/no-raw-regex-on-code.d.ts.map +1 -0
- package/dist/checks/quality/no-raw-regex-on-code.js +61 -0
- package/dist/checks/quality/no-raw-regex-on-code.js.map +1 -0
- package/dist/checks/quality/no-temporary-workarounds.d.ts +11 -0
- package/dist/checks/quality/no-temporary-workarounds.d.ts.map +1 -0
- package/dist/checks/quality/no-temporary-workarounds.js +69 -0
- package/dist/checks/quality/no-temporary-workarounds.js.map +1 -0
- package/dist/checks/quality/no-window-alert.d.ts +19 -0
- package/dist/checks/quality/no-window-alert.d.ts.map +1 -0
- package/dist/checks/quality/no-window-alert.js +74 -0
- package/dist/checks/quality/no-window-alert.js.map +1 -0
- package/dist/checks/quality/observability/index.d.ts +2 -0
- package/dist/checks/quality/observability/index.d.ts.map +1 -0
- package/dist/checks/quality/observability/index.js +2 -0
- package/dist/checks/quality/observability/index.js.map +1 -0
- package/dist/checks/quality/observability/pino-serializer-coverage.d.ts +15 -0
- package/dist/checks/quality/observability/pino-serializer-coverage.d.ts.map +1 -0
- package/dist/checks/quality/observability/pino-serializer-coverage.js +209 -0
- package/dist/checks/quality/observability/pino-serializer-coverage.js.map +1 -0
- package/dist/checks/quality/patterns/async-state-pattern.d.ts +14 -0
- package/dist/checks/quality/patterns/async-state-pattern.d.ts.map +1 -0
- package/dist/checks/quality/patterns/async-state-pattern.js +80 -0
- package/dist/checks/quality/patterns/async-state-pattern.js.map +1 -0
- package/dist/checks/quality/patterns/index.d.ts +4 -0
- package/dist/checks/quality/patterns/index.d.ts.map +1 -0
- package/dist/checks/quality/patterns/index.js +4 -0
- package/dist/checks/quality/patterns/index.js.map +1 -0
- package/dist/checks/quality/patterns/no-non-null-assertions.d.ts +10 -0
- package/dist/checks/quality/patterns/no-non-null-assertions.d.ts.map +1 -0
- package/dist/checks/quality/patterns/no-non-null-assertions.js +97 -0
- package/dist/checks/quality/patterns/no-non-null-assertions.js.map +1 -0
- package/dist/checks/quality/patterns/performance-anti-patterns.d.ts +16 -0
- package/dist/checks/quality/patterns/performance-anti-patterns.d.ts.map +1 -0
- package/dist/checks/quality/patterns/performance-anti-patterns.js +239 -0
- package/dist/checks/quality/patterns/performance-anti-patterns.js.map +1 -0
- package/dist/checks/resilience/_helpers/config-validation.d.ts +27 -0
- package/dist/checks/resilience/_helpers/config-validation.d.ts.map +1 -0
- package/dist/checks/resilience/_helpers/config-validation.js +61 -0
- package/dist/checks/resilience/_helpers/config-validation.js.map +1 -0
- package/dist/checks/resilience/batch-operations.d.ts +22 -0
- package/dist/checks/resilience/batch-operations.d.ts.map +1 -0
- package/dist/checks/resilience/batch-operations.js +422 -0
- package/dist/checks/resilience/batch-operations.js.map +1 -0
- package/dist/checks/resilience/cache-ttl-validation.d.ts +13 -0
- package/dist/checks/resilience/cache-ttl-validation.d.ts.map +1 -0
- package/dist/checks/resilience/cache-ttl-validation.js +222 -0
- package/dist/checks/resilience/cache-ttl-validation.js.map +1 -0
- package/dist/checks/resilience/catch-clause-safety.d.ts +12 -0
- package/dist/checks/resilience/catch-clause-safety.d.ts.map +1 -0
- package/dist/checks/resilience/catch-clause-safety.js +110 -0
- package/dist/checks/resilience/catch-clause-safety.js.map +1 -0
- package/dist/checks/resilience/dangerous-config-defaults.d.ts +11 -0
- package/dist/checks/resilience/dangerous-config-defaults.d.ts.map +1 -0
- package/dist/checks/resilience/dangerous-config-defaults.js +304 -0
- package/dist/checks/resilience/dangerous-config-defaults.js.map +1 -0
- package/dist/checks/resilience/error-code-registration.d.ts +11 -0
- package/dist/checks/resilience/error-code-registration.d.ts.map +1 -0
- package/dist/checks/resilience/error-code-registration.js +88 -0
- package/dist/checks/resilience/error-code-registration.js.map +1 -0
- package/dist/checks/resilience/event-patterns.d.ts +21 -0
- package/dist/checks/resilience/event-patterns.d.ts.map +1 -0
- package/dist/checks/resilience/event-patterns.js +232 -0
- package/dist/checks/resilience/event-patterns.js.map +1 -0
- package/dist/checks/resilience/exit-code-correctness.d.ts +12 -0
- package/dist/checks/resilience/exit-code-correctness.d.ts.map +1 -0
- package/dist/checks/resilience/exit-code-correctness.js +107 -0
- package/dist/checks/resilience/exit-code-correctness.js.map +1 -0
- package/dist/checks/resilience/index.d.ts +18 -0
- package/dist/checks/resilience/index.d.ts.map +1 -0
- package/dist/checks/resilience/index.js +18 -0
- package/dist/checks/resilience/index.js.map +1 -0
- package/dist/checks/resilience/no-hardcoded-timeouts.d.ts +10 -0
- package/dist/checks/resilience/no-hardcoded-timeouts.d.ts.map +1 -0
- package/dist/checks/resilience/no-hardcoded-timeouts.js +291 -0
- package/dist/checks/resilience/no-hardcoded-timeouts.js.map +1 -0
- package/dist/checks/resilience/no-process-exit-in-finally.d.ts +11 -0
- package/dist/checks/resilience/no-process-exit-in-finally.d.ts.map +1 -0
- package/dist/checks/resilience/no-process-exit-in-finally.js +89 -0
- package/dist/checks/resilience/no-process-exit-in-finally.js.map +1 -0
- package/dist/checks/resilience/readline-cleanup.d.ts +11 -0
- package/dist/checks/resilience/readline-cleanup.d.ts.map +1 -0
- package/dist/checks/resilience/readline-cleanup.js +107 -0
- package/dist/checks/resilience/readline-cleanup.js.map +1 -0
- package/dist/checks/resilience/recovery-patterns.d.ts +25 -0
- package/dist/checks/resilience/recovery-patterns.d.ts.map +1 -0
- package/dist/checks/resilience/recovery-patterns.js +273 -0
- package/dist/checks/resilience/recovery-patterns.js.map +1 -0
- package/dist/checks/resilience/reentrancy-guard.d.ts +12 -0
- package/dist/checks/resilience/reentrancy-guard.d.ts.map +1 -0
- package/dist/checks/resilience/reentrancy-guard.js +86 -0
- package/dist/checks/resilience/reentrancy-guard.js.map +1 -0
- package/dist/checks/resilience/retry-config-validation.d.ts +13 -0
- package/dist/checks/resilience/retry-config-validation.d.ts.map +1 -0
- package/dist/checks/resilience/retry-config-validation.js +159 -0
- package/dist/checks/resilience/retry-config-validation.js.map +1 -0
- package/dist/checks/resilience/sentry/_helpers/sentry.d.ts +25 -0
- package/dist/checks/resilience/sentry/_helpers/sentry.d.ts.map +1 -0
- package/dist/checks/resilience/sentry/_helpers/sentry.js +68 -0
- package/dist/checks/resilience/sentry/_helpers/sentry.js.map +1 -0
- package/dist/checks/resilience/sentry/index.d.ts +8 -0
- package/dist/checks/resilience/sentry/index.d.ts.map +1 -0
- package/dist/checks/resilience/sentry/index.js +8 -0
- package/dist/checks/resilience/sentry/index.js.map +1 -0
- package/dist/checks/resilience/sentry/sentry-dsn-configured.d.ts +12 -0
- package/dist/checks/resilience/sentry/sentry-dsn-configured.d.ts.map +1 -0
- package/dist/checks/resilience/sentry/sentry-dsn-configured.js +55 -0
- package/dist/checks/resilience/sentry/sentry-dsn-configured.js.map +1 -0
- package/dist/checks/resilience/sentry/sentry-environment-set.d.ts +12 -0
- package/dist/checks/resilience/sentry/sentry-environment-set.d.ts.map +1 -0
- package/dist/checks/resilience/sentry/sentry-environment-set.js +51 -0
- package/dist/checks/resilience/sentry/sentry-environment-set.js.map +1 -0
- package/dist/checks/resilience/sentry/sentry-error-boundary.d.ts +12 -0
- package/dist/checks/resilience/sentry/sentry-error-boundary.d.ts.map +1 -0
- package/dist/checks/resilience/sentry/sentry-error-boundary.js +75 -0
- package/dist/checks/resilience/sentry/sentry-error-boundary.js.map +1 -0
- package/dist/checks/resilience/sentry/sentry-pii-scrubbing.d.ts +13 -0
- package/dist/checks/resilience/sentry/sentry-pii-scrubbing.d.ts.map +1 -0
- package/dist/checks/resilience/sentry/sentry-pii-scrubbing.js +125 -0
- package/dist/checks/resilience/sentry/sentry-pii-scrubbing.js.map +1 -0
- package/dist/checks/resilience/sentry/sentry-release-set.d.ts +12 -0
- package/dist/checks/resilience/sentry/sentry-release-set.d.ts.map +1 -0
- package/dist/checks/resilience/sentry/sentry-release-set.js +51 -0
- package/dist/checks/resilience/sentry/sentry-release-set.js.map +1 -0
- package/dist/checks/resilience/sentry/sentry-sample-rate.d.ts +12 -0
- package/dist/checks/resilience/sentry/sentry-sample-rate.d.ts.map +1 -0
- package/dist/checks/resilience/sentry/sentry-sample-rate.js +78 -0
- package/dist/checks/resilience/sentry/sentry-sample-rate.js.map +1 -0
- package/dist/checks/resilience/sentry/sentry-source-maps.d.ts +12 -0
- package/dist/checks/resilience/sentry/sentry-source-maps.d.ts.map +1 -0
- package/dist/checks/resilience/sentry/sentry-source-maps.js +83 -0
- package/dist/checks/resilience/sentry/sentry-source-maps.js.map +1 -0
- package/dist/checks/resilience/service-patterns.d.ts +18 -0
- package/dist/checks/resilience/service-patterns.d.ts.map +1 -0
- package/dist/checks/resilience/service-patterns.js +230 -0
- package/dist/checks/resilience/service-patterns.js.map +1 -0
- package/dist/checks/resilience/timer-lifecycle.d.ts +10 -0
- package/dist/checks/resilience/timer-lifecycle.d.ts.map +1 -0
- package/dist/checks/resilience/timer-lifecycle.js +78 -0
- package/dist/checks/resilience/timer-lifecycle.js.map +1 -0
- package/dist/checks/resilience/transaction-patterns.d.ts +21 -0
- package/dist/checks/resilience/transaction-patterns.d.ts.map +1 -0
- package/dist/checks/resilience/transaction-patterns.js +258 -0
- package/dist/checks/resilience/transaction-patterns.js.map +1 -0
- package/dist/checks/security/__tests__/no-hardcoded-secrets.test.d.ts +9 -0
- package/dist/checks/security/__tests__/no-hardcoded-secrets.test.d.ts.map +1 -0
- package/dist/checks/security/__tests__/no-hardcoded-secrets.test.js +37 -0
- package/dist/checks/security/__tests__/no-hardcoded-secrets.test.js.map +1 -0
- package/dist/checks/security/__tests__/package-supply-chain-policy.test.d.ts +2 -0
- package/dist/checks/security/__tests__/package-supply-chain-policy.test.d.ts.map +1 -0
- package/dist/checks/security/__tests__/package-supply-chain-policy.test.js +128 -0
- package/dist/checks/security/__tests__/package-supply-chain-policy.test.js.map +1 -0
- package/dist/checks/security/api-key-rotation.d.ts +10 -0
- package/dist/checks/security/api-key-rotation.d.ts.map +1 -0
- package/dist/checks/security/api-key-rotation.js +186 -0
- package/dist/checks/security/api-key-rotation.js.map +1 -0
- package/dist/checks/security/auth-middleware-coverage.d.ts +11 -0
- package/dist/checks/security/auth-middleware-coverage.d.ts.map +1 -0
- package/dist/checks/security/auth-middleware-coverage.js +210 -0
- package/dist/checks/security/auth-middleware-coverage.js.map +1 -0
- package/dist/checks/security/auth-route-guard.d.ts +12 -0
- package/dist/checks/security/auth-route-guard.d.ts.map +1 -0
- package/dist/checks/security/auth-route-guard.js +70 -0
- package/dist/checks/security/auth-route-guard.js.map +1 -0
- package/dist/checks/security/cors-configuration.d.ts +11 -0
- package/dist/checks/security/cors-configuration.d.ts.map +1 -0
- package/dist/checks/security/cors-configuration.js +126 -0
- package/dist/checks/security/cors-configuration.js.map +1 -0
- package/dist/checks/security/csp-headers.d.ts +11 -0
- package/dist/checks/security/csp-headers.d.ts.map +1 -0
- package/dist/checks/security/csp-headers.js +192 -0
- package/dist/checks/security/csp-headers.js.map +1 -0
- package/dist/checks/security/dependency-vulnerability-audit.d.ts +15 -0
- package/dist/checks/security/dependency-vulnerability-audit.d.ts.map +1 -0
- package/dist/checks/security/dependency-vulnerability-audit.js +184 -0
- package/dist/checks/security/dependency-vulnerability-audit.js.map +1 -0
- package/dist/checks/security/env-secret-exposure.d.ts +11 -0
- package/dist/checks/security/env-secret-exposure.d.ts.map +1 -0
- package/dist/checks/security/env-secret-exposure.js +127 -0
- package/dist/checks/security/env-secret-exposure.js.map +1 -0
- package/dist/checks/security/hasura-production-config.d.ts +11 -0
- package/dist/checks/security/hasura-production-config.d.ts.map +1 -0
- package/dist/checks/security/hasura-production-config.js +122 -0
- package/dist/checks/security/hasura-production-config.js.map +1 -0
- package/dist/checks/security/index.d.ts +17 -0
- package/dist/checks/security/index.d.ts.map +1 -0
- package/dist/checks/security/index.js +17 -0
- package/dist/checks/security/index.js.map +1 -0
- package/dist/checks/security/jwt-validation.d.ts +11 -0
- package/dist/checks/security/jwt-validation.d.ts.map +1 -0
- package/dist/checks/security/jwt-validation.js +294 -0
- package/dist/checks/security/jwt-validation.js.map +1 -0
- package/dist/checks/security/no-eval.d.ts +16 -0
- package/dist/checks/security/no-eval.d.ts.map +1 -0
- package/dist/checks/security/no-eval.js +83 -0
- package/dist/checks/security/no-eval.js.map +1 -0
- package/dist/checks/security/no-hardcoded-secrets.d.ts +28 -0
- package/dist/checks/security/no-hardcoded-secrets.d.ts.map +1 -0
- package/dist/checks/security/no-hardcoded-secrets.js +209 -0
- package/dist/checks/security/no-hardcoded-secrets.js.map +1 -0
- package/dist/checks/security/package-supply-chain-policy.d.ts +12 -0
- package/dist/checks/security/package-supply-chain-policy.d.ts.map +1 -0
- package/dist/checks/security/package-supply-chain-policy.js +534 -0
- package/dist/checks/security/package-supply-chain-policy.js.map +1 -0
- package/dist/checks/security/rate-limit-coverage.d.ts +10 -0
- package/dist/checks/security/rate-limit-coverage.d.ts.map +1 -0
- package/dist/checks/security/rate-limit-coverage.js +143 -0
- package/dist/checks/security/rate-limit-coverage.js.map +1 -0
- package/dist/checks/security/semgrep-scan.d.ts +13 -0
- package/dist/checks/security/semgrep-scan.d.ts.map +1 -0
- package/dist/checks/security/semgrep-scan.js +86 -0
- package/dist/checks/security/semgrep-scan.js.map +1 -0
- package/dist/checks/security/use-centralized-crypto.d.ts +11 -0
- package/dist/checks/security/use-centralized-crypto.d.ts.map +1 -0
- package/dist/checks/security/use-centralized-crypto.js +129 -0
- package/dist/checks/security/use-centralized-crypto.js.map +1 -0
- package/dist/checks/security/webhook-signature-verification.d.ts +10 -0
- package/dist/checks/security/webhook-signature-verification.d.ts.map +1 -0
- package/dist/checks/security/webhook-signature-verification.js +183 -0
- package/dist/checks/security/webhook-signature-verification.js.map +1 -0
- package/dist/checks/testing/index.d.ts +6 -0
- package/dist/checks/testing/index.d.ts.map +1 -0
- package/dist/checks/testing/index.js +6 -0
- package/dist/checks/testing/index.js.map +1 -0
- package/dist/checks/testing/no-skipped-tests.d.ts +40 -0
- package/dist/checks/testing/no-skipped-tests.d.ts.map +1 -0
- package/dist/checks/testing/no-skipped-tests.js +174 -0
- package/dist/checks/testing/no-skipped-tests.js.map +1 -0
- package/dist/checks/testing/no-stub-tests.d.ts +11 -0
- package/dist/checks/testing/no-stub-tests.d.ts.map +1 -0
- package/dist/checks/testing/no-stub-tests.js +103 -0
- package/dist/checks/testing/no-stub-tests.js.map +1 -0
- package/dist/checks/testing/test-convention-consistency.d.ts +14 -0
- package/dist/checks/testing/test-convention-consistency.d.ts.map +1 -0
- package/dist/checks/testing/test-convention-consistency.js +93 -0
- package/dist/checks/testing/test-convention-consistency.js.map +1 -0
- package/dist/checks/testing/test-file-naming.d.ts +13 -0
- package/dist/checks/testing/test-file-naming.d.ts.map +1 -0
- package/dist/checks/testing/test-file-naming.js +218 -0
- package/dist/checks/testing/test-file-naming.js.map +1 -0
- package/dist/checks/testing/test-file-pairing.d.ts +13 -0
- package/dist/checks/testing/test-file-pairing.d.ts.map +1 -0
- package/dist/checks/testing/test-file-pairing.js +274 -0
- package/dist/checks/testing/test-file-pairing.js.map +1 -0
- package/dist/display/architecture.d.ts +9 -0
- package/dist/display/architecture.d.ts.map +1 -0
- package/dist/display/architecture.js +29 -0
- package/dist/display/architecture.js.map +1 -0
- package/dist/display/index.d.ts +20 -0
- package/dist/display/index.d.ts.map +1 -0
- package/dist/display/index.js +30 -0
- package/dist/display/index.js.map +1 -0
- package/dist/display/quality.d.ts +7 -0
- package/dist/display/quality.d.ts.map +1 -0
- package/dist/display/quality.js +34 -0
- package/dist/display/quality.js.map +1 -0
- package/dist/display/resilience.d.ts +7 -0
- package/dist/display/resilience.d.ts.map +1 -0
- package/dist/display/resilience.js +36 -0
- package/dist/display/resilience.js.map +1 -0
- package/dist/display/security-testing.d.ts +9 -0
- package/dist/display/security-testing.d.ts.map +1 -0
- package/dist/display/security-testing.js +31 -0
- package/dist/display/security-testing.js.map +1 -0
- package/dist/display/types.d.ts +6 -0
- package/dist/display/types.d.ts.map +1 -0
- package/dist/display/types.js +6 -0
- package/dist/display/types.js.map +1 -0
- package/dist/index.d.ts +19 -0
- package/dist/index.d.ts.map +1 -0
- package/dist/index.js +21 -0
- package/dist/index.js.map +1 -0
- package/package.json +52 -0
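--- a/package/dist/checks/architecture/docker-best-practices.js
+++ b/package/dist/checks/architecture/docker-best-practices.js
@@ -0,0 +1,427 @@
+// @fitness-ignore-file fitness-check-standards -- Dockerfile check scans non-standard file types that do not map to a fileTypes extension array
+// @fitness-ignore-file file-length-limit -- Complex module with tightly coupled logic; refactoring would risk breaking changes
+/**
+* @fileoverview Docker best practices fitness check
+* @invariants
+* - Security rules (non-root user, no secrets, production-dependencies) are errors (blocking)
+* - Efficiency rules (layer ordering, multi-stage, no-build-tools-in-runner) are warnings (advisory)
+* - All Dockerfiles in the repository are scanned
+*/
+import * as path from 'node:path';
+import { defineCheck } from '@opensip-cli/fitness';
+// =============================================================================
+// PRE-COMPILED REGEX PATTERNS (for safety and performance)
+// =============================================================================
+// Maximum line length for regex matching to prevent DoS
+const MAX_DOCKERFILE_LINE_LENGTH = 2000;
+/**
+* Safely truncate a line for regex matching.
+*/
+function safeDockerLine(line) {
+/* v8 ignore next -- defensive: real Dockerfile lines never exceed 2000 chars */
+return line.length > MAX_DOCKERFILE_LINE_LENGTH
+? line.slice(0, MAX_DOCKERFILE_LINE_LENGTH)
+: line;
+}
+// Secret patterns - using word character classes with bounded quantifiers
+// Using \w for alphanumeric plus underscore, adding dash separately with explicit bounds
+const SECRET_API_KEY_PATTERN = /(?:API_KEY|APIKEY|API_SECRET|SECRET_KEY|AUTH_TOKEN|ACCESS_TOKEN)\s{0,10}=\s{0,10}['"]?[\w-]{16,200}/i;
+const SECRET_AWS_PATTERN = /(?:AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY)\s{0,10}=\s{0,10}['"]?[\w/+=]{20,200}/i;
+const SECRET_DB_URL_PATTERN = /(?:DATABASE_URL|DB_URL|MONGO_URL|REDIS_URL)\s{0,10}=\s{0,10}['"]?[a-z]{1,20}:\/\/[^:]{1,100}:[^@]{1,100}@/i;
+const SECRET_PASSWORD_PATTERN = /(?:PASSWORD|PASSWD|DB_PASSWORD|ADMIN_PASSWORD)\s{0,10}=\s{0,10}['"]?[^\s'"]{8,200}/i;
+const SECRET_PRIVATE_KEY_PATTERN = /-----BEGIN\s{1,10}(?:RSA\s{1,10})?PRIVATE\s{1,10}KEY-----/;
+const SECRET_JWT_PATTERN = /JWT_SECRET\s{0,10}=\s{0,10}['"]?[\w-]{32,500}/i;
+const SECRET_PATTERNS = [
+SECRET_API_KEY_PATTERN,
+SECRET_AWS_PATTERN,
+SECRET_DB_URL_PATTERN,
+SECRET_PASSWORD_PATTERN,
+SECRET_PRIVATE_KEY_PATTERN,
+SECRET_JWT_PATTERN,
+];
+// Package manager patterns - pre-compiled with bounded quantifiers
+const PNPM_INSTALL_PATTERN = /pnpm\s{1,10}install(?!\s{1,10}--frozen-lockfile)/;
+const NPM_INSTALL_PATTERN = /npm\s{1,10}(?:install|ci)(?!\s{1,10}-g)(?!\s{1,10}--global)(?!\s{1,10}--ci)(?!\s{1,10}--frozen-lockfile)/;
+const YARN_INSTALL_PATTERN = /yarn\s{1,10}install(?!\s{1,10}--frozen-lockfile)(?!\s{1,10}--immutable)/;
+const PACKAGE_MANAGER_PATTERNS = [
+{ pattern: PNPM_INSTALL_PATTERN, manager: 'pnpm', fix: '--frozen-lockfile' },
+{ pattern: NPM_INSTALL_PATTERN, manager: 'npm', fix: '--ci or npm ci' },
+{
+pattern: YARN_INSTALL_PATTERN,
+manager: 'yarn',
+fix: '--frozen-lockfile or --immutable',
+},
+];
+// Cache mount patterns - pre-compiled with bounded quantifiers
+const PKG_INSTALL_PATTERN = /(?:pnpm|npm|yarn)\s{1,10}install(?!\s{1,10}-g)(?!\s{1,10}--global)/;
+// Production dependency patterns - pre-compiled with bounded quantifiers
+const PROD_DEPS_FLAG_PATTERN = /(?:--prod\b|--production\b)/;
+// Other patterns - pre-compiled with bounded quantifiers
+const APT_UPGRADE_PATTERN = /apt-get\s{1,10}upgrade/i;
+const COPY_PATTERN = /COPY\s{1,10}(?:--from=\S{1,100}\s{1,10})?(\S{1,500})/i;
+const PACKAGE_FILE_COPY_PATTERN = /COPY\s{1,10}[^\n]{0,500}(?:package\.json|pnpm-lock|yarn\.lock|package-lock)/i;
+const NODE_MODULES_FROM_STAGE_PATTERN = /COPY\s{1,10}--from=\S{1,100}[^\n]{0,500}node_modules/i;
+const FROM_IMAGE_PATTERN = /FROM\s{1,10}(\S{1,200})/i;
+const FROM_STAGE_PATTERN = /\bAS\s{1,10}(\w{1,100})/i;
+const USER_PATTERN = /USER\s{1,10}(\S{1,100})/i;
+const NODE_ENV_PROD_PATTERN = /NODE_ENV\s{0,10}=\s{0,10}production/i;
+const RUNNER_STAGE_NAMES = new Set(['runner', 'production', 'prod', 'final', 'runtime']);
+// =============================================================================
+// ANALYSIS FUNCTIONS
+// =============================================================================
+function checkForSecrets(line, lineNum, file, filePath) {
+const safeLine = safeDockerLine(line);
+for (const pattern of SECRET_PATTERNS) {
+if (pattern.test(safeLine)) {
+return {
+file,
+filePath,
+line: lineNum,
+rule: 'no-hardcoded-secrets',
+message: 'Hardcoded secret detected in Dockerfile',
+severity: 'error',
+suggestion: 'Use build arguments, runtime environment variables, or a secrets manager instead',
+};
+}
+}
+return null;
+}
+function checkRunCommand(line, lineNum, file, filePath) {
+const violations = [];
+let hasFrozenLockfileViolation = false;
+const safeLine = safeDockerLine(line);
+for (const { pattern, manager, fix } of PACKAGE_MANAGER_PATTERNS) {
+if (pattern.test(safeLine)) {
+hasFrozenLockfileViolation = true;
+violations.push({
+file,
+filePath,
+line: lineNum,
+rule: 'frozen-lockfile',
+message: `${manager} install without frozen lockfile flag`,
+severity: 'error',
+suggestion: `Add ${fix} to ensure reproducible builds`,
+});
+}
+}
+if (APT_UPGRADE_PATTERN.test(safeLine)) {
+violations.push({
+file,
+filePath,
+line: lineNum,
+rule: 'no-apt-upgrade',
+message: 'apt-get upgrade makes builds non-reproducible',
+severity: 'warning',
+suggestion: 'Pin specific package versions instead of upgrading all packages',
+});
+}
+return { violations, hasFrozenLockfileViolation };
+}
+function checkCopyOrder(options) {
+const { line, lineNum, file, filePath, lines, lastFromLine, lineIndex } = options;
+/* v8 ignore next 4 -- defensive: callers always pass an array */
+// Validate array parameter
+if (!Array.isArray(lines)) {
+return null;
+}
+const safeLine = safeDockerLine(line);
+const copyMatch = COPY_PATTERN.exec(safeLine);
+if (copyMatch?.[1] !== '.' && copyMatch?.[1] !== './')
+return null;
+if (safeLine.includes('--from='))
+return null;
+const stageLines = lines.slice(lastFromLine, lineIndex);
+const hasPackageFileCopy = stageLines.some((l) => PACKAGE_FILE_COPY_PATTERN.test(safeDockerLine(l)));
+const hasNodeModulesFromStage = stageLines.some((l) => NODE_MODULES_FROM_STAGE_PATTERN.test(safeDockerLine(l)));
+if (!hasPackageFileCopy && !hasNodeModulesFromStage) {
+return {
+file,
+filePath,
+line: lineNum,
+rule: 'copy-order',
+message: 'COPY . before copying dependency files',
+severity: 'warning',
+suggestion: 'Copy package.json and lockfile first, run install, then copy source for better layer caching',
+};
+}
+return null;
+}
+function checkCacheMount(line, lineNum, file, filePath) {
+const safeLine = safeDockerLine(line);
+if (PKG_INSTALL_PATTERN.test(safeLine) && !safeLine.includes('--mount=type=cache')) {
+return {
+file,
+filePath,
+line: lineNum,
+rule: 'cache-mount',
+message: 'Package install without BuildKit cache mount',
+severity: 'warning',
+suggestion: 'Add --mount=type=cache,id=pnpm,target=/root/.local/share/pnpm/store to cache the package store across builds',
+};
+}
+return null;
+}
+/* v8 ignore start -- Dockerfile multi-stage state-machine; many edge-case branches covered by integration */
+function processFromLine(line, lineNum, state) {
+state.fromCount++;
+state.lastFromLine = lineNum;
+const safeLine = safeDockerLine(line);
+const match = FROM_IMAGE_PATTERN.exec(safeLine);
+const baseImage = match?.[1] ?? null;
+if (baseImage)
+state.baseImages.push(baseImage);
+const stageMatch = FROM_STAGE_PATTERN.exec(safeLine);
+const stageName = stageMatch?.[1]?.toLowerCase() ?? null;
+// Determine if this is the runner stage
+if (stageName) {
+state.isInRunnerStage = RUNNER_STAGE_NAMES.has(stageName);
+}
+else if (state.fromCount > 1) {
+state.isInRunnerStage = true;
+}
+if (state.isInRunnerStage) {
+state.runnerStageBaseImage = baseImage;
+state.runnerFromLine = lineNum;
+// Check if runner's base image references a previously defined build stage
+if (baseImage) {
+const baseImageLower = baseImage.toLowerCase();
+state.runnerInheritsBuildStage = state.stageNames.includes(baseImageLower);
+}
+}
+// Record stage name after checks (to avoid self-matching)
+if (stageName) {
+state.stageNames.push(stageName);
+}
+}
+function addMissingBestPracticeViolations(file, filePath, lineCount, state) {
+const violations = [];
+const hasMultiStage = state.fromCount >= 2;
+if (!hasMultiStage && state.fromCount > 0) {
+violations.push({
+file,
+filePath,
+line: 1,
+rule: 'multi-stage-build',
+message: 'Dockerfile does not use multi-stage build',
+severity: 'error',
+suggestion: 'Use separate stages for building and running to reduce image size and attack surface',
+});
+}
+if (!state.hasNonRootUser && state.fromCount > 0) {
+violations.push({
+file,
+filePath,
+line: lineCount,
+rule: 'non-root-user',
+message: 'Dockerfile does not specify a non-root user',
+severity: 'error',
+suggestion: String.raw `Add USER directive with a non-root user: RUN addgroup --system app && adduser --system --ingroup app app\nUSER app`,
+});
+}
+if (!state.hasHealthcheck && state.fromCount > 0) {
+violations.push({
+file,
+filePath,
+line: lineCount,
+rule: 'healthcheck',
+message: 'Dockerfile does not include a HEALTHCHECK instruction',
+severity: 'warning',
+suggestion: 'Add HEALTHCHECK to help orchestrators verify container health',
+});
+}
+// Check NODE_ENV only if runner stage uses Node.js
+const runnerUsesNode = state.runnerStageBaseImage?.includes('node') ?? false;
+if (runnerUsesNode && !state.hasNodeEnvProduction) {
+violations.push({
+file,
+filePath,
+line: lineCount,
+rule: 'node-env-production',
+message: 'NODE_ENV=production not set in runtime stage',
+severity: 'warning',
+suggestion: 'Add ENV NODE_ENV=production in the runner stage for Node.js optimizations',
+});
+}
+// Check if runner copies node_modules without production-only dependency resolution
+if (state.runnerCopiesNodeModules && !state.hasProductionDepsFlag) {
+violations.push({
+file,
+filePath,
+line: state.runnerNodeModulesLine,
+rule: 'production-dependencies',
+message: 'Runtime image copies node_modules without production-only dependency resolution',
+severity: 'error',
+suggestion: 'Use "pnpm deploy --prod" to create a production bundle, or add --prod to install command to exclude devDependencies from the runtime image',
+});
+}
+// Check if runner stage inherits from a build stage (includes build tools)
+if (state.runnerInheritsBuildStage) {
+violations.push({
+file,
+filePath,
+line: state.runnerFromLine,
+rule: 'no-build-tools-in-runner',
+message: 'Runtime stage inherits from a build stage that may include build tools (pnpm, corepack, etc.)',
+severity: 'warning',
+suggestion: 'Use a clean base image (e.g., node:20-alpine) for the runtime stage instead of inheriting from a build stage',
+});
+}
+return violations;
+}
+/* v8 ignore stop */
+function analyzeDockerfile(content, filePath, file) {
+const lines = content.split('\n');
+const violations = [];
+const state = {
+hasNonRootUser: false,
+hasHealthcheck: false,
+hasFrozenLockfile: true,
+hasNodeEnvProduction: false,
+hasProductionDepsFlag: false,
+baseImages: [],
+fromCount: 0,
+isInRunnerStage: false,
+runnerStageBaseImage: null,
+lastFromLine: 0,
+stageNames: [],
+runnerCopiesNodeModules: false,
+runnerNodeModulesLine: 0,
+runnerInheritsBuildStage: false,
+runnerFromLine: 0,
+};
+for (let i = 0; i < lines.length; i++) {
+processDockerfileLine({
+line: lines[i],
+index: i,
+lines,
+state,
+violations,
+file,
+filePath,
+});
+}
+// Add violations for missing best practices
+violations.push(...addMissingBestPracticeViolations(file, filePath, lines.length, state));
+return violations;
+}
+function processUserLine(trimmedLine, state) {
+const safeLine = safeDockerLine(trimmedLine);
+const userMatch = USER_PATTERN.exec(safeLine);
+if (userMatch?.[1] && userMatch[1] !== 'root') {
+state.hasNonRootUser = true;
+}
+}
+function processRunLine(options) {
+const { trimmedLine, lineNum, file, filePath, state, violations } = options;
+const runResult = checkRunCommand(trimmedLine, lineNum, file, filePath);
+violations.push(...runResult.violations);
+if (runResult.hasFrozenLockfileViolation)
+state.hasFrozenLockfile = false;
+const cacheMountViolation = checkCacheMount(trimmedLine, lineNum, file, filePath);
+if (cacheMountViolation)
+violations.push(cacheMountViolation);
+if (PROD_DEPS_FLAG_PATTERN.test(safeDockerLine(trimmedLine))) {
+state.hasProductionDepsFlag = true;
+}
+}
+function processCopyLine(options) {
+const { trimmedLine, lineNum, index, lines, file, filePath, state, violations } = options;
+const copyViolation = checkCopyOrder({
+line: trimmedLine,
+lineNum,
+file,
+filePath,
+lines,
+lastFromLine: state.lastFromLine,
+lineIndex: index,
+});
+if (copyViolation)
+violations.push(copyViolation);
+if (state.isInRunnerStage && NODE_MODULES_FROM_STAGE_PATTERN.test(safeDockerLine(trimmedLine))) {
+state.runnerCopiesNodeModules = true;
+state.runnerNodeModulesLine = lineNum;
+}
+}
+function processDockerfileLine(options) {
+const { line, index, lines, state, violations, file, filePath } = options;
+/* v8 ignore next -- defensive: lines.entries() never yields undefined */
+const trimmedLine = line?.trim() ?? '';
+if (!trimmedLine || trimmedLine.startsWith('#'))
+return;
+const upperLine = trimmedLine.toUpperCase();
+const lineNum = index + 1;
+if (upperLine.startsWith('FROM ')) {
+processFromLine(trimmedLine, lineNum, state);
+}
+if (upperLine.startsWith('USER ')) {
+processUserLine(trimmedLine, state);
+}
+if (upperLine.startsWith('HEALTHCHECK ')) {
+state.hasHealthcheck = true;
+}
+if (NODE_ENV_PROD_PATTERN.test(safeDockerLine(trimmedLine))) {
+state.hasNodeEnvProduction = true;
+}
+const secretViolation = checkForSecrets(trimmedLine, lineNum, file, filePath);
+if (secretViolation)
+violations.push(secretViolation);
+if (upperLine.startsWith('RUN ')) {
+processRunLine({ trimmedLine, lineNum, file, filePath, state, violations });
+}
+if (upperLine.startsWith('COPY ')) {
+processCopyLine({ trimmedLine, lineNum, index, lines, file, filePath, state, violations });
+}
+}
+// =============================================================================
+// CHECK DEFINITION
+// =============================================================================
+/**
+* Check: architecture/docker-best-practices
+*
+* Validates Dockerfiles follow security and efficiency best practices:
+* - Multi-stage builds
+* - Non-root user
+* - No hardcoded secrets
+* - Frozen lockfiles for package managers
+* - HEALTHCHECK instruction
+* - Proper COPY order for layer caching
+* - Production-only dependencies in runtime image (no devDependencies)
+* - No build tools (pnpm, corepack) inherited in runtime stage
+* - BuildKit cache mounts for package install commands
+*/
+export const dockerBestPractices = defineCheck({
+id: '9870251d-6d3c-49b7-a680-864bc892b19e',
+slug: 'docker-best-practices',
+disabled: true,
+scope: { languages: ['json', 'typescript', 'yaml'], concerns: ['config'] },
+contentFilter: 'raw',
+confidence: 'medium',
+description: 'Validate Dockerfiles follow security and efficiency best practices',
+longDescription: `**Purpose:** Enforces security and efficiency best practices in Dockerfiles across the repository.
+
+**Detects:**
+- Hardcoded secrets (API keys, AWS credentials, passwords, JWT secrets, private keys)
+- Missing multi-stage builds, missing non-root \`USER\` directive, missing \`HEALTHCHECK\`
+- Package installs without \`--frozen-lockfile\` (pnpm/npm/yarn)
+- \`COPY .\` before dependency file copy (poor layer caching)
+- Missing BuildKit cache mounts on package installs
+- Runtime stage inheriting from build stage or copying \`node_modules\` without \`--prod\`
+
+**Why it matters:** Prevents security vulnerabilities (running as root, leaked secrets), non-reproducible builds, and bloated production images.
+
+**Scope:** General best practice. Analyzes each file individually.`,
+tags: ['docker', 'security', 'best-practices', 'architecture'],
+analyze(content, filePath) {
+const file = path.relative(process.cwd(), filePath);
+const violations = analyzeDockerfile(content, filePath, file);
+return violations.map((violation) => ({
+line: violation.line,
+message: violation.message + (violation.suggestion ? ` (${violation.suggestion})` : ''),
+severity: violation.severity,
+suggestion: violation.suggestion ?? 'See Docker best practices documentation.',
+match: violation.rule,
+type: violation.rule,
+}));
+},
+});
+//# sourceMappingURL=docker-best-practices.js.map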
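Review bot: The `non-root-user` rule, which the file header classes as a blocking security rule, is satisfiable by a USER line that does not govern the final image: `processUserLine` only ever sets `state.hasNonRootUser = true`, so a `USER app` in a build stage followed by a runtime stage with no USER, or a later `USER root`, still passes, and `USER 0`, `USER 0:0` and `USER root:root` are all counted as non-root because only the literal `root` is compared. Since the last USER of the last stage decides the runtime identity, I would let each USER line set the flag in both directions, compare only the user part of `user[:group]` against `root` and `0`, and reset `state.hasNonRootUser = false` in `processFromLine` when a new stage begins; a runtime stage that does `FROM <build-stage>` inherits that stage's USER and would then be a false positive, which is worth a comment rather than silent acceptance. `USER ${VAR}` cannot be resolved statically and keeps counting as non-root, so a `// NOTE: variable USER values are assumed non-root` comment on that branch would make the limitation explicit.
```javascript
function processFromLine(line, lineNum, state) {
    state.fromCount++;
    state.lastFromLine = lineNum;
    // Each stage starts as root; only a USER line in this stage clears the flag
    // (a stage built FROM an earlier stage inherits its USER — not modelled here).
    state.hasNonRootUser = false;
    // … unchanged: base-image / stage-name handling …
}
// … unchanged: addMissingBestPracticeViolations, analyzeDockerfile …
function processUserLine(trimmedLine, state) {
    const safeLine = safeDockerLine(trimmedLine);
    const userMatch = USER_PATTERN.exec(safeLine);
    if (!userMatch?.[1])
        return;
    // USER takes "name[:group]" or "uid[:gid]"; uid 0 is root, and the last USER wins.
    const user = userMatch[1].split(':')[0].toLowerCase();
    state.hasNonRootUser = user !== 'root' && user !== '0';
}
```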
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"docker-best-practices.js","sourceRoot":"","sources":["../../../src/checks/architecture/docker-best-practices.ts"],"names":[],"mappings":"AAAA,gJAAgJ;AAChJ,+HAA+H;AAC/H;;;;;;GAMG;AAEH,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAElC,OAAO,EAAE,WAAW,EAAuB,MAAM,sBAAsB,CAAC;AAkCxE,gFAAgF;AAChF,2DAA2D;AAC3D,gFAAgF;AAEhF,wDAAwD;AACxD,MAAM,0BAA0B,GAAG,IAAI,CAAC;AAExC;;GAEG;AACH,SAAS,cAAc,CAAC,IAAY;IAClC,gFAAgF;IAChF,OAAO,IAAI,CAAC,MAAM,GAAG,0BAA0B;QAC7C,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,0BAA0B,CAAC;QAC3C,CAAC,CAAC,IAAI,CAAC;AACX,CAAC;AAED,0EAA0E;AAC1E,yFAAyF;AACzF,MAAM,sBAAsB,GAC1B,sGAAsG,CAAC;AACzG,MAAM,kBAAkB,GACtB,mFAAmF,CAAC;AACtF,MAAM,qBAAqB,GACzB,4GAA4G,CAAC;AAC/G,MAAM,uBAAuB,GAC3B,qFAAqF,CAAC;AACxF,MAAM,0BAA0B,GAAG,2DAA2D,CAAC;AAC/F,MAAM,kBAAkB,GAAG,gDAAgD,CAAC;AAE5E,MAAM,eAAe,GAAG;IACtB,sBAAsB;IACtB,kBAAkB;IAClB,qBAAqB;IACrB,uBAAuB;IACvB,0BAA0B;IAC1B,kBAAkB;CACnB,CAAC;AAEF,mEAAmE;AACnE,MAAM,oBAAoB,GAAG,kDAAkD,CAAC;AAChF,MAAM,mBAAmB,GACvB,0GAA0G,CAAC;AAC7G,MAAM,oBAAoB,GACxB,yEAAyE,CAAC;AAQ5E,MAAM,wBAAwB,GAA4B;IACxD,EAAE,OAAO,EAAE,oBAAoB,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,mBAAmB,EAAE;IAC5E,EAAE,OAAO,EAAE,mBAAmB,EAAE,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,gBAAgB,EAAE;IACvE;QACE,OAAO,EAAE,oBAAoB;QAC7B,OAAO,EAAE,MAAM;QACf,GAAG,EAAE,kCAAkC;KACxC;CACF,CAAC;AAEF,+DAA+D;AAC/D,MAAM,mBAAmB,GAAG,oEAAoE,CAAC;AAEjG,yEAAyE;AACzE,MAAM,sBAAsB,GAAG,6BAA6B,CAAC;AAE7D,yDAAyD;AACzD,MAAM,mBAAmB,GAAG,yBAAyB,CAAC;AACtD,MAAM,YAAY,GAAG,uDAAuD,CAAC;AAC7E,MAAM,yBAAyB,GAC7B,8EAA8E,CAAC;AACjF,MAAM,+BAA+B,GAAG,uDAAuD,CAAC;AAChG,MAAM,kBAAkB,GAAG,0BAA0B,CAAC;AACtD,MAAM,kBAAkB,GAAG,0BAA0B,CAAC;AACtD,MAAM,YAAY,GAAG,0BAA0B,CAAC;AAChD,MAAM,qBAAqB,GAAG,sCAAsC,CAAC;AAErE,MAAM,kBAAkB,GAAG,IAAI,GAAG,CAAC,CAAC,QAAQ,EAAE,YAAY,EAAE,MAAM,EAAE,OAAO,EAAE,SAAS,CAAC,CAAC,CAAC;AAEzF,gFAAgF;AAChF,qBAAqB;AACrB,gFAAgF;AAEhF,SAAS,eAAe,CACtB,IAAY,EACZ,OAAe,EACf,IAAY,EACZ,QAAgB;IAEhB,MAAM,QAAQ,GAAG,cAAc,CAAC,IAAI,CAAC,CAAC;IACtC,KAAK,MAAM,OAAO,IAAI,eAAe,EAAE,CAAC;QACtC,IAAI,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;YA
C3B,OAAO;gBACL,IAAI;gBACJ,QAAQ;gBACR,IAAI,EAAE,OAAO;gBACb,IAAI,EAAE,sBAAsB;gBAC5B,OAAO,EAAE,yCAAyC;gBAClD,QAAQ,EAAE,OAAO;gBACjB,UAAU,EACR,kFAAkF;aACrF,CAAC;QACJ,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,eAAe,CACtB,IAAY,EACZ,OAAe,EACf,IAAY,EACZ,QAAgB;IAEhB,MAAM,UAAU,GAA0B,EAAE,CAAC;IAC7C,IAAI,0BAA0B,GAAG,KAAK,CAAC;IACvC,MAAM,QAAQ,GAAG,cAAc,CAAC,IAAI,CAAC,CAAC;IAEtC,KAAK,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,GAAG,EAAE,IAAI,wBAAwB,EAAE,CAAC;QACjE,IAAI,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC3B,0BAA0B,GAAG,IAAI,CAAC;YAClC,UAAU,CAAC,IAAI,CAAC;gBACd,IAAI;gBACJ,QAAQ;gBACR,IAAI,EAAE,OAAO;gBACb,IAAI,EAAE,iBAAiB;gBACvB,OAAO,EAAE,GAAG,OAAO,uCAAuC;gBAC1D,QAAQ,EAAE,OAAO;gBACjB,UAAU,EAAE,OAAO,GAAG,gCAAgC;aACvD,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,IAAI,mBAAmB,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;QACvC,UAAU,CAAC,IAAI,CAAC;YACd,IAAI;YACJ,QAAQ;YACR,IAAI,EAAE,OAAO;YACb,IAAI,EAAE,gBAAgB;YACtB,OAAO,EAAE,+CAA+C;YACxD,QAAQ,EAAE,SAAS;YACnB,UAAU,EAAE,iEAAiE;SAC9E,CAAC,CAAC;IACL,CAAC;IAED,OAAO,EAAE,UAAU,EAAE,0BAA0B,EAAE,CAAC;AACpD,CAAC;AAYD,SAAS,cAAc,CAAC,OAA8B;IACpD,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,YAAY,EAAE,SAAS,EAAE,GAAG,OAAO,CAAC;IAElF,iEAAiE;IACjE,2BAA2B;IAC3B,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QAC1B,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,QAAQ,GAAG,cAAc,CAAC,IAAI,CAAC,CAAC;IACtC,MAAM,SAAS,GAAG,YAAY,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAC9C,IAAI,SAAS,EAAE,CAAC,CAAC,CAAC,KAAK,GAAG,IAAI,SAAS,EAAE,CAAC,CAAC,CAAC,KAAK,IAAI;QAAE,OAAO,IAAI,CAAC;IACnE,IAAI,QAAQ,CAAC,QAAQ,CAAC,SAAS,CAAC;QAAE,OAAO,IAAI,CAAC;IAE9C,MAAM,UAAU,GAAG,KAAK,CAAC,KAAK,CAAC,YAAY,EAAE,SAAS,CAAC,CAAC;IAExD,MAAM,kBAAkB,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAC/C,yBAAyB,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,CAClD,CAAC;IAEF,MAAM,uBAAuB,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CACpD,+BAA+B,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,CACxD,CAAC;IAEF,IAAI,CAAC,kBAAkB,IAAI,CAAC,uBAAuB,EAAE,CAAC;QACpD,OAAO;YACL,IAAI;YACJ,QAAQ;YACR,IAAI,EAAE,OAAO;YACb,IAAI,EAAE,YAAY;YAClB,OAAO,EAAE,wCAAwC;
YACjD,QAAQ,EAAE,SAAS;YACnB,UAAU,EACR,8FAA8F;SACjG,CAAC;IACJ,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,eAAe,CACtB,IAAY,EACZ,OAAe,EACf,IAAY,EACZ,QAAgB;IAEhB,MAAM,QAAQ,GAAG,cAAc,CAAC,IAAI,CAAC,CAAC;IACtC,IAAI,mBAAmB,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,oBAAoB,CAAC,EAAE,CAAC;QACnF,OAAO;YACL,IAAI;YACJ,QAAQ;YACR,IAAI,EAAE,OAAO;YACb,IAAI,EAAE,aAAa;YACnB,OAAO,EAAE,8CAA8C;YACvD,QAAQ,EAAE,SAAS;YACnB,UAAU,EACR,8GAA8G;SACjH,CAAC;IACJ,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,6GAA6G;AAC7G,SAAS,eAAe,CAAC,IAAY,EAAE,OAAe,EAAE,KAAoB;IAC1E,KAAK,CAAC,SAAS,EAAE,CAAC;IAClB,KAAK,CAAC,YAAY,GAAG,OAAO,CAAC;IAC7B,MAAM,QAAQ,GAAG,cAAc,CAAC,IAAI,CAAC,CAAC;IACtC,MAAM,KAAK,GAAG,kBAAkB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAChD,MAAM,SAAS,GAAG,KAAK,EAAE,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC;IACrC,IAAI,SAAS;QAAE,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IAEhD,MAAM,UAAU,GAAG,kBAAkB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACrD,MAAM,SAAS,GAAG,UAAU,EAAE,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,IAAI,IAAI,CAAC;IAEzD,wCAAwC;IACxC,IAAI,SAAS,EAAE,CAAC;QACd,KAAK,CAAC,eAAe,GAAG,kBAAkB,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IAC5D,CAAC;SAAM,IAAI,KAAK,CAAC,SAAS,GAAG,CAAC,EAAE,CAAC;QAC/B,KAAK,CAAC,eAAe,GAAG,IAAI,CAAC;IAC/B,CAAC;IAED,IAAI,KAAK,CAAC,eAAe,EAAE,CAAC;QAC1B,KAAK,CAAC,oBAAoB,GAAG,SAAS,CAAC;QACvC,KAAK,CAAC,cAAc,GAAG,OAAO,CAAC;QAE/B,2EAA2E;QAC3E,IAAI,SAAS,EAAE,CAAC;YACd,MAAM,cAAc,GAAG,SAAS,CAAC,WAAW,EAAE,CAAC;YAC/C,KAAK,CAAC,wBAAwB,GAAG,KAAK,CAAC,UAAU,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC;QAC7E,CAAC;IACH,CAAC;IAED,0DAA0D;IAC1D,IAAI,SAAS,EAAE,CAAC;QACd,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IACnC,CAAC;AACH,CAAC;AAED,SAAS,gCAAgC,CACvC,IAAY,EACZ,QAAgB,EAChB,SAAiB,EACjB,KAAoB;IAEpB,MAAM,UAAU,GAA0B,EAAE,CAAC;IAC7C,MAAM,aAAa,GAAG,KAAK,CAAC,SAAS,IAAI,CAAC,CAAC;IAE3C,IAAI,CAAC,aAAa,IAAI,KAAK,CAAC,SAAS,GAAG,CAAC,EAAE,CAAC;QAC1C,UAAU,CAAC,IAAI,CAAC;YACd,IAAI;YACJ,QAAQ;YACR,IAAI,EAAE,CAAC;YACP,IAAI,EAAE,mBAAmB;YACzB,OAAO,EAAE,2CAA2C;YACpD,QAAQ,EAAE,OAAO;YACjB,UAAU,EACR,sFAAsF;SACzF,CAAC,CAAC;IACL,CAAC;IAED,IAAI,CAAC,KAAK,CAAC,cAAc,IAAI,KAAK
,CAAC,SAAS,GAAG,CAAC,EAAE,CAAC;QACjD,UAAU,CAAC,IAAI,CAAC;YACd,IAAI;YACJ,QAAQ;YACR,IAAI,EAAE,SAAS;YACf,IAAI,EAAE,eAAe;YACrB,OAAO,EAAE,6CAA6C;YACtD,QAAQ,EAAE,OAAO;YACjB,UAAU,EAAE,MAAM,CAAC,GAAG,CAAA,oHAAoH;SAC3I,CAAC,CAAC;IACL,CAAC;IAED,IAAI,CAAC,KAAK,CAAC,cAAc,IAAI,KAAK,CAAC,SAAS,GAAG,CAAC,EAAE,CAAC;QACjD,UAAU,CAAC,IAAI,CAAC;YACd,IAAI;YACJ,QAAQ;YACR,IAAI,EAAE,SAAS;YACf,IAAI,EAAE,aAAa;YACnB,OAAO,EAAE,uDAAuD;YAChE,QAAQ,EAAE,SAAS;YACnB,UAAU,EAAE,+DAA+D;SAC5E,CAAC,CAAC;IACL,CAAC;IAED,mDAAmD;IACnD,MAAM,cAAc,GAAG,KAAK,CAAC,oBAAoB,EAAE,QAAQ,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC;IAC7E,IAAI,cAAc,IAAI,CAAC,KAAK,CAAC,oBAAoB,EAAE,CAAC;QAClD,UAAU,CAAC,IAAI,CAAC;YACd,IAAI;YACJ,QAAQ;YACR,IAAI,EAAE,SAAS;YACf,IAAI,EAAE,qBAAqB;YAC3B,OAAO,EAAE,8CAA8C;YACvD,QAAQ,EAAE,SAAS;YACnB,UAAU,EAAE,2EAA2E;SACxF,CAAC,CAAC;IACL,CAAC;IAED,oFAAoF;IACpF,IAAI,KAAK,CAAC,uBAAuB,IAAI,CAAC,KAAK,CAAC,qBAAqB,EAAE,CAAC;QAClE,UAAU,CAAC,IAAI,CAAC;YACd,IAAI;YACJ,QAAQ;YACR,IAAI,EAAE,KAAK,CAAC,qBAAqB;YACjC,IAAI,EAAE,yBAAyB;YAC/B,OAAO,EAAE,iFAAiF;YAC1F,QAAQ,EAAE,OAAO;YACjB,UAAU,EACR,4IAA4I;SAC/I,CAAC,CAAC;IACL,CAAC;IAED,2EAA2E;IAC3E,IAAI,KAAK,CAAC,wBAAwB,EAAE,CAAC;QACnC,UAAU,CAAC,IAAI,CAAC;YACd,IAAI;YACJ,QAAQ;YACR,IAAI,EAAE,KAAK,CAAC,cAAc;YAC1B,IAAI,EAAE,0BAA0B;YAChC,OAAO,EACL,+FAA+F;YACjG,QAAQ,EAAE,SAAS;YACnB,UAAU,EACR,8GAA8G;SACjH,CAAC,CAAC;IACL,CAAC;IAED,OAAO,UAAU,CAAC;AACpB,CAAC;AACD,oBAAoB;AAEpB,SAAS,iBAAiB,CAAC,OAAe,EAAE,QAAgB,EAAE,IAAY;IACxE,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAClC,MAAM,UAAU,GAA0B,EAAE,CAAC;IAE7C,MAAM,KAAK,GAAkB;QAC3B,cAAc,EAAE,KAAK;QACrB,cAAc,EAAE,KAAK;QACrB,iBAAiB,EAAE,IAAI;QACvB,oBAAoB,EAAE,KAAK;QAC3B,qBAAqB,EAAE,KAAK;QAC5B,UAAU,EAAE,EAAE;QACd,SAAS,EAAE,CAAC;QACZ,eAAe,EAAE,KAAK;QACtB,oBAAoB,EAAE,IAAI;QAC1B,YAAY,EAAE,CAAC;QACf,UAAU,EAAE,EAAE;QACd,uBAAuB,EAAE,KAAK;QAC9B,qBAAqB,EAAE,CAAC;QACxB,wBAAwB,EAAE,KAAK;QAC/B,cAAc,EAAE,CAAC;KAClB,CAAC;IAEF,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,qBAAqB,CAAC;YACpB,IAAI,EAAE,KAAK,CAAC,CAAC,CAAC;YACd,KA
AK,EAAE,CAAC;YACR,KAAK;YACL,KAAK;YACL,UAAU;YACV,IAAI;YACJ,QAAQ;SACT,CAAC,CAAC;IACL,CAAC;IAED,4CAA4C;IAC5C,UAAU,CAAC,IAAI,CAAC,GAAG,gCAAgC,CAAC,IAAI,EAAE,QAAQ,EAAE,KAAK,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC,CAAC;IAE1F,OAAO,UAAU,CAAC;AACpB,CAAC;AAYD,SAAS,eAAe,CAAC,WAAmB,EAAE,KAAoB;IAChE,MAAM,QAAQ,GAAG,cAAc,CAAC,WAAW,CAAC,CAAC;IAC7C,MAAM,SAAS,GAAG,YAAY,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAC9C,IAAI,SAAS,EAAE,CAAC,CAAC,CAAC,IAAI,SAAS,CAAC,CAAC,CAAC,KAAK,MAAM,EAAE,CAAC;QAC9C,KAAK,CAAC,cAAc,GAAG,IAAI,CAAC;IAC9B,CAAC;AACH,CAAC;AAWD,SAAS,cAAc,CAAC,OAA8B;IACpD,MAAM,EAAE,WAAW,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,UAAU,EAAE,GAAG,OAAO,CAAC;IAC5E,MAAM,SAAS,GAAG,eAAe,CAAC,WAAW,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,CAAC,CAAC;IACxE,UAAU,CAAC,IAAI,CAAC,GAAG,SAAS,CAAC,UAAU,CAAC,CAAC;IACzC,IAAI,SAAS,CAAC,0BAA0B;QAAE,KAAK,CAAC,iBAAiB,GAAG,KAAK,CAAC;IAE1E,MAAM,mBAAmB,GAAG,eAAe,CAAC,WAAW,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,CAAC,CAAC;IAClF,IAAI,mBAAmB;QAAE,UAAU,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC;IAE9D,IAAI,sBAAsB,CAAC,IAAI,CAAC,cAAc,CAAC,WAAW,CAAC,CAAC,EAAE,CAAC;QAC7D,KAAK,CAAC,qBAAqB,GAAG,IAAI,CAAC;IACrC,CAAC;AACH,CAAC;AAaD,SAAS,eAAe,CAAC,OAA+B;IACtD,MAAM,EAAE,WAAW,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,UAAU,EAAE,GAAG,OAAO,CAAC;IAC1F,MAAM,aAAa,GAAG,cAAc,CAAC;QACnC,IAAI,EAAE,WAAW;QACjB,OAAO;QACP,IAAI;QACJ,QAAQ;QACR,KAAK;QACL,YAAY,EAAE,KAAK,CAAC,YAAY;QAChC,SAAS,EAAE,KAAK;KACjB,CAAC,CAAC;IACH,IAAI,aAAa;QAAE,UAAU,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;IAElD,IAAI,KAAK,CAAC,eAAe,IAAI,+BAA+B,CAAC,IAAI,CAAC,cAAc,CAAC,WAAW,CAAC,CAAC,EAAE,CAAC;QAC/F,KAAK,CAAC,uBAAuB,GAAG,IAAI,CAAC;QACrC,KAAK,CAAC,qBAAqB,GAAG,OAAO,CAAC;IACxC,CAAC;AACH,CAAC;AAED,SAAS,qBAAqB,CAAC,OAAqC;IAClE,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,UAAU,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,OAAO,CAAC;IAC1E,yEAAyE;IACzE,MAAM,WAAW,GAAG,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;IACvC,IAAI,CAAC,WAAW,IAAI,WAAW,CAAC,UAAU,CAAC,GAAG,CAAC;QAAE,OAAO;IAExD,MAAM,SAAS,GAAG,WAAW,CAAC,WAAW,EAAE,CAAC;IAC5C,MAAM,OAAO,GAAG,KAAK,GAAG,CAAC,CAAC;IAE1B,IAAI,SAAS,CAAC,
UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;QAClC,eAAe,CAAC,WAAW,EAAE,OAAO,EAAE,KAAK,CAAC,CAAC;IAC/C,CAAC;IAED,IAAI,SAAS,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;QAClC,eAAe,CAAC,WAAW,EAAE,KAAK,CAAC,CAAC;IACtC,CAAC;IAED,IAAI,SAAS,CAAC,UAAU,CAAC,cAAc,CAAC,EAAE,CAAC;QACzC,KAAK,CAAC,cAAc,GAAG,IAAI,CAAC;IAC9B,CAAC;IAED,IAAI,qBAAqB,CAAC,IAAI,CAAC,cAAc,CAAC,WAAW,CAAC,CAAC,EAAE,CAAC;QAC5D,KAAK,CAAC,oBAAoB,GAAG,IAAI,CAAC;IACpC,CAAC;IAED,MAAM,eAAe,GAAG,eAAe,CAAC,WAAW,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,CAAC,CAAC;IAC9E,IAAI,eAAe;QAAE,UAAU,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;IAEtD,IAAI,SAAS,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;QACjC,cAAc,CAAC,EAAE,WAAW,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC,CAAC;IAC9E,CAAC;IAED,IAAI,SAAS,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;QAClC,eAAe,CAAC,EAAE,WAAW,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC,CAAC;IAC7F,CAAC;AACH,CAAC;AAED,gFAAgF;AAChF,mBAAmB;AACnB,gFAAgF;AAEhF;;;;;;;;;;;;;GAaG;AACH,MAAM,CAAC,MAAM,mBAAmB,GAAG,WAAW,CAAC;IAC7C,EAAE,EAAE,sCAAsC;IAC1C,IAAI,EAAE,uBAAuB;IAC7B,QAAQ,EAAE,IAAI;IACd,KAAK,EAAE,EAAE,SAAS,EAAE,CAAC,MAAM,EAAE,YAAY,EAAE,MAAM,CAAC,EAAE,QAAQ,EAAE,CAAC,QAAQ,CAAC,EAAE;IAC1E,aAAa,EAAE,KAAK;IAEpB,UAAU,EAAE,QAAQ;IACpB,WAAW,EAAE,oEAAoE;IACjF,eAAe,EAAE;;;;;;;;;;;;mEAYgD;IACjE,IAAI,EAAE,CAAC,QAAQ,EAAE,UAAU,EAAE,gBAAgB,EAAE,cAAc,CAAC;IAE9D,OAAO,CAAC,OAAe,EAAE,QAAgB;QACvC,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,QAAQ,CAAC,CAAC;QACpD,MAAM,UAAU,GAAG,iBAAiB,CAAC,OAAO,EAAE,QAAQ,EAAE,IAAI,CAAC,CAAC;QAE9D,OAAO,UAAU,CAAC,GAAG,CAAC,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;YACpC,IAAI,EAAE,SAAS,CAAC,IAAI;YACpB,OAAO,EAAE,SAAS,CAAC,OAAO,GAAG,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC,CAAC,KAAK,SAAS,CAAC,UAAU,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;YACvF,QAAQ,EAAE,SAAS,CAAC,QAAQ;YAC5B,UAAU,EAAE,SAAS,CAAC,UAAU,IAAI,0CAA0C;YAC9E,KAAK,EAAE,SAAS,CAAC,IAAI;YACrB,IAAI,EAAE,SAAS,CAAC,IAAI;SACrB,CAAC,CAAC,CAAC;IACN,CAAC;CACF,CAAC,CAAC"}
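--- /dev/null
+++ b/package/dist/checks/architecture/docker-ignore-validation.d.ts
@@ -0,0 +1,18 @@
+/**
+* @fileoverview Docker .dockerignore validation fitness check
+* @invariants
+* - Every Dockerfile directory must have a .dockerignore file
+* - .dockerignore must include .git pattern
+* - Node-based Dockerfiles must also include node_modules pattern
+*/
+/**
+* Check: architecture/docker-ignore-validation
+*
+* Validates that every Dockerfile has a corresponding .dockerignore with required patterns:
+* 1. .git — always required
+* 2. node_modules — required for Node-based Dockerfiles
+*
+* @throws {Error} When a .dockerignore file exceeds 10MB
+*/
+export declare const dockerIgnoreValidation: import("@opensip-cli/fitness").Check;
+//# sourceMappingURL=docker-ignore-validation.d.ts.map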
@@ -0,0 +1 @@
1
+
{"version":3,"file":"docker-ignore-validation.d.ts","sourceRoot":"","sources":["../../../src/checks/architecture/docker-ignore-validation.ts"],"names":[],"mappings":"AAEA;;;;;;GAMG;AAsCH;;;;;;;;GAQG;AACH,eAAO,MAAM,sBAAsB,sCA+EjC,CAAC"}
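--- /dev/null
+++ b/package/dist/checks/architecture/docker-ignore-validation.js
@@ -0,0 +1,117 @@
+// @fitness-ignore-file batch-operation-limits -- iterates bounded collections (config entries, registry items, or small analysis results)
+// @fitness-ignore-file fitness-check-standards -- Uses fs for .dockerignore reading, not source file content
+/**
+* @fileoverview Docker .dockerignore validation fitness check
+* @invariants
+* - Every Dockerfile directory must have a .dockerignore file
+* - .dockerignore must include .git pattern
+* - Node-based Dockerfiles must also include node_modules pattern
+*/
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+import { defineCheck } from '@opensip-cli/fitness';
+// =============================================================================
+// REGEX PATTERNS
+// =============================================================================
+/** Matches FROM node:XX or FROM node:XX-alpine etc. */
+const FROM_NODE_PATTERN = /^FROM\s+node:/im;
+// =============================================================================
+// HELPERS
+// =============================================================================
+/**
+* Check if a .dockerignore file contains a required pattern.
+* Matches exact lines (trimmed), not substrings.
+*/
+function hasPattern(dockerignoreContent, pattern) {
+const lines = dockerignoreContent.split('\n').map((l) => l.trim());
+return lines.includes(pattern);
+}
+/**
+* Determine if a Dockerfile is Node-based by checking for FROM node: directives.
+*/
+function isNodeDockerfile(content) {
+return FROM_NODE_PATTERN.test(content);
+}
+// =============================================================================
+// CHECK DEFINITION
+// =============================================================================
+/**
+* Check: architecture/docker-ignore-validation
+*
+* Validates that every Dockerfile has a corresponding .dockerignore with required patterns:
+* 1. .git — always required
+* 2. node_modules — required for Node-based Dockerfiles
+*
+* @throws {Error} When a .dockerignore file exceeds 10MB
+*/
+export const dockerIgnoreValidation = defineCheck({
+id: '70123fbb-c538-4186-a82e-fdb5e53d52d7',
+slug: 'docker-ignore-validation',
+disabled: true,
+scope: { languages: ['json', 'typescript', 'yaml'], concerns: ['config'] },
+contentFilter: 'raw',
+confidence: 'medium',
+description: 'Validate .dockerignore files exist alongside Dockerfiles with required patterns',
+longDescription: `**Purpose:** Ensures every Dockerfile has a corresponding \`.dockerignore\` with required exclusion patterns to keep build contexts small and secure.
+
+**Detects:**
+- Missing \`.dockerignore\` file in the same directory as a Dockerfile
+- \`.dockerignore\` missing the \`.git\` pattern (always required)
+- \`.dockerignore\` missing the \`node_modules\` pattern for Node-based Dockerfiles (detected via \`FROM node:\` directives)
+
+**Why it matters:** Without proper \`.dockerignore\` files, Docker build contexts include unnecessary files (.git history, node_modules), causing slow builds and potential secret leaks.
+
+**Scope:** General best practice. Cross-file analysis via \`analyzeAll\`.`,
+tags: ['docker', 'dockerignore', 'architecture'],
+/** @throws {Error} When file system operations fail */
+async analyzeAll(files) {
+const violations = [];
+for (const filePath of files.paths) {
+const dockerfileDir = path.dirname(filePath);
+const dockerignorePath = path.join(dockerfileDir, '.dockerignore');
+const relPath = path.relative(process.cwd(), filePath);
+// Check if .dockerignore exists
+if (!fs.existsSync(dockerignorePath)) {
+violations.push({
+line: 1,
+filePath,
+message: `No .dockerignore found alongside ${relPath}`,
+severity: 'warning',
+suggestion: `Create a .dockerignore file in ${path.relative(process.cwd(), dockerfileDir)} with at least .git pattern`,
+type: 'missing-dockerignore',
+});
+continue;
+}
+// Read .dockerignore and validate required patterns
+const dockerignoreStats = fs.statSync(dockerignorePath);
+if (dockerignoreStats.size > 10_000_000)
+throw new Error(`File too large: ${dockerignorePath}`);
+const dockerignoreContent = fs.readFileSync(dockerignorePath, 'utf8');
+const content = await files.read(filePath);
+// .git is always required
+if (!hasPattern(dockerignoreContent, '.git')) {
+violations.push({
+line: 1,
+filePath,
+message: `.dockerignore for ${relPath} is missing required pattern: .git`,
+severity: 'warning',
+suggestion: 'Add .git to .dockerignore to exclude version control data from build context',
+type: 'missing-pattern',
+});
+}
+// node_modules is required for Node-based Dockerfiles
+if (isNodeDockerfile(content) && !hasPattern(dockerignoreContent, 'node_modules')) {
+violations.push({
+line: 1,
+filePath,
+message: `.dockerignore for ${relPath} is missing required pattern: node_modules`,
+severity: 'warning',
+suggestion: 'Add node_modules to .dockerignore to exclude local dependencies from build context',
+type: 'missing-pattern',
+});
+}
+}
+return violations;
+},
+});
+//# sourceMappingURL=docker-ignore-validation.js.map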
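Review bot: `hasPattern` (lines 25-28) accepts only an exact trimmed line, so a `.dockerignore` that writes the same exclusion as `/.git` or `.git/` (which Docker cleans to the same rule) or `**/.git` (a superset that matches at any depth) is still reported as missing the pattern, and the `node_modules` comparison at line 103 has the same false-positive; the comparison should normalize both sides before `includes`, as sketched below. Separately, the size guard at lines 87-88 throws out of `analyzeAll`, which aborts the whole run for one oversized `.dockerignore` where pushing a violation entry would preserve the results for every other Dockerfile — if the throw is intentional, the `@throws` tag at line 45 already documents it, but the trade-off deserves a comment at line 87 such as `// An oversized .dockerignore aborts the entire check run, not just this file`. I would also confirm whether `scope.languages` at line 51 (`json`, `typescript`, `yaml`) ever places Dockerfile paths in `files.paths`; if it does not, `isNodeDockerfile(content)` at line 103 can never match and the `node_modules` rule is effectively dead (the check is also shipped `disabled: true`, so this may be known).
```javascript
/** Normalize one ignore line so `/.git`, `.git/` and `**/.git` compare equal to `.git`. */
function normalizeIgnoreLine(line) {
    return line.trim().replace(/^\*\*\//, '').replace(/^\//, '').replace(/\/$/, '');
}
function hasPattern(dockerignoreContent, pattern) {
    const lines = dockerignoreContent.split('\n').map(normalizeIgnoreLine);
    return lines.includes(normalizeIgnoreLine(pattern));
}
// … unchanged: isNodeDockerfile, defineCheck({...}) …
```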
@@ -0,0 +1 @@
1
+
{"version":3,"file":"docker-ignore-validation.js","sourceRoot":"","sources":["../../../src/checks/architecture/docker-ignore-validation.ts"],"names":[],"mappings":"AAAA,0IAA0I;AAC1I,6GAA6G;AAC7G;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAElC,OAAO,EAAE,WAAW,EAA0C,MAAM,sBAAsB,CAAC;AAE3F,gFAAgF;AAChF,iBAAiB;AACjB,gFAAgF;AAEhF,uDAAuD;AACvD,MAAM,iBAAiB,GAAG,iBAAiB,CAAC;AAE5C,gFAAgF;AAChF,UAAU;AACV,gFAAgF;AAEhF;;;GAGG;AACH,SAAS,UAAU,CAAC,mBAA2B,EAAE,OAAe;IAC9D,MAAM,KAAK,GAAG,mBAAmB,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;IACnE,OAAO,KAAK,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;AACjC,CAAC;AAED;;GAEG;AACH,SAAS,gBAAgB,CAAC,OAAe;IACvC,OAAO,iBAAiB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;AACzC,CAAC;AAED,gFAAgF;AAChF,mBAAmB;AACnB,gFAAgF;AAEhF;;;;;;;;GAQG;AACH,MAAM,CAAC,MAAM,sBAAsB,GAAG,WAAW,CAAC;IAChD,EAAE,EAAE,sCAAsC;IAC1C,IAAI,EAAE,0BAA0B;IAChC,QAAQ,EAAE,IAAI;IACd,KAAK,EAAE,EAAE,SAAS,EAAE,CAAC,MAAM,EAAE,YAAY,EAAE,MAAM,CAAC,EAAE,QAAQ,EAAE,CAAC,QAAQ,CAAC,EAAE;IAC1E,aAAa,EAAE,KAAK;IAEpB,UAAU,EAAE,QAAQ;IACpB,WAAW,EAAE,iFAAiF;IAC9F,eAAe,EAAE;;;;;;;;;0EASuD;IACxE,IAAI,EAAE,CAAC,QAAQ,EAAE,cAAc,EAAE,cAAc,CAAC;IAEhD,uDAAuD;IACvD,KAAK,CAAC,UAAU,CAAC,KAAmB;QAClC,MAAM,UAAU,GAAqB,EAAE,CAAC;QAExC,KAAK,MAAM,QAAQ,IAAI,KAAK,CAAC,KAAK,EAAE,CAAC;YACnC,MAAM,aAAa,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;YAC7C,MAAM,gBAAgB,GAAG,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,eAAe,CAAC,CAAC;YACnE,MAAM,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,QAAQ,CAAC,CAAC;YAEvD,gCAAgC;YAChC,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,gBAAgB,CAAC,EAAE,CAAC;gBACrC,UAAU,CAAC,IAAI,CAAC;oBACd,IAAI,EAAE,CAAC;oBACP,QAAQ;oBACR,OAAO,EAAE,oCAAoC,OAAO,EAAE;oBACtD,QAAQ,EAAE,SAAS;oBACnB,UAAU,EAAE,kCAAkC,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,aAAa,CAAC,6BAA6B;oBACtH,IAAI,EAAE,sBAAsB;iBAC7B,CAAC,CAAC;gBACH,SAAS;YACX,CAAC;YAED,oDAAoD;YACpD,MAAM,iBAAiB,GAAG,EAAE,CAAC,QAAQ,CAAC,gBAAgB,CAAC,CAAC;YACxD,IAAI,iBAAiB,CAAC,IAAI,GAAG,UAAU;gBACrC,MAAM,IAAI,KAAK,CAAC,mBAAmB,gBAAgB,E
AAE,CAAC,CAAC;YACzD,MAAM,mBAAmB,GAAG,EAAE,CAAC,YAAY,CAAC,gBAAgB,EAAE,MAAM,CAAC,CAAC;YACtE,MAAM,OAAO,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YAE3C,0BAA0B;YAC1B,IAAI,CAAC,UAAU,CAAC,mBAAmB,EAAE,MAAM,CAAC,EAAE,CAAC;gBAC7C,UAAU,CAAC,IAAI,CAAC;oBACd,IAAI,EAAE,CAAC;oBACP,QAAQ;oBACR,OAAO,EAAE,qBAAqB,OAAO,oCAAoC;oBACzE,QAAQ,EAAE,SAAS;oBACnB,UAAU,EACR,8EAA8E;oBAChF,IAAI,EAAE,iBAAiB;iBACxB,CAAC,CAAC;YACL,CAAC;YAED,sDAAsD;YACtD,IAAI,gBAAgB,CAAC,OAAO,CAAC,IAAI,CAAC,UAAU,CAAC,mBAAmB,EAAE,cAAc,CAAC,EAAE,CAAC;gBAClF,UAAU,CAAC,IAAI,CAAC;oBACd,IAAI,EAAE,CAAC;oBACP,QAAQ;oBACR,OAAO,EAAE,qBAAqB,OAAO,4CAA4C;oBACjF,QAAQ,EAAE,SAAS;oBACnB,UAAU,EACR,oFAAoF;oBACtF,IAAI,EAAE,iBAAiB;iBACxB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO,UAAU,CAAC;IACpB,CAAC;CACF,CAAC,CAAC"}
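--- /dev/null
+++ b/package/dist/checks/architecture/docker-version-sync.d.ts
@@ -0,0 +1,16 @@
+/**
+* @fileoverview Docker version sync fitness check
+* @invariants
+* - Node major version in FROM directives must match engines.node from root package.json
+* - pnpm version should be derived dynamically from package.json packageManager field
+* - Hardcoded pnpm versions that don't match packageManager are errors
+*/
+/**
+* Check: architecture/docker-version-sync
+*
+* Validates that Dockerfiles keep Node and pnpm versions in sync with package.json:
+* 1. FROM node:XX major version matches engines.node
+* 2. pnpm version is either dynamically derived (preferred) or hardcoded consistently
+*/
+export declare const dockerVersionSync: import("@opensip-cli/fitness").Check;
+//# sourceMappingURL=docker-version-sync.d.ts.map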
@@ -0,0 +1 @@
1
+
{"version":3,"file":"docker-version-sync.d.ts","sourceRoot":"","sources":["../../../src/checks/architecture/docker-version-sync.ts"],"names":[],"mappings":"AAEA;;;;;;GAMG;AA8LH;;;;;;GAMG;AACH,eAAO,MAAM,iBAAiB,sCAkD5B,CAAC"}