droast — Dockerfile linter

Version updated for https://github.com/immanuwell/dockerfile-roast to version 1.0.1.

  • This action is used across all versions by ? repositories.

Action Type

This is a Composite action.

Go to the GitHub Marketplace to find the latest changes.

Action Summary

The droast GitHub Action is a Dockerfile linter designed to identify and flag bad practices in Dockerfiles, providing feedback in a direct and opinionated manner. It automates the process of reviewing Dockerfiles for issues like insecure configurations, inefficiencies, and anti-patterns, and integrates seamlessly into CI pipelines by annotating pull request diffs with findings. Key capabilities include severity filtering, rule customization, multiple output formats (e.g., GitHub annotations, JSON), and the option to suppress non-critical errors.

What’s Changed

1.0.1 release.

what’s in the box

  • 63+ lint rules covering base images, security, package managers, layer hygiene, instruction quality, service quality, and language-specific checks (Python, Node)
  • colored terminal output with snarky roast messages
  • json, github actions, and compact output formats
  • --list-rules, --skip, --min-severity, --no-roast flags
  • shell completions for bash, zsh, and fish (droast completion <shell>)

install

download the binary below, make it executable, and put it on your PATH:

chmod +x droast-linux-x86_64
mv droast-linux-x86_64 ~/.local/bin/droast

or build from source:

cargo install dockerfile-roast
image image

github action

add droast to any repo in 5 lines:

- uses: immanuwell/dockerfile-roast@1.0.0

full example (.github/workflows/lint.yml):

name: Lint Dockerfiles

on: [push, pull_request]

jobs:
  droast:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: immanuwell/dockerfile-roast@1.0.0

findings show up as inline annotations on the PR diff. no configuration required.

available inputs (all optional):

inputdefaultdescription
filesDockerfilefile(s) or glob to lint
min-severityinfoinfo, warning, or error
skipcomma-separated rule IDs to ignore
no-roastfalsetechnical output only, no jokes
no-failfalseadvisory mode — never blocks the build
image-taglatestpin to a specific droast release, e.g. 1.0.0

example with options:

- uses: immanuwell/dockerfile-roast@1.0.0
  with:
    files: '**/Dockerfile'
    min-severity: warning
    skip: DF012,DF022
    no-fail: true        # report findings but don't block the PR