Skip to main content
tally is designed to run fast in CI without requiring Docker Desktop or a daemon. It produces output in formats that native CI systems understand natively, including GitHub Actions annotations and SARIF for code scanning.

Quick tips

  • Use --fail-level to control which severities fail CI (for example, fail on warning but not on style).
  • Use --exclude to skip generated or vendor trees.
  • Commit a .tally.toml to keep CI and local runs consistent.
  • Use --format github-actions for inline PR annotations on GitHub.
  • Use --format sarif to upload results to GitHub Code Scanning or Azure DevOps.
  • Lint docker-bake.hcl or compose.yaml directly when those files define the real build.

Basic lint step

Add tally to any workflow that touches Dockerfiles:
The github-actions format emits ::warning and ::error annotations that GitHub renders inline in the PR diff.

SARIF upload to Code Scanning

Upload results to GitHub Code Scanning for a persistent view of findings across commits:
Use --fail-level none when uploading SARIF so the step doesn’t fail before the upload runs. Code Scanning will surface the findings separately.

Matrix strategy for multiple Dockerfiles

Lint different Dockerfiles in parallel using a matrix:

Lint Bake or Compose in CI

If your CI builds images through Bake or Compose, lint the same entrypoint rather than rediscovering Dockerfiles:
Select only the build that changed:
Do not use --fix in orchestrator CI jobs. Orchestrator runs can represent multiple builds of the same Dockerfile, so fixes are only available when linting a Dockerfile directly. See Build invocations for the full behavior.

Output format recommendations