Quick tips
- Use
--fail-levelto control which severities fail CI (for example, fail onwarningbut not onstyle). - Use
--excludeto skip generated or vendor trees. - Commit a
.tally.tomlto keep CI and local runs consistent. - Use
--format github-actionsfor inline PR annotations on GitHub. - Use
--format sarifto upload results to GitHub Code Scanning or Azure DevOps. - Lint
docker-bake.hclorcompose.yamldirectly when those files define the real build.
- GitHub Actions
- GitLab CI
- Pre-commit
Basic lint step
Add tally to any workflow that touches Dockerfiles:github-actions format emits ::warning and ::error annotations that GitHub renders inline in the PR diff.SARIF upload to Code Scanning
Upload results to GitHub Code Scanning for a persistent view of findings across commits:Use
--fail-level none when uploading SARIF so the step doesn’t fail before the upload runs. Code Scanning will surface the findings separately.Matrix strategy for multiple Dockerfiles
Lint different Dockerfiles in parallel using a matrix:Lint Bake or Compose in CI
If your CI builds images through Bake or Compose, lint the same entrypoint rather than rediscovering Dockerfiles:--fix in orchestrator CI jobs. Orchestrator runs can represent multiple builds of the same Dockerfile, so fixes are only available when
linting a Dockerfile directly. See Build invocations for the full behavior.
Output format recommendations
Related guides
- Configuration — set
fail-level,format, andexcludein.tally.toml - Output formats — full reference for all output formats
- Exit codes — how to handle each exit code in scripts