Skip to main content
tally supports 22/22 BuildKit checks. 5 are captured directly from BuildKit’s parser; 17 are reimplemented as static rules so they work without running Docker/BuildKit.
BuildKit checks come from Docker’s official build checks reference. tally integrates them in two ways:
  • Implemented by tally — BuildKit normally runs these during LLB conversion (i.e., when actually building). tally reimplements them as pure static checks so they catch issues without a Docker daemon.
  • Captured from BuildKit parser — These are emitted by BuildKit during Dockerfile parsing and forwarded directly to tally’s diagnostic pipeline.
All 11 auto-fixable rules are marked with 🔧. Run tally lint --fix to apply safe fixes automatically.

Implemented by tally

These 17 checks correspond to BuildKit’s LLB-conversion checks. tally runs them statically, so you get full coverage without Docker or BuildKit installed.
All commands within the Dockerfile should use the same casing (either upper or lower).Severity: Warning (enabled by default) · Auto-fixable: YesDocker docs: consistent-instruction-casing
Attempting to COPY a file that is excluded by .dockerignore.Severity: Warning (enabled by default) · Auto-fixable: NoDocker docs: copy-ignored-file
Stage names should be unique.Severity: Error (enabled by default) · Auto-fixable: NoDocker docs: duplicate-stage-name
IP address and host-port mapping should not be used in EXPOSE. This will become an error in a future release.Severity: Warning (enabled by default) · Auto-fixable: NoDocker docs: expose-invalid-format
Protocol in EXPOSE instruction should be lowercase.Severity: Warning (enabled by default) · Auto-fixable: YesDocker docs: expose-proto-casing
FROM --platform flag should not use a constant value.Severity: Off by default · Auto-fixable: NoDocker docs: from-platform-flag-const-disallowed
Base image platform does not match expected target platform.Severity: Off by default · Auto-fixable: No
Default value for a global ARG results in an empty or invalid base image name.Severity: Error (enabled by default) · Auto-fixable: NoDocker docs: invalid-default-arg-in-from
JSON arguments are recommended for ENTRYPOINT/CMD to prevent unintended behavior related to OS signals.Severity: Info (enabled by default) · Auto-fixable: YesDocker docs: json-args-recommended
Legacy key/value format with whitespace separator should not be used.Severity: Warning (enabled by default) · Auto-fixable: YesDocker docs: legacy-key-value-format
Multiple instructions of the same type should not be used in the same stage.Severity: Warning (enabled by default) · Auto-fixable: YesDocker docs: multiple-instructions-disallowed
Setting --platform to the predefined $TARGETPLATFORM in FROM is redundant as it is the default behavior.Severity: Warning (enabled by default) · Auto-fixable: NoDocker docs: redundant-target-platform
Reserved words should not be used as stage names.Severity: Error (enabled by default) · Auto-fixable: NoDocker docs: reserved-stage-name
Sensitive data should not be used in the ARG or ENV commands.Severity: Warning (enabled by default) · Auto-fixable: NoDocker docs: secrets-used-in-arg-or-env
FROM command must use declared ARGs.Severity: Warning (enabled by default) · Auto-fixable: NoDocker docs: undefined-arg-in-from
Variables should be defined before their use.Severity: Warning (enabled by default) · Auto-fixable: NoDocker docs: undefined-var
Relative WORKDIR without a prior absolute WORKDIR can have unexpected results if the base image changes.Severity: Warning (enabled by default) · Auto-fixable: YesDocker docs: workdir-relative-path

Captured from BuildKit parser

These 5 checks are emitted by BuildKit during Dockerfile parsing. tally captures them directly and includes them in its diagnostic output alongside statically implemented rules.
The as keyword should match the case of the from keyword.Severity: Warning (enabled by default) · Auto-fixable: YesDocker docs: from-as-casing
Comments for build stages or arguments should follow the format: # <arg/stage name> <description>. If this is not intended to be a description comment, add an empty line or comment between the instruction and the comment.Severity: Warning · Default: Off (experimental) · Auto-fixable: YesDocker docs: invalid-definition-description
The MAINTAINER instruction is deprecated; use a label instead to define an image author.Severity: Warning (enabled by default) · Auto-fixable: YesDocker docs: maintainer-deprecated
Empty continuation lines will become errors in a future release.Severity: Warning (enabled by default) · Auto-fixable: YesDocker docs: no-empty-continuation
Stage names should be lowercase.Severity: Warning (enabled by default) · Auto-fixable: YesDocker docs: stage-name-casing