- DL rules implemented natively by tally
- Additional rules covered by equivalent BuildKit or tally rules
- Full Hadolint rule documentation: github.com/hadolint/hadolint/wiki
Implemented rules
Rules natively implemented by tally. Auto-fixable rules are marked with 🔧.Enabling off-by-default rules
DL3022 and DL3026 are off by default and must be enabled in.tally.toml:
trusted-registries automatically enables the rule with severity = "warning". Set severity explicitly to use a different level.
Covered by BuildKit and tally rules
These Hadolint rules are superseded by an equivalent BuildKit or tally rule. You do not need to enable both — tally’s rule provides the same or better coverage.Not planned
The following rules are intentionally not implemented. tally promotes BuildKit cache mounts viatally/prefer-package-cache-mounts as the modern
alternative to manual cache-cleanup patterns.
Cache-cleanup instructions add build-time overhead and produce smaller layers at the cost of slower rebuilds. BuildKit cache mounts
(
RUN --mount=type=cache) solve the same problem more efficiently by keeping package caches on the host between builds. See
tally/prefer-package-cache-mounts for details.
DL3057: HEALTHCHECK instruction missing (enhanced)
tally’s implementation of DL3057 goes beyond Hadolint’s static check with smart suppression and an optional registry-backed resolution path.Smart suppression (static)
The rule is automatically suppressed when aHEALTHCHECK would not be beneficial:
- Serverless base images — AWS Lambda (
public.ecr.aws/lambda/*,amazon/aws-lambda-*), Azure Functions (mcr.microsoft.com/azure-functions/*), and OpenFaaS watchdog images. These platforms manage function lifecycle externally. - Serverless framework entrypoints — When the final stage’s
CMDorENTRYPOINTinvokes a known FaaS wrapper (e.g.functions-frameworkfor Google Cloud Functions), including the commonexecprefix pattern. - Shell-only containers — When the final stage’s
CMDorENTRYPOINTis a bare interactive shell (bash,sh, etc.), the container is not a long-running service.
Registry-backed resolution (--slow-checks)
HEALTHCHECK is inherited from base images at runtime. If a base image defines HEALTHCHECK CMD ..., child images inherit it automatically. tally
can resolve this by inspecting the base image registry.
When
--slow-checks is off, only the fast static check runs.
Migrating from Hadolint
tally is a drop-in replacement for common Hadolint workflows. Existing inline suppression comments work without modification:ignore=DL3006 and ignore=hadolint/DL3006 are valid. You can also use tally’s own directive format:
Shell directive
When using base images with non-POSIX shells (e.g., Windows images with PowerShell), declare the shell to disable POSIX-specific rules:powershell, pwsh, cmd / cmd.exe.
When a non-POSIX shell is declared, tally automatically disables shell command analysis rules (e.g., DL3004 sudo detection, DL4001 wget/curl
detection) and future ShellCheck-based rules.
Both # hadolint shell=<shell> and # tally shell=<shell> formats are supported.
ShellCheck rules (SC rules)
ShellCheck rules analyze shell scripts withinRUN commands. Implementation has started with native Go reimplementations that use tally’s fix and
reporting infrastructure.
Additional SC1xxx (syntax/parsing) and SC2xxx (logic/correctness) rules are planned.