Skip to main content
Hadolint is a widely-used Dockerfile linter. tally implements its rules natively — so you get Hadolint-compatible checks without installing a separate tool — and adds enhancements like auto-fix and smart suppression.
  • DL rules implemented natively by tally
  • Additional rules covered by equivalent BuildKit or tally rules
  • Full Hadolint rule documentation: github.com/hadolint/hadolint/wiki
tally supports the # hadolint ignore=DLxxxx directive format natively, so existing Hadolint suppressions work without any changes. The # hadolint shell=powershell directive is also supported.

Implemented rules

Rules natively implemented by tally. Auto-fixable rules are marked with 🔧.

Enabling off-by-default rules

DL3022 and DL3026 are off by default and must be enabled in .tally.toml:
Providing trusted-registries automatically enables the rule with severity = "warning". Set severity explicitly to use a different level.

Covered by BuildKit and tally rules

These Hadolint rules are superseded by an equivalent BuildKit or tally rule. You do not need to enable both — tally’s rule provides the same or better coverage.

Not planned

The following rules are intentionally not implemented. tally promotes BuildKit cache mounts via tally/prefer-package-cache-mounts as the modern alternative to manual cache-cleanup patterns. Cache-cleanup instructions add build-time overhead and produce smaller layers at the cost of slower rebuilds. BuildKit cache mounts (RUN --mount=type=cache) solve the same problem more efficiently by keeping package caches on the host between builds. See tally/prefer-package-cache-mounts for details.

DL3057: HEALTHCHECK instruction missing (enhanced)

tally’s implementation of DL3057 goes beyond Hadolint’s static check with smart suppression and an optional registry-backed resolution path.

Smart suppression (static)

The rule is automatically suppressed when a HEALTHCHECK would not be beneficial:
  • Serverless base images — AWS Lambda (public.ecr.aws/lambda/*, amazon/aws-lambda-*), Azure Functions (mcr.microsoft.com/azure-functions/*), and OpenFaaS watchdog images. These platforms manage function lifecycle externally.
  • Serverless framework entrypoints — When the final stage’s CMD or ENTRYPOINT invokes a known FaaS wrapper (e.g. functions-framework for Google Cloud Functions), including the common exec prefix pattern.
  • Shell-only containers — When the final stage’s CMD or ENTRYPOINT is a bare interactive shell (bash, sh, etc.), the container is not a long-running service.

Registry-backed resolution (--slow-checks)

HEALTHCHECK is inherited from base images at runtime. If a base image defines HEALTHCHECK CMD ..., child images inherit it automatically. tally can resolve this by inspecting the base image registry. When --slow-checks is off, only the fast static check runs.

Migrating from Hadolint

tally is a drop-in replacement for common Hadolint workflows. Existing inline suppression comments work without modification:
Both ignore=DL3006 and ignore=hadolint/DL3006 are valid. You can also use tally’s own directive format:

Shell directive

When using base images with non-POSIX shells (e.g., Windows images with PowerShell), declare the shell to disable POSIX-specific rules:
Supported non-POSIX shells: powershell, pwsh, cmd / cmd.exe. When a non-POSIX shell is declared, tally automatically disables shell command analysis rules (e.g., DL3004 sudo detection, DL4001 wget/curl detection) and future ShellCheck-based rules. Both # hadolint shell=<shell> and # tally shell=<shell> formats are supported.

ShellCheck rules (SC rules)

ShellCheck rules analyze shell scripts within RUN commands. Implementation has started with native Go reimplementations that use tally’s fix and reporting infrastructure. Additional SC1xxx (syntax/parsing) and SC2xxx (logic/correctness) rules are planned.