tally integrates rules from multiple sources. Each rule belongs to a namespace that indicates its origin, and all rules share a common configuration and suppression model.

Rule namespaces

| Namespace | Source | Description |
|---|---|---|
| tally/ | tally custom rules | Security, correctness, performance, style, GPU, PHP, PowerShell, and Windows |
| buildkit/ | Docker’s BuildKit linter | Captured during parsing or reimplemented for static analysis |
| hadolint/ | Hadolint | Hadolint-compatible rules implemented natively |
| shellcheck/ | Embedded ShellCheck | Shell script analysis within RUN instructions |

Severity levels

| Severity | Meaning |
|---|---|
| error | Critical issue; blocks CI by default |
| warning | Important issue that should be addressed |
| info | Informational suggestion |
| style | Style preference; auto-fixable in most cases |
| off | Rule disabled |

The default fail level is style, meaning any violation causes a non-zero exit. Use --fail-level to adjust this.

Auto-fixable rules

Rules marked with 🔧 can be fixed automatically with tally lint --fix. Some fixes are classified as suggestions (unsafe) and require --fix --fix-unsafe to apply. Auto-fixable rules cover formatting, style normalization, and many correctness improvements.

Enabling and disabling rules

In .tally.toml

Use include and exclude glob patterns to select which rules run:
[rules]
# Enable entire namespaces
include = ["buildkit/*", "tally/*", "hadolint/*"]

# Disable specific rules
exclude = [
  "buildkit/MaintainerDeprecated",
  "hadolint/DL3008",
]
Configure individual rules with [rules.<namespace>.<rule-name>]:
[rules.tally.max-lines]
severity = "warning"
max = 100
skip-blank-lines = true
skip-comments = true

[rules.buildkit.StageNameCasing]
severity = "info"

[rules.hadolint.DL3026]
severity = "warning"
trusted-registries = ["docker.io", "gcr.io", "ghcr.io"]
Rules that are off by default (such as hadolint/DL3026) are automatically enabled with severity = "warning" when you provide configuration options for them — no need to set severity explicitly unless you want a different level.

With CLI flags

Use --select to enable rules and --ignore to disable them:
# Enable only buildkit rules
tally lint --select "buildkit/*" Dockerfile

# Disable a specific rule
tally lint --ignore "buildkit/MaintainerDeprecated" Dockerfile

Inline suppression directives

Suppress specific violations directly in your Dockerfile using comment directives.

Next-line suppression

# tally ignore=StageNameCasing
FROM alpine AS Build

# tally ignore=DL3006,DL3007
FROM ubuntu:16.04

File-wide suppression

# tally global ignore=max-lines;reason=Generated file, size is expected
FROM alpine

Adding a reason

Use ;reason= to document why a rule is suppressed. Required when --require-reason is set:
# tally ignore=DL3006;reason=Using older base image for compatibility
FROM ubuntu:16.04

Suppress all rules on a line

# tally ignore=all
FROM Ubuntu AS Build

Migration compatibility

tally also accepts directive formats from hadolint and Docker’s check=skip syntax:
# hadolint ignore=DL3024
FROM alpine AS builder

# check=skip=StageNameCasing
FROM alpine AS Builder
Directives work with or without namespace prefixes. Both ignore=DL3024 and ignore=hadolint/DL3024 are valid.
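
An added example, not part of tally or its documentation: a small audit script that finds the suppression directives shown above and flags those with no ;reason=, blanket ignore=all, and file-wide suppressions, so a reviewer can see what a Dockerfile has silenced. The regular expression and the name audit_suppressions are assumptions based only on the directive forms on this page; this is not tally's parser.

```python
import re

# Directive forms shown on this page; the exact grammar tally accepts is an
# assumption here (this is not tally's own parser).
DIRECTIVE = re.compile(
    r"^\s*#\s*(?:(?P<tool>tally|hadolint)\s+(?P<glob>global\s+)?ignore=|check=skip=)"
    r"(?P<rules>[^;\s]+)(?:\s*;\s*reason=(?P<reason>.*))?\s*$"
)

def audit_suppressions(dockerfile_text):
    """Return one finding dict per suppression directive in the Dockerfile text."""
    findings = []
    for lineno, line in enumerate(dockerfile_text.splitlines(), start=1):
        m = DIRECTIVE.match(line)
        if not m:
            continue
        # Strip namespace prefixes: ignore=hadolint/DL3024 equals ignore=DL3024.
        rules = [r.split("/", 1)[-1] for r in m.group("rules").split(",") if r]
        reason = (m.group("reason") or "").strip()
        flags = []
        if not reason:
            flags.append("no-reason")   # would be rejected under --require-reason
        if "all" in rules:
            flags.append("blanket")     # ignore=all silences every rule on the line
        if m.group("glob"):
            flags.append("file-wide")   # global ignore applies to the whole file
        findings.append({"line": lineno, "rules": rules, "reason": reason, "flags": flags})
    return findings

# Constructed sample input, assembled from the directive examples on this page.
SAMPLE = """\
# tally global ignore=max-lines;reason=Generated file, size is expected
# tally ignore=DL3006,DL3007
FROM ubuntu:16.04
# hadolint ignore=hadolint/DL3024
FROM alpine AS builder
# check=skip=StageNameCasing
FROM alpine AS Builder
# tally ignore=all
FROM Ubuntu AS Build
"""

if __name__ == "__main__":
    for f in audit_suppressions(SAMPLE):
        print(f["line"], ",".join(f["rules"]), f["flags"] or "ok")
```

Only comment lines that start with # are treated as directives, so a directive-looking string inside a RUN command is not counted.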

Shell directive for non-POSIX shells

When using a non-POSIX shell (PowerShell, cmd), use the shell directive to disable incompatible rules:
FROM mcr.microsoft.com/windows/servercore:ltsc2022
# hadolint shell=powershell
RUN Get-Process notepad | Stop-Process
Supported values: powershell, pwsh, cmd, cmd.exe.

Explore rules by category

Security

Secret detection, VEX attestations, secret mounts, privilege rules, and telemetry opt-out.

Correctness

Stage structure, signal handling, JSON exec-form, identity resolution, curl/wget config, and platform checks.

Performance

Multi-stage builds, cache mounts, heredocs, and archive extraction.

Style

Formatting, sorting, indentation, and epilogue ordering — all auto-fixable.

GPU / CUDA

NVIDIA/CUDA-aware rules for build-time queries, driver capabilities, and image size.

PHP

Composer dependency hygiene and Xdebug detection.

Windows

Windows container-specific rules for mounts, signals, and ownership flags.

BuildKit

Docker’s official BuildKit linter checks.

Hadolint

Hadolint DL rules implemented natively.