Skip to main content
tally integrates rules from multiple sources. Each rule belongs to a namespace that indicates its origin, and all rules share a common configuration and suppression model.

Rule namespaces

Severity levels

The default fail level is style, meaning any violation causes a non-zero exit. Use --fail-level to adjust this.

Auto-fixable rules

Rules marked with 🔧 can be fixed automatically with tally lint --fix. Some fixes are classified as suggestions (unsafe) and require --fix --fix-unsafe to apply. Auto-fixable rules cover formatting, style normalization, and many correctness improvements.

Enabling and disabling rules

In .tally.toml

Use include and exclude glob patterns to select which rules run:
Configure individual rules with [rules.<namespace>.<rule-name>]:
Rules that are off by default (such as hadolint/DL3026) are automatically enabled with severity = "warning" when you provide configuration options for them — no need to set severity explicitly unless you want a different level.

With CLI flags

Use --select to enable rules and --ignore to disable them:

Inline suppression directives

Suppress specific violations directly in your Dockerfile using comment directives.

Next-line suppression

File-wide suppression

Adding a reason

Use ;reason= to document why a rule is suppressed. Required when --require-reason is set:

Suppress all rules on a line

Migration compatibility

tally also accepts directive formats from hadolint and Docker’s check=skip syntax:
Directives work with or without namespace prefixes. Both ignore=DL3024 and ignore=hadolint/DL3024 are valid.

Shell directive for non-POSIX shells

When using a non-POSIX shell (PowerShell, cmd), use the shell directive to disable incompatible rules:
Supported values: powershell, pwsh, cmd, cmd.exe.

Explore rules by category

Security

Secret detection, VEX attestations, secret mounts, privilege rules, and telemetry opt-out.

Correctness

Stage structure, signal handling, JSON exec-form, identity resolution, curl/wget config, and platform checks.

Performance

Multi-stage builds, cache mounts, heredocs, and archive extraction.

Style

Formatting, sorting, indentation, and epilogue ordering — all auto-fixable.

Labels

Image metadata key validation, duplicate detection, Buildx overlap checks, base digest checks, and Docker namespace guardrails.

GPU / CUDA

NVIDIA/CUDA-aware rules for build-time queries, driver capabilities, and image size.

JavaScript

Node and JavaScript container rules for native addon build caches.

PHP

Composer dependency hygiene and Xdebug detection.

Windows

Windows container-specific rules for mounts, signals, and ownership flags.

BuildKit

Docker’s official BuildKit linter checks.

Hadolint

Hadolint DL rules implemented natively.