Skip to main content
GPU visibility is deployment policy; hardcoding it in the image reduces portability.

Description

Detects ENV instructions that hardcode GPU device visibility variables (NVIDIA_VISIBLE_DEVICES, CUDA_VISIBLE_DEVICES) inside the image. GPU visibility is deployment policy that should be set at runtime via docker run --gpus, NVIDIA_VISIBLE_DEVICES in the orchestrator, or similar mechanisms — not baked into the container image.

Why this matters

  • Portability — images with hardcoded device indices or UUIDs cannot run on hosts with different GPU topologies without rebuilding
  • Orchestrator conflict — Kubernetes device plugins, Slurm, and other schedulers set GPU visibility externally; image-level settings can conflict with or override orchestrator intent
  • Redundancy — official nvidia/cuda base images already set NVIDIA_VISIBLE_DEVICES=all via image labels; re-declaring it in the Dockerfile is pure noise

What is flagged

Examples

Violation

No violation

Auto-fix behavior

The rule offers two fix safety levels:
  • FixSafe (applied with --fix): removes the redundant NVIDIA_VISIBLE_DEVICES=all on nvidia/cuda base images. This is 100% behavior-preserving because the base image already sets this value.
  • FixSuggestion (applied with --fix --fix-unsafe): removes hardcoded device indices, UUIDs, or CUDA_VISIBLE_DEVICES values. This improves portability but changes deployment semantics — the user must ensure GPU visibility is provided at runtime.
For multi-key ENV instructions, only the flagged key is removed; other keys are preserved.

Configuration

This rule has no rule-specific options.

References