Description
DetectsENV instructions that hardcode GPU device visibility variables (NVIDIA_VISIBLE_DEVICES,
CUDA_VISIBLE_DEVICES) inside the image. GPU visibility is deployment policy that should be set at
runtime via docker run --gpus, NVIDIA_VISIBLE_DEVICES in the orchestrator, or similar mechanisms
— not baked into the container image.
Why this matters
- Portability — images with hardcoded device indices or UUIDs cannot run on hosts with different GPU topologies without rebuilding
- Orchestrator conflict — Kubernetes device plugins, Slurm, and other schedulers set GPU visibility externally; image-level settings can conflict with or override orchestrator intent
- Redundancy — official
nvidia/cudabase images already setNVIDIA_VISIBLE_DEVICES=allvia image labels; re-declaring it in the Dockerfile is pure noise
What is flagged
Examples
Violation
No violation
Auto-fix behavior
The rule offers two fix safety levels:FixSafe(applied with--fix): removes the redundantNVIDIA_VISIBLE_DEVICES=allonnvidia/cudabase images. This is 100% behavior-preserving because the base image already sets this value.FixSuggestion(applied with--fix --fix-unsafe): removes hardcoded device indices, UUIDs, orCUDA_VISIBLE_DEVICESvalues. This improves portability but changes deployment semantics — the user must ensure GPU visibility is provided at runtime.
ENV instructions, only the flagged key is removed; other keys are preserved.