Docker lint

src/python/pants/backend/docker/lint/BUILD

@@ -0,0 +1,4 @@
+# Copyright 2021 Pants project contributors (see CONTRIBUTORS.md).
+# Licensed under the Apache License, Version 2.0 (see LICENSE).
+
+python_library()

src/python/pants/backend/docker/lint/hadolint/BUILD

@@ -0,0 +1,5 @@
+# Copyright 2021 Pants project contributors (see CONTRIBUTORS.md).
+# Licensed under the Apache License, Version 2.0 (see LICENSE).
+
+python_library()
+python_tests(name="tests")

src/python/pants/backend/docker/lint/hadolint/register.py

@@ -0,0 +1,12 @@
+# Copyright 2021 Pants project contributors (see CONTRIBUTORS.md).
+# Licensed under the Apache License, Version 2.0 (see LICENSE).
+
+from pants.backend.docker.lint.hadolint import skip_field
+from pants.backend.docker.lint.hadolint.rules import rules as hadolint_rules
+
+
+def rules():
+    return (
+        *hadolint_rules(),
+        *skip_field.rules(),
+    )

src/python/pants/backend/docker/lint/hadolint/rules.py

@@ -0,0 +1,92 @@
+# Copyright 2021 Pants project contributors (see CONTRIBUTORS.md).
+# Licensed under the Apache License, Version 2.0 (see LICENSE).
+from __future__ import annotations
+
+from dataclasses import dataclass
+
+from pants.backend.docker.lint.hadolint.skip_field import SkipHadolintField
+from pants.backend.docker.lint.hadolint.subsystem import Hadolint
+from pants.backend.docker.target_types import DockerImageSources
+from pants.core.goals.lint import LintRequest, LintResult, LintResults
+from pants.core.util_rules.config_files import ConfigFiles, ConfigFilesRequest
+from pants.core.util_rules.external_tool import DownloadedExternalTool, ExternalToolRequest
+from pants.core.util_rules.source_files import SourceFiles, SourceFilesRequest
+from pants.engine.fs import Digest, MergeDigests
+from pants.engine.platform import Platform
+from pants.engine.process import FallibleProcessResult, Process
+from pants.engine.rules import Get, MultiGet, collect_rules, rule
+from pants.engine.target import FieldSet, Target
+from pants.engine.unions import UnionRule
+from pants.util.logging import LogLevel
+from pants.util.strutil import pluralize
+
+
+@dataclass(frozen=True)
+class HadolintFieldSet(FieldSet):
+    required_fields = (DockerImageSources,)
+
+    sources: DockerImageSources
+
+    @classmethod
+    def opt_out(cls, tgt: Target) -> bool:
+        return tgt.get(SkipHadolintField).value
+
+
+class HadolintRequest(LintRequest):
+    field_set_type = HadolintFieldSet
+
+
+def generate_argv(source_files: SourceFiles, hadolint: Hadolint) -> tuple[str, ...]:
+    args = []
+    if hadolint.config:
+        args.append(f"--config={hadolint.config}")
+    args.extend(hadolint.args)
+    args.extend(source_files.files)
+    return tuple(args)
+
+
+@rule(desc="Lint with Hadolint", level=LogLevel.DEBUG)
+async def run_hadolint(request: HadolintRequest, hadolint: Hadolint) -> LintResults:
+    if hadolint.skip:
+        return LintResults([], linter_name="Hadolint")
+
+    downloaded_hadolint, sources = await MultiGet(
+        Get(DownloadedExternalTool, ExternalToolRequest, hadolint.get_request(Platform.current)),
+        Get(
+            SourceFiles,
+            SourceFilesRequest(
+                [field_set.sources for field_set in request.field_sets],
+                for_sources_types=(DockerImageSources,),
+                enable_codegen=True,
+            ),
+        ),
+    )
+    config_files = await Get(ConfigFiles, ConfigFilesRequest, hadolint.config_request())
+    input_digest = await Get(
+        Digest,
+        MergeDigests(
+            (
+                sources.snapshot.digest,
+                downloaded_hadolint.digest,
+                config_files.snapshot.digest,
+            )
+        ),
+    )
+    process_result = await Get(
+        FallibleProcessResult,
+        Process(
+            argv=[downloaded_hadolint.exe, *generate_argv(sources, hadolint)],
+            input_digest=input_digest,
+            description=f"Run `hadolint` on {pluralize(len(sources.files), 'Dockerfile')}.",
+            level=LogLevel.DEBUG,
+        ),
+    )
+    results = [LintResult.from_fallible_process_result(process_result)]
+    return LintResults(results, linter_name="hadolint")
+
+
+def rules():
+    return [
+        *collect_rules(),
+        UnionRule(LintRequest, HadolintRequest),
+    ]

src/python/pants/backend/docker/lint/hadolint/rules_integration_test.py

@@ -0,0 +1,139 @@
+# Copyright 2021 Pants project contributors (see CONTRIBUTORS.md).
+# Licensed under the Apache License, Version 2.0 (see LICENSE).
+
+from __future__ import annotations
+
+from textwrap import dedent
+
+import pytest
+
+from pants.backend.docker.lint.hadolint.rules import HadolintFieldSet, HadolintRequest
+from pants.backend.docker.lint.hadolint.rules import rules as hadolint_rules
+from pants.backend.docker.target_types import DockerImage
+from pants.core.goals.lint import LintResult, LintResults
+from pants.core.util_rules import config_files, external_tool, source_files
+from pants.engine.addresses import Address
+from pants.engine.target import Target
+from pants.testutil.rule_runner import QueryRule, RuleRunner
+
+
+@pytest.fixture
+def rule_runner() -> RuleRunner:
+    return RuleRunner(
+        rules=[
+            *hadolint_rules(),
+            *config_files.rules(),
+            *external_tool.rules(),
+            *source_files.rules(),
+            QueryRule(LintResults, [HadolintRequest]),
+        ],
+        target_types=[DockerImage],
+    )
+
+
+GOOD_FILE = "FROM python:3.8"
+BAD_FILE = "FROM python"
+
+
+def run_hadolint(
+    rule_runner: RuleRunner, targets: list[Target], *, extra_args: list[str] | None = None
+) -> tuple[LintResult, ...]:
+    rule_runner.set_options(
+        extra_args or (),
+        env_inherit={"PATH"},
+    )
+    results = rule_runner.request(
+        LintResults,
+        [HadolintRequest(HadolintFieldSet.create(tgt) for tgt in targets)],
+    )
+    return results.results
+
+
+def assert_success(
+    rule_runner: RuleRunner, target: Target, *, extra_args: list[str] | None = None
+) -> None:
+    result = run_hadolint(rule_runner, [target], extra_args=extra_args)
+    assert len(result) == 1
+    assert result[0].exit_code == 0
+    assert not result[0].stdout
+    assert not result[0].stderr
+
+
+def test_passing(rule_runner: RuleRunner) -> None:
+    rule_runner.write_files({"Dockerfile": GOOD_FILE, "BUILD": "docker_image(name='t')"})
+    tgt = rule_runner.get_target(Address("", target_name="t"))
+    assert_success(rule_runner, tgt)
+
+
+def test_failing(rule_runner: RuleRunner) -> None:
+    rule_runner.write_files({"Dockerfile": BAD_FILE, "BUILD": "docker_image(name='t')"})
+    tgt = rule_runner.get_target(Address("", target_name="t"))
+    result = run_hadolint(rule_runner, [tgt])
+    assert len(result) == 1
+    assert result[0].exit_code == 1
+    assert "Dockerfile:1 " in result[0].stdout
+
+
+def test_multiple_targets(rule_runner: RuleRunner) -> None:
+    rule_runner.write_files(
+        {
+            "Dockerfile.good": GOOD_FILE,
+            "Dockerfile.bad": BAD_FILE,
+            "BUILD": dedent(
+                """
+                docker_image(name="good", sources=("Dockerfile.good",))
+                docker_image(name="bad", sources=("Dockerfile.bad",))
+                """
+            ),
+        }
+    )
+    tgts = [
+        rule_runner.get_target(
+            Address("", target_name="good", relative_file_path="Dockerfile.good")
+        ),
+        rule_runner.get_target(Address("", target_name="bad", relative_file_path="Dockerfile.bad")),
+    ]
+    result = run_hadolint(rule_runner, tgts)
+    assert len(result) == 1
+    assert result[0].exit_code == 1
+    assert "Dockerfile.good" not in result[0].stdout
+    assert "Dockerfile.bad:1 " in result[0].stdout
+
+
+def test_config_files(rule_runner: RuleRunner) -> None:
+    rule_runner.write_files(
+        {
+            ".hadolint.yaml": "ignored: [DL3006, DL3011]",
+            "a/Dockerfile": BAD_FILE,
+            "a/BUILD": "docker_image()",
+            "b/Dockerfile": BAD_FILE,
+            "b/BUILD": "docker_image()",
+            "c/BUILD": "docker_image()",
+            "c/Dockerfile": "EXPOSE 123456",
+        }
+    )
+    tgts = [
+        rule_runner.get_target(Address("a")),
+        rule_runner.get_target(Address("b")),
+    ]
+    result = run_hadolint(rule_runner, tgts)
+    assert len(result) == 1
+    assert result[0].exit_code == 0
+    assert "a/Dockerfile" not in result[0].stdout
+    assert "b/Dockerfile " not in result[0].stdout
+
+    tgt = rule_runner.get_target(Address("c"))
+    assert_success(rule_runner, tgt, extra_args=["--hadolint-config=.hadolint.yaml"])
+
+
+def test_passthrough_args(rule_runner: RuleRunner) -> None:
+    rule_runner.write_files({"Dockerfile": BAD_FILE, "BUILD": "docker_image(name='t')"})
+    tgt = rule_runner.get_target(Address("", target_name="t"))
+    assert_success(rule_runner, tgt, extra_args=["--hadolint-args=--ignore DL3006"])
+
+
+def test_skip(rule_runner: RuleRunner) -> None:
+    rule_runner.write_files({"Dockerfile": BAD_FILE, "BUILD": "docker_image(name='t')"})
+    tgt = rule_runner.get_target(Address("", target_name="t"))
+    result = run_hadolint(rule_runner, [tgt], extra_args=["--hadolint-skip"])
+    assert not result

src/python/pants/backend/docker/lint/hadolint/skip_field.py

@@ -0,0 +1,15 @@
+# Copyright 2021 Pants project contributors (see CONTRIBUTORS.md).
+# Licensed under the Apache License, Version 2.0 (see LICENSE).
+
+from pants.backend.docker.target_types import DockerImage
+from pants.engine.target import BoolField
+
+
+class SkipHadolintField(BoolField):
+    alias = "skip_hadolint"
+    default = False
+    help = "If true, don't run hadolint on this target's Dockerfile."
+
+
+def rules():
+    return [DockerImage.register_plugin_field(SkipHadolintField)]

src/python/pants/backend/docker/lint/hadolint/subsystem.py

@@ -0,0 +1,95 @@
+# Copyright 2021 Pants project contributors (see CONTRIBUTORS.md).
+# Licensed under the Apache License, Version 2.0 (see LICENSE).
+
+from __future__ import annotations
+
+from typing import cast
+
+from pants.core.util_rules.config_files import ConfigFilesRequest
+from pants.core.util_rules.external_tool import TemplatedExternalTool
+from pants.option.custom_types import file_option, shell_str
+
+
+class Hadolint(TemplatedExternalTool):
+    options_scope = "hadolint"
+    name = "hadolint"
+    help = "A linter for Dockerfiles."
+
+    default_version = "v2.6.0"
+    default_known_versions = [
+        f"{default_version}|macos_arm64 |7d41496bf591f2b9c7daa76d4aa1db04ea97b9e11b44a24a4e404a10aab33686|2392080",
+        f"{default_version}|macos_x86_64|7d41496bf591f2b9c7daa76d4aa1db04ea97b9e11b44a24a4e404a10aab33686|2392080",
+        f"{default_version}|linux_x86_64|152e3c3375f26711650d4e11f9e382cf1bdf3f912d7379823e8fac4b1bce88d6|5812840",
+    ]
+    default_url_template = (
+        "https://github.com/hadolint/hadolint/releases/download/{version}/hadolint-{platform}"
+    )
+    default_url_platform_mapping = {
+        "macos_arm64": "Darwin-x86_64",
+        "macos_x86_64": "Darwin-x86_64",
+        "linux_x86_64": "Linux-x86_64",
+    }
+
+    @classmethod
+    def register_options(cls, register):
+        super().register_options(register)
+        register(
+            "--skip",
+            type=bool,
+            default=False,
+            help="Don't use Hadolint when running `./pants lint`.",
+        )
+        register(
+            "--args",
+            type=list,
+            member_type=shell_str,
+            help=(
+                "Arguments to pass directly to Hadolint, e.g. `--hadolint-args='--format json'`.'"
+            ),
+        )
+        register(
+            "--config",
+            type=file_option,
+            default=None,
+            advanced=True,
+            help=(
+                "Path to an YAML config file understood by Hadolint "
+                "(https://github.com/hadolint/hadolint#configure).\n\n"
+                f"Setting this option will disable `[{cls.options_scope}].config_discovery`. Use "
+                "this option if the config is located in a non-standard location."
+            ),
+        )
+        register(
+            "--config-discovery",
+            type=bool,
+            default=True,
+            advanced=True,
+            help=(
+                "If true, Pants will include all relevant config files during runs "
+                "(`.hadolint.yaml` and `.hadolint.yml`).\n\n"
+                f"Use `[{cls.options_scope}].config` instead if your config is in a "
+                "non-standard location."
+            ),
+        )
+
+    @property
+    def skip(self) -> bool:
+        return cast(bool, self.options.skip)
+
+    @property
+    def args(self) -> tuple[str, ...]:
+        return tuple(self.options.args)
+
+    @property
+    def config(self) -> str | None:
+        return cast("str | None", self.options.config)
+
+    def config_request(self) -> ConfigFilesRequest:
+        # Refer to https://github.com/hadolint/hadolint#configure for how config files are
+        # discovered.
+        return ConfigFilesRequest(
+            specified=self.config,
+            specified_option_name=f"[{self.options_scope}].config",
+            discovery=cast(bool, self.options.config_discovery),
+            check_existence=[".hadolint.yaml", ".hadolint.yml"],
+        )

src/python/pants/init/BUILD

@@ -8,6 +8,7 @@ target(
   dependencies=[
     'src/python/pants/backend/awslambda/python',
     'src/python/pants/backend/codegen/protobuf/python',
+    'src/python/pants/backend/docker/lint/hadolint',
     'src/python/pants/backend/experimental/docker',
     'src/python/pants/backend/experimental/go',
     'src/python/pants/backend/experimental/go/lint/gofmt',