hadolint / hadolint

Dockerfile linter, validate inline bash, written in Haskell
GNU General Public License v3.0

Output result to terminal AND in special format #837

Open alexgit2k opened 2 years ago

alexgit2k commented 2 years ago

Expected behavior

When integrating Hadolint in Gitlab with the codeclimate-report (see https://github.com/hadolint/hadolint/blob/master/docs/INTEGRATION.md#gitlab-ci) the result is only displayed if

  1. a merge-request for the branch exists and
  2. the target-branch (of the merge-request) has already a codeclimate-report

If these conditions are not met and the check fails you will not see the errors in the pipeline-output (only in the artefact which needs to be downloaded and is in JSON-Format).

Therefore it would be good, if there are additional options for output-file/format, e.g.: hadolint --ignore ... Dockerfile --file reports/hadolint-$CI_COMMIT_SHA.json --file-format gitlab_codeclimate

Actual behavior

Output is redirected to a file hadolint Dockerfile --format gitlab_codeclimate > reports/hadolint-$CI_COMMIT_SHA.json

Steps to reproduce the behavior

See https://github.com/hadolint/hadolint/blob/master/docs/INTEGRATION.md#gitlab-ci

Workaround

Run hadolint twice:

  script:
    - mkdir -p reports
    - hadolint Dockerfile --no-fail --format gitlab_codeclimate > reports/hadolint-$CI_COMMIT_SHA.json
    - hadolint Dockerfile

xlr-8 commented 1 year ago

You could also use tee to output it into several destinations without needing to re-run hadolint. That implies that the tee binary is installed on the server/docker though. Now, that would also output JSON into your terminal, which isn't ideal either, so you could also use jq.

> echo '{"foo": "bar"}' | tee -a file.log
{"foo": "bar"}
> cat file.log
{"foo": "bar"}
> jq . file.log
{
  "foo": "bar"
}

I know it doesn't quite solve your issue, but figured you might eventually save a bit of time instead of running it several times; and those might be of interest for those who don't know them.

alexgit2k commented 1 year ago

Interesting idea!

The two hadolint runs only take 6 seconds including docker-start. So I think it's a lot more work to find out the right parameters for jq to get near the default format output of hadolint.

nejch commented 3 months ago

In case maintainers don't like the idea of multiple outputs in a single run, I'm just linking an alternative approach that trivy uses now, which is a little convert subcommand that can achieve the same without expensive repeated calls.

https://aquasecurity.github.io/trivy/v0.52/docs/configuration/reporting/#converting

Since the example above uses GitLab, this is what our current trivy setup looks like using convert to save/show multiple different formats.

lint-repo:
  script:
    - trivy fs --no-progress --ignore-unfixed --format json --output trivy-results.json $CI_PROJECT_DIR
    - trivy convert --format template --template "@/contrib/junit.tpl" --output trivy-junit.xml trivy-results.json
    - trivy convert --exit-code 1 --format table trivy-results.json
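The three approaches in this thread (run the linter twice, tee the JSON and post-process it, or keep a saved JSON report and convert it in a second step) all reduce to the same thing: one linter run that writes the machine-readable report, plus a cheap conversion that prints a human-readable view and decides the exit code. The following script is an added example and is not part of hadolint or trivy; it renders a saved gitlab_codeclimate report as `path:line CODE severity: message` lines and exits non-zero above a severity threshold. The field names follow the Code Climate issue shape that the gitlab_codeclimate format uses; the sample report, the `fail_at` threshold and the script name `render_codeclimate.py` are constructed for the example.

```python
"""Render a saved hadolint Code Climate (gitlab_codeclimate) report as
terminal output and derive a pass/fail exit code from it, so the linter
only has to run once in CI.

Intended CI usage (hypothetical; not hadolint's own interface):
    hadolint --no-fail --format gitlab_codeclimate Dockerfile \
        | tee reports/hadolint.json | python3 render_codeclimate.py
"""
import json
import sys

# Severity ranking used to decide the exit code. Code Climate orders
# severities info < minor < major < critical < blocker; the default
# threshold below is this script's own choice, not a hadolint setting.
SEVERITY_RANK = {"info": 0, "minor": 1, "major": 2, "critical": 3, "blocker": 4}

# Constructed sample in the shape of a gitlab_codeclimate report
# (Code Climate issue objects; the values themselves are made up).
SAMPLE_REPORT = json.dumps([
    {
        "type": "issue",
        "check_name": "DL3008",
        "description": "Pin versions in apt get install.",
        "categories": ["Bug Risk"],
        "location": {"path": "Dockerfile", "lines": {"begin": 4}},
        "severity": "major",
        "fingerprint": "0000000000000000000000000000000000000000",
    },
    {
        "type": "issue",
        "check_name": "DL3059",
        "description": "Multiple consecutive `RUN` instructions. Consider consolidation.",
        "categories": ["Bug Risk"],
        "location": {"path": "Dockerfile", "lines": {"begin": 6}},
        "severity": "info",
        "fingerprint": "1111111111111111111111111111111111111111",
    },
])


def parse_report(text):
    """Parse the JSON array into (path, line, code, severity, message) tuples."""
    data = json.loads(text)
    if not isinstance(data, list):
        raise ValueError("expected a JSON array of Code Climate issues")
    issues = []
    for item in data:
        loc = item.get("location", {})
        issues.append((
            loc.get("path", "?"),
            int(loc.get("lines", {}).get("begin", 0)),
            item.get("check_name", "?"),
            item.get("severity", "info"),
            item.get("description", ""),
        ))
    # Sort by file, then line, so the output is stable and in reading order.
    issues.sort(key=lambda i: (i[0], i[1]))
    return issues


def format_lines(issues):
    """Render issues as 'path:line CODE severity: message' lines."""
    return ["%s:%d %s %s: %s" % i for i in issues]


def exit_code(issues, fail_at="major"):
    """Return 1 if any issue is at or above the fail_at severity, else 0."""
    threshold = SEVERITY_RANK[fail_at]
    return int(any(SEVERITY_RANK.get(sev, 0) >= threshold
                   for _, _, _, sev, _ in issues))


if __name__ == "__main__":
    # Read the report from a pipe; fall back to the sample when run by hand.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    found = parse_report(raw)
    print("\n".join(format_lines(found)))
    sys.exit(exit_code(found))
```

In a GitLab job this keeps the JSON artifact for the Code Quality widget while the pipeline log still shows every finding, and the job fails on the same run rather than on a second invocation. Because the script only reads the saved report, it can also be re-run later (for example in a separate job) without re-linting, which is the point of trivy's `convert` subcommand.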