hadolint · m-ildefons · Dec 21, 2021 · Dec 16, 2021
diff --git a/README.md b/README.md
@@ -160,6 +160,8 @@ Available options:
                            format requirement `format`
   --strict-labels          Do not permit labels other than specified in
                            `label-schema`
+  --disable-ignore-pragma  Disable the inline ignore pragma `# hadolint
+                           ignore=DLxxxx` and report rules anyways.
   -t,--failure-threshold THRESHOLD
                            Exit with failure code only when rules with a
                            severity above THRESHOLD are violated. Accepted
@@ -203,6 +205,7 @@ override:
   info: [string]                        # list of rules
   style: [string]                       # list of rules
 strict-labels: boolean                  # true | false
+disable-ignore-pragma: boolean          # true | false
 trustedRegistries: string | [string]    # registry or list of registries
 ```
 
@@ -288,6 +291,7 @@ HADOLINT_OVERRIDE_INFO=DL3010,DL3020     # comma separated list of rule codes
 HADOLINT_OVERRIDE_STYLE=DL3010,DL3020    # comma separated list of rule codes
 HADOLINT_IGNORE=DL3010,DL3020            # comma separated list of rule codes
 HADOLINT_STRICT_LABELS=1                 # Truthy value e.g. 1, true or yes
+HADOLINT_DISABLE_IGNORE_PRAGMA=1         # Truthy value e.g. 1, true or yes
 HADOLINT_TRUSTED_REGISTRIES              # comma separated list of registry urls
 ```
 
@@ -417,6 +421,7 @@ Please [create an issue][] if you have an idea for a good rule.
 
 | Rule                                                         | Default Severity | Description                                                                                                                                         |
 | :----------------------------------------------------------- | :--------------- | :-------------------------------------------------------------------------------------------------------------------------------------------------- |
+| [DL1001](https://github.com/hadolint/hadolint/wiki/DL1001)   | Ignore           | Please refrain from using inline ignore pragmas `# hadolint ignore=DLxxxx`.                                                                         |
 | [DL3000](https://github.com/hadolint/hadolint/wiki/DL3000)   | Error            | Use absolute WORKDIR.                                                                                                                               |
 | [DL3001](https://github.com/hadolint/hadolint/wiki/DL3001)   | Info             | For some bash commands it makes no sense running them in a Docker container like ssh, vim, shutdown, service, ps, free, top, kill, mount, ifconfig. |
 | [DL3002](https://github.com/hadolint/hadolint/wiki/DL3002)   | Warning          | Last user should not be root.                                                                                                                       |
@@ -471,7 +476,7 @@ Please [create an issue][] if you have an idea for a good rule.
 | [DL3054](https://github.com/hadolint/hadolint/wiki/DL3054)   | Warning          | Label `<label>` is not a valid SPDX license identifier.                                                                                             |
 | [DL3055](https://github.com/hadolint/hadolint/wiki/DL3055)   | Warning          | Label `<label>` is not a valid git hash.                                                                                                            |
 | [DL3056](https://github.com/hadolint/hadolint/wiki/DL3056)   | Warning          | Label `<label>` does not conform to semantic versioning.                                                                                            |
-| [DL3057](https://github.com/hadolint/hadolint/wiki/DL3057)   | IgnoreC          | `HEALTHCHECK` instruction missing.                                                                                                                  |
+| [DL3057](https://github.com/hadolint/hadolint/wiki/DL3057)   | Ignore           | `HEALTHCHECK` instruction missing.                                                                                                                  |
 | [DL3058](https://github.com/hadolint/hadolint/wiki/DL3058)   | Warning          | Label `<label>` is not a valid email format - must be conform to RFC5322.                                                                           |
 | [DL3059](https://github.com/hadolint/hadolint/wiki/DL3059)   | Info             | Multiple consecutive `RUN` instructions. Consider consolidation.                                                                                    |
 | [DL3060](https://github.com/hadolint/hadolint/wiki/DL3060)   | Info             | `yarn cache clean` missing after `yarn install` was run.                                                                                            |

diff --git a/hadolint.cabal b/hadolint.cabal
@@ -50,6 +50,7 @@ library
       Hadolint.Pragma
       Hadolint.Process
       Hadolint.Rule
+      Hadolint.Rule.DL1001
       Hadolint.Rule.DL3000
       Hadolint.Rule.DL3001
       Hadolint.Rule.DL3002
@@ -216,6 +217,7 @@ test-suite hadolint-unit-tests
       Hadolint.Formatter.SarifSpec
       Hadolint.Formatter.TTYSpec
       Hadolint.PragmaSpec
+      Hadolint.Rule.DL1001Spec
       Hadolint.Rule.DL3000Spec
       Hadolint.Rule.DL3001Spec
       Hadolint.Rule.DL3002Spec

diff --git a/src/Hadolint/Config/Commandline.hs b/src/Hadolint/Config/Commandline.hs
@@ -95,6 +95,7 @@ parseCommandline =
         <*> parseAllowedRegistries
         <*> parseLabelSchema
         <*> parseStrictlabels
+        <*> parseDisableIgnorePragma
         <*> parseFailureThreshold
 
     -- All optional flags with boolean value must not have a default value. The
@@ -229,6 +230,15 @@ parseCommandline =
             )
         )
 
+    parseDisableIgnorePragma =
+      optional
+        ( flag' True
+            ( long "disable-ignore-pragma"
+                <> help "Disable inline ignore pragmas \
+                        \ `# hadolint ignore=DLxxxx`"
+            )
+        )
+
     parseFailureThreshold =
       optional $
         option

diff --git a/src/Hadolint/Config/Configuration.hs b/src/Hadolint/Config/Configuration.hs
@@ -36,6 +36,7 @@ data Configuration =
       allowedRegistries :: Set.Set Registry,
       labelSchema :: LabelSchema,
       strictLabels :: Bool,
+      disableIgnorePragma :: Bool,
       failureThreshold :: DLSeverity
     }
   deriving (Eq, Show)
@@ -55,6 +56,7 @@ instance Default Configuration where
       mempty
       mempty
       False
+      False
       def
 
 applyPartialConfiguration ::
@@ -73,6 +75,7 @@ applyPartialConfiguration config partial =
     (allowedRegistries config <> partialAllowedRegistries partial)
     (labelSchema config <> partialLabelSchema partial)
     (fromMaybe (strictLabels config) (partialStrictLabels partial))
+    (fromMaybe (disableIgnorePragma config) (partialDisableIgnorePragma partial))
     (fromMaybe (failureThreshold config) (partialFailureThreshold partial))
 
 instance Pretty Configuration where
@@ -91,6 +94,7 @@ instance Pretty Configuration where
             prettyPrintRulelist "ignore" (ignoreRules c),
             "strict labels:" <+> pretty (strictLabels c),
             prettyPrintLabelSchema (labelSchema c),
+            "disable ignore pragma:" <+> pretty (disableIgnorePragma c),
             prettyPrintRegistries (allowedRegistries c)
           ]
       )
@@ -137,14 +141,15 @@ data PartialConfiguration =
       partialAllowedRegistries :: Set.Set Registry,
       partialLabelSchema :: LabelSchema,
       partialStrictLabels :: Maybe Bool,
+      partialDisableIgnorePragma :: Maybe Bool,
       partialFailureThreshold :: Maybe DLSeverity
     }
   deriving (Eq, Show)
 
 
 instance Semigroup PartialConfiguration where
-  PartialConfiguration a1 a2 a3 a4 a5 a6 a7 a8 a9 a10 a11 a12 a13
-    <> PartialConfiguration b1 b2 b3 b4 b5 b6 b7 b8 b9 b10 b11 b12 b13 =
+  PartialConfiguration a1 a2 a3 a4 a5 a6 a7 a8 a9 a10 a11 a12 a13 a14
+    <> PartialConfiguration b1 b2 b3 b4 b5 b6 b7 b8 b9 b10 b11 b12 b13 b14 =
       PartialConfiguration
         (b1 <|> a1)
         (b2 <|> a2)
@@ -158,7 +163,8 @@ instance Semigroup PartialConfiguration where
         (a10 <> b10)
         (a11 <> b11)
         (b12 <|> a12)
-        (a13 <> b13)
+        (b13 <|> a13)
+        (a14 <> b14)
 
 instance Monoid PartialConfiguration where
   mempty =
@@ -175,6 +181,7 @@ instance Monoid PartialConfiguration where
       mempty
       mempty
       Nothing
+      Nothing
       mempty
 
 instance Default PartialConfiguration where
@@ -191,6 +198,7 @@ instance Yaml.FromYAML PartialConfiguration where
     trusted <- m .:? "trustedRegistries" .!= mempty
     partialLabelSchema <- m .:? "label-schema" .!= mempty
     partialStrictLabels <- m .:? "strict-labels" .!= Nothing
+    partialDisableIgnorePragma <- m .:? "disable-ignore-pragma" .!= Nothing
     let partialIgnoreRules = coerce (ignored :: [Text])
         partialErrorRules = overrideErrorRules override
         partialWarningRules = overrideWarningRules override

diff --git a/src/Hadolint/Config/Environment.hs b/src/Hadolint/Config/Environment.hs
@@ -30,6 +30,7 @@ getConfigFromEnvironment =
     <*> getAllowedSet "HADOLINT_ALLOWED_REGISTRIES"
     <*> getLabelSchema "HADOLINT_REQUIRE_LABELS"
     <*> maybeTruthy "HADOLINT_STRICT_LABELS"
+    <*> maybeTruthy "HADOLINT_DISABLE_IGNORE_PRAGMA"
     <*> getFailureThreshold
 
 

diff --git a/src/Hadolint/Pragma.hs b/src/Hadolint/Pragma.hs
@@ -1,5 +1,6 @@
 module Hadolint.Pragma
   ( ignored,
+    parseIgnorePragma,
     parseShell
   )
   where
@@ -20,13 +21,13 @@ ignored :: Foldl.Fold (InstructionPos Text) (Map.IntMap (Set.Set RuleCode))
 ignored = Foldl.Fold parse mempty id
   where
     parse acc InstructionPos {instruction = Comment comment, lineNumber = line} =
-      case parseComment comment of
+      case parseIgnorePragma comment of
         Just ignores@(_ : _) -> Map.insert (line + 1) (Set.fromList . fmap RuleCode $ ignores) acc
         _ -> acc
     parse acc _ = acc
 
-parseComment :: Text -> Maybe [Text]
-parseComment =
+parseIgnorePragma :: Text -> Maybe [Text]
+parseIgnorePragma =
   Megaparsec.parseMaybe commentParser
 
 commentParser :: Megaparsec.Parsec Void Text [Text]

diff --git a/src/Hadolint/Process.hs b/src/Hadolint/Process.hs
@@ -9,6 +9,7 @@ import qualified Data.Sequence as Seq
 import qualified Data.Set as Set
 import qualified Data.Text as Text
 import qualified Hadolint.Pragma
+import qualified Hadolint.Rule.DL1001
 import qualified Hadolint.Rule.DL3000
 import qualified Hadolint.Rule.DL3001
 import qualified Hadolint.Rule.DL3002
@@ -89,10 +90,11 @@ run config dockerfile = Seq.filter shouldKeep failed
   where
     AnalisisResult {..} = Foldl.fold (analyze config) dockerfile
 
-    shouldKeep CheckFailure {line, code} =
-      Just True /= do
-        ignoreList <- SMap.lookup line ignored
-        return $ code `Set.member` ignoreList
+    shouldKeep CheckFailure {line, code}
+      | disableIgnorePragma config = True
+      | otherwise = Just True /= do
+          ignoreList <- SMap.lookup line ignored
+          return $ code `Set.member` ignoreList
 
 analyze ::
   Configuration ->
@@ -119,7 +121,8 @@ onBuildFailures config =
 
 failures :: Configuration -> Rule Shell.ParsedShell
 failures Configuration {allowedRegistries, labelSchema, strictLabels} =
-  Hadolint.Rule.DL3000.rule
+  Hadolint.Rule.DL1001.rule
+    <> Hadolint.Rule.DL3000.rule
     <> Hadolint.Rule.DL3001.rule
     <> Hadolint.Rule.DL3002.rule
     <> Hadolint.Rule.DL3003.rule

diff --git a/src/Hadolint/Rule/DL1001.hs b/src/Hadolint/Rule/DL1001.hs
@@ -0,0 +1,19 @@
+module Hadolint.Rule.DL1001 (rule) where
+
+import Hadolint.Pragma
+import Hadolint.Rule
+import Hadolint.Shell (ParsedShell)
+import Language.Docker.Syntax
+
+rule :: Rule ParsedShell
+rule = simpleRule code severity message check
+  where
+    code = "DL1001"
+    severity = DLIgnoreC
+    message = "Please refrain from using inline igore pragmas \
+              \ `# hadolint ignore=DLxxxx`."
+    check (Comment com) =
+      case parseIgnorePragma com of
+        Just _ -> False
+        _ -> True
+    check _ = True
diff --git a/test/Hadolint/Config/CommandlineSpec.hs b/test/Hadolint/Config/CommandlineSpec.hs
@@ -300,6 +300,18 @@ spec = do
               mempty { partialStrictLabels = Just True }
           )
 
+    describe "parse disable ignore pragma" $ do
+      it "parse --disable-ignore-pragma" $ do
+        checkCommandline
+          ["--disable-ignore-pragma"]
+          ( CommandlineConfig
+              False
+              Nothing
+              []
+              Nothing
+              mempty { partialDisableIgnorePragma = Just True }
+          )
+
     describe "parse failure thresholds" $ do
       it "parse -t warning" $ do
         checkCommandline ["-t", "warning"] $ CommandlineConfig

diff --git a/test/Hadolint/Config/ConfigfileSpec.hs b/test/Hadolint/Config/ConfigfileSpec.hs
@@ -150,6 +150,16 @@ spec =
           conf = parseYaml yaml
       conf `shouldBe` Right mempty { partialStrictLabels = Just False }
 
+    it "parse disable-ignore-pragma: true" $ do
+      let yaml = [ "disable-ignore-pragma: true" ]
+          conf = parseYaml yaml
+      conf `shouldBe` Right mempty { partialDisableIgnorePragma = Just True }
+
+    it "parse disable-ignore-pragma: false" $ do
+      let yaml = [ "disable-ignore-pragma: false" ]
+          conf = parseYaml yaml
+      conf `shouldBe` Right mempty { partialDisableIgnorePragma = Just False }
+
     it "parse `failure-threshold: warning`" $ do
       let yaml = ["failure-threshold: warning"]
           conf = parseYaml yaml