chainyo opened a new issue, #67553: URL: https://github.com/apache/airflow/issues/67553
### Description Hi Airflow maintainers, I’ve been testing `rudolint`, a Rust Dockerfile linter with a Hadolint-compatible mode, against the Airflow Dockerfiles. When running the default profile, rudolint surfaces a few BuildKit/container-build suggestions that Hadolint does not currently cover: - `Dockerfile.ci`: a couple of download steps derive architecture from `uname -m`, but for multi-platform builds, Docker target platform variables can be more predictable. - `docker-stack-docs/docker-examples/extending/*`: a few apt install examples could benefit from BuildKit cache mounts. - `providers/amazon/.../executors/Dockerfile`: the example promotes AWS credential-like values through `ARG` / `ENV`. BuildKit secret mounts would avoid exposing secret-shaped values through the build interface. This is not urgent, and I’m not suggesting replacing Hadolint outright. A low-risk path could be adding rudolint as a non-blocking CI check first, either in `hadolint-compat` mode for parity or in the default profile to evaluate the BuildKit-specific findings. ### Use case/motivation The motivation here is to evaluate whether an additional linter focused on modern BuildKit-enabled Dockerfiles can provide useful signal for cache mounts, secret mounts, syntax directives, and multi-platform build patterns without disrupting the existing policy. Potential benefits: - Keep the current Hadolint policy unchanged through `hadolint-compat`. - Add optional checks for BuildKit-specific patterns, such as cache mounts, secret mounts, syntax directives, and target-platform-aware downloads. - Catch issues in example Dockerfiles that users may copy into their own deployments. - Potentially reduce lint runtime with a single static Rust binary, if CI performance is worth evaluating later (rudolint is 6x faster than hadolint) The safest first step would be a non-blocking CI job or local experiment, so maintainers can decide whether the extra findings are useful before making anything required. ### Related issues I’m not aware of an existing Airflow issue tracking BuildKit-aware Dockerfile linting. Related areas may include Docker image build reliability, multi-platform image support, and hardening examples that document credentials or cloud access patterns. ### Are you willing to submit a PR? - [x] Yes I am willing to submit a PR! ### Code of Conduct - [x] I agree to follow this project's [Code of Conduct](https://github.com/apache/airflow/blob/main/CODE_OF_CONDUCT.md) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
