Documentation
Overview
Package ruby contains tally rules that target Ruby and Rails Dockerfile patterns. Rules in this package use the "tally/ruby/<rule-slug>" code convention and live under _docs/rules/tally/ruby/ in the docs site.
Index
- Constants
- type AssetPrecompileWithoutDummyKeyRule
- type BootsnapPrecompileWithoutJ1Rule
- type DeprecatedBundlerInstallFlagsRule
- type EOLRubyVersionRule
- type HealthcheckRailsUpEndpointRule
- type JemallocInstalledButNotPreloadedRule
- type LeftoverBundlerCacheRule
- type MissingBundleDeploymentRule
- type MissingBundleWithoutDevelopmentRule
- type PreferBundlerCacheMountRule
- type PreferGemfileBindMountsRule
- type PreferNetworkNoneInstallRule
- type PreferSecretMountsForBuildCredentialsRule
- type RedundantBundlerInstallRule
- type SecretsInArgOrEnvRule
- type StatePathsNotWritableAsNonRootRule
- type YJITNotEnabledOnSupportedRuntimeRule
Constants
const AssetPrecompileWithoutDummyKeyRuleCode = rules.TallyRulePrefix + "ruby/asset-precompile-without-dummy-key"
AssetPrecompileWithoutDummyKeyRuleCode is the full rule code.
const BootsnapPrecompileWithoutJ1RuleCode = rules.TallyRulePrefix + "ruby/bootsnap-precompile-without-j1"
BootsnapPrecompileWithoutJ1RuleCode is the full rule code.
const DeprecatedBundlerInstallFlagsRuleCode = rules.TallyRulePrefix + "ruby/deprecated-bundler-install-flags"
DeprecatedBundlerInstallFlagsRuleCode is the full rule code.
const EOLRubyVersionRuleCode = rules.TallyRulePrefix + "ruby/eol-ruby-version"
EOLRubyVersionRuleCode is the full rule code.
const HealthcheckRailsUpEndpointRuleCode = rules.TallyRulePrefix + "ruby/healthcheck-rails-up-endpoint"
HealthcheckRailsUpEndpointRuleCode is the full rule code.
const JemallocInstalledButNotPreloadedRuleCode = rules.TallyRulePrefix + "ruby/jemalloc-installed-but-not-preloaded"
JemallocInstalledButNotPreloadedRuleCode is the full rule code.
const LeftoverBundlerCacheRuleCode = rules.TallyRulePrefix + "ruby/leftover-bundler-cache"
LeftoverBundlerCacheRuleCode is the full rule code.
const MissingBundleDeploymentRuleCode = rules.TallyRulePrefix + "ruby/missing-bundle-deployment"
MissingBundleDeploymentRuleCode is the full rule code.
const MissingBundleWithoutDevelopmentRuleCode = rules.TallyRulePrefix + "ruby/missing-bundle-without-development"
MissingBundleWithoutDevelopmentRuleCode is the full rule code.
const PreferBundlerCacheMountRuleCode = rules.TallyRulePrefix + "ruby/prefer-bundler-cache-mount"
PreferBundlerCacheMountRuleCode is the full rule code.
const PreferGemfileBindMountsRuleCode = rules.TallyRulePrefix + "ruby/prefer-gemfile-bind-mounts"
PreferGemfileBindMountsRuleCode is the full rule code.
const PreferNetworkNoneInstallRuleCode = rules.TallyRulePrefix + "ruby/prefer-network-none-install"
PreferNetworkNoneInstallRuleCode is the full rule code.
const PreferSecretMountsForBuildCredentialsRuleCode = rules.TallyRulePrefix + "ruby/prefer-secret-mounts-for-build-credentials"
PreferSecretMountsForBuildCredentialsRuleCode is the full rule code.
const RedundantBundlerInstallRuleCode = rules.TallyRulePrefix + "ruby/redundant-bundler-install"
RedundantBundlerInstallRuleCode is the full rule code.
const SecretsInArgOrEnvRuleCode = rules.TallyRulePrefix + "ruby/secrets-in-arg-or-env"
SecretsInArgOrEnvRuleCode is the full rule code.
const StatePathsNotWritableAsNonRootRuleCode = rules.TallyRulePrefix + "ruby/state-paths-not-writable-as-non-root"
StatePathsNotWritableAsNonRootRuleCode is the full rule code.
const YJITNotEnabledOnSupportedRuntimeRuleCode = rules.TallyRulePrefix + "ruby/yjit-not-enabled-on-supported-runtime"
YJITNotEnabledOnSupportedRuntimeRuleCode is the full rule code.
Variables
This section is empty.
Functions
This section is empty.
Types
type AssetPrecompileWithoutDummyKeyRule added in v0.43.0
type AssetPrecompileWithoutDummyKeyRule struct{}
AssetPrecompileWithoutDummyKeyRule flags Rails asset:precompile invocations that lack SECRET_KEY_BASE_DUMMY (and don't use the BuildKit secret-mount alternative).
func NewAssetPrecompileWithoutDummyKeyRule added in v0.43.0
func NewAssetPrecompileWithoutDummyKeyRule() *AssetPrecompileWithoutDummyKeyRule
NewAssetPrecompileWithoutDummyKeyRule creates the rule.
func (*AssetPrecompileWithoutDummyKeyRule) Check added in v0.43.0
func (r *AssetPrecompileWithoutDummyKeyRule) Check(input rules.LintInput) []rules.Violation
Check runs the rule.
func (*AssetPrecompileWithoutDummyKeyRule) Metadata added in v0.43.0
func (r *AssetPrecompileWithoutDummyKeyRule) Metadata() rules.RuleMetadata
Metadata returns the rule metadata.
type BootsnapPrecompileWithoutJ1Rule added in v0.43.0
type BootsnapPrecompileWithoutJ1Rule struct{}
BootsnapPrecompileWithoutJ1Rule flags Ruby/Rails stages that run `bootsnap precompile` without `-j 1`, the QEMU-safe parallelism flag.
func NewBootsnapPrecompileWithoutJ1Rule added in v0.43.0
func NewBootsnapPrecompileWithoutJ1Rule() *BootsnapPrecompileWithoutJ1Rule
NewBootsnapPrecompileWithoutJ1Rule creates the rule.
func (*BootsnapPrecompileWithoutJ1Rule) Check added in v0.43.0
func (r *BootsnapPrecompileWithoutJ1Rule) Check(input rules.LintInput) []rules.Violation
Check runs the rule.
func (*BootsnapPrecompileWithoutJ1Rule) Metadata added in v0.43.0
func (r *BootsnapPrecompileWithoutJ1Rule) Metadata() rules.RuleMetadata
Metadata returns the rule metadata.
type DeprecatedBundlerInstallFlagsRule added in v0.43.0
type DeprecatedBundlerInstallFlagsRule struct{}
DeprecatedBundlerInstallFlagsRule flags `bundle install` invocations using flags that Bundler 2.x deprecated (--without, --deployment, --path). They still work but emit deprecation notices on every CI build and are slated for removal in Bundler 3.
func NewDeprecatedBundlerInstallFlagsRule added in v0.43.0
func NewDeprecatedBundlerInstallFlagsRule() *DeprecatedBundlerInstallFlagsRule
NewDeprecatedBundlerInstallFlagsRule creates the rule.
func (*DeprecatedBundlerInstallFlagsRule) Check added in v0.43.0
func (r *DeprecatedBundlerInstallFlagsRule) Check(input rules.LintInput) []rules.Violation
Check runs the rule.
func (*DeprecatedBundlerInstallFlagsRule) Metadata added in v0.43.0
func (r *DeprecatedBundlerInstallFlagsRule) Metadata() rules.RuleMetadata
Metadata returns the rule metadata.
type EOLRubyVersionRule added in v0.43.0
type EOLRubyVersionRule struct{}
EOLRubyVersionRule flags `FROM ruby:X.Y` references where X.Y is past upstream end-of-life, plus references resolved from ARG/.ruby-version.
func NewEOLRubyVersionRule added in v0.43.0
func NewEOLRubyVersionRule() *EOLRubyVersionRule
NewEOLRubyVersionRule creates the rule.
func (*EOLRubyVersionRule) Check added in v0.43.0
func (r *EOLRubyVersionRule) Check(input rules.LintInput) []rules.Violation
Check runs the rule.
func (*EOLRubyVersionRule) Metadata added in v0.43.0
func (r *EOLRubyVersionRule) Metadata() rules.RuleMetadata
Metadata returns the rule metadata.
type HealthcheckRailsUpEndpointRule added in v0.43.0
type HealthcheckRailsUpEndpointRule struct{}
HealthcheckRailsUpEndpointRule flags Rails 7.1+ runtime stages without a HEALTHCHECK against `/up`, and HEALTHCHECKs that use curl/wget when Ruby's stdlib Net::HTTP would do the job without an extra apt install.
func NewHealthcheckRailsUpEndpointRule added in v0.43.0
func NewHealthcheckRailsUpEndpointRule() *HealthcheckRailsUpEndpointRule
NewHealthcheckRailsUpEndpointRule creates the rule.
func (*HealthcheckRailsUpEndpointRule) Check added in v0.43.0
func (r *HealthcheckRailsUpEndpointRule) Check(input rules.LintInput) []rules.Violation
Check runs the rule.
func (*HealthcheckRailsUpEndpointRule) Metadata added in v0.43.0
func (r *HealthcheckRailsUpEndpointRule) Metadata() rules.RuleMetadata
Metadata returns the rule metadata.
type JemallocInstalledButNotPreloadedRule
type JemallocInstalledButNotPreloadedRule struct{}
JemallocInstalledButNotPreloadedRule flags final stages that install a jemalloc package without setting LD_PRELOAD or the jemalloc MALLOC_CONF knob.
func NewJemallocInstalledButNotPreloadedRule
func NewJemallocInstalledButNotPreloadedRule() *JemallocInstalledButNotPreloadedRule
NewJemallocInstalledButNotPreloadedRule creates the rule.
func (*JemallocInstalledButNotPreloadedRule) Check
func (r *JemallocInstalledButNotPreloadedRule) Check(input rules.LintInput) []rules.Violation
Check runs the rule.
func (*JemallocInstalledButNotPreloadedRule) Metadata
func (r *JemallocInstalledButNotPreloadedRule) Metadata() rules.RuleMetadata
Metadata returns the rule metadata.
type LeftoverBundlerCacheRule added in v0.43.0
type LeftoverBundlerCacheRule struct{}
LeftoverBundlerCacheRule flags stages that run `bundle install` without the canonical Rails-generator cleanup of bundler-cache directories.
func NewLeftoverBundlerCacheRule added in v0.43.0
func NewLeftoverBundlerCacheRule() *LeftoverBundlerCacheRule
NewLeftoverBundlerCacheRule creates the rule.
func (*LeftoverBundlerCacheRule) Check added in v0.43.0
func (r *LeftoverBundlerCacheRule) Check(input rules.LintInput) []rules.Violation
Check runs the rule.
func (*LeftoverBundlerCacheRule) Metadata added in v0.43.0
func (r *LeftoverBundlerCacheRule) Metadata() rules.RuleMetadata
Metadata returns the rule metadata.
type MissingBundleDeploymentRule added in v0.43.0
type MissingBundleDeploymentRule struct{}
MissingBundleDeploymentRule flags production-shaped Ruby stages that run `bundle install` without `BUNDLE_DEPLOYMENT=1` (or the equivalent `bundle config set deployment 'true'`).
func NewMissingBundleDeploymentRule added in v0.43.0
func NewMissingBundleDeploymentRule() *MissingBundleDeploymentRule
NewMissingBundleDeploymentRule creates the rule.
func (*MissingBundleDeploymentRule) Check added in v0.43.0
func (r *MissingBundleDeploymentRule) Check(input rules.LintInput) []rules.Violation
Check runs the rule.
func (*MissingBundleDeploymentRule) Metadata added in v0.43.0
func (r *MissingBundleDeploymentRule) Metadata() rules.RuleMetadata
Metadata returns the rule metadata.
type MissingBundleWithoutDevelopmentRule added in v0.43.0
type MissingBundleWithoutDevelopmentRule struct{}
MissingBundleWithoutDevelopmentRule flags production-shaped Ruby stages that run `bundle install` without excluding the `development` gem group.
func NewMissingBundleWithoutDevelopmentRule added in v0.43.0
func NewMissingBundleWithoutDevelopmentRule() *MissingBundleWithoutDevelopmentRule
NewMissingBundleWithoutDevelopmentRule creates the rule.
func (*MissingBundleWithoutDevelopmentRule) Check added in v0.43.0
func (r *MissingBundleWithoutDevelopmentRule) Check(input rules.LintInput) []rules.Violation
Check runs the rule.
func (*MissingBundleWithoutDevelopmentRule) Metadata added in v0.43.0
func (r *MissingBundleWithoutDevelopmentRule) Metadata() rules.RuleMetadata
Metadata returns the rule metadata.
type PreferBundlerCacheMountRule added in v0.43.0
type PreferBundlerCacheMountRule struct{}
PreferBundlerCacheMountRule flags `bundle install` invocations that don't use a BuildKit cache mount on `${BUNDLE_PATH}/cache`. Native-extension gems benefit most from the cache mount because they recompile from source on every cache-busted build.
func NewPreferBundlerCacheMountRule added in v0.43.0
func NewPreferBundlerCacheMountRule() *PreferBundlerCacheMountRule
NewPreferBundlerCacheMountRule creates the rule.
func (*PreferBundlerCacheMountRule) Check added in v0.43.0
func (r *PreferBundlerCacheMountRule) Check(input rules.LintInput) []rules.Violation
Check runs the rule.
func (*PreferBundlerCacheMountRule) Metadata added in v0.43.0
func (r *PreferBundlerCacheMountRule) Metadata() rules.RuleMetadata
Metadata returns the rule metadata.
type PreferGemfileBindMountsRule added in v0.43.0
type PreferGemfileBindMountsRule struct{}
PreferGemfileBindMountsRule flags `COPY Gemfile Gemfile.lock` patterns that are followed by `bundle install`, suggesting the BuildKit `--mount=type=bind` form instead.
func NewPreferGemfileBindMountsRule added in v0.43.0
func NewPreferGemfileBindMountsRule() *PreferGemfileBindMountsRule
NewPreferGemfileBindMountsRule creates the rule.
func (*PreferGemfileBindMountsRule) Check added in v0.43.0
func (r *PreferGemfileBindMountsRule) Check(input rules.LintInput) []rules.Violation
Check runs the rule.
func (*PreferGemfileBindMountsRule) Metadata added in v0.43.0
func (r *PreferGemfileBindMountsRule) Metadata() rules.RuleMetadata
Metadata returns the rule metadata.
type PreferNetworkNoneInstallRule added in v0.43.0
type PreferNetworkNoneInstallRule struct{}
PreferNetworkNoneInstallRule flags `bundle install` invocations on modern BuildKit Dockerfiles that don't use `RUN --network=none` for the install phase. The pattern is:
- RUN bundle cache --no-install --all-platforms (network required)
- RUN --network=none bundle install --local (network disabled)
This is an advisory rule that surfaces the pattern when the user is already on BuildKit syntax. It never fires unless the pattern would actually work.
func NewPreferNetworkNoneInstallRule added in v0.43.0
func NewPreferNetworkNoneInstallRule() *PreferNetworkNoneInstallRule
NewPreferNetworkNoneInstallRule creates the rule.
func (*PreferNetworkNoneInstallRule) Check added in v0.43.0
func (r *PreferNetworkNoneInstallRule) Check(input rules.LintInput) []rules.Violation
Check runs the rule.
func (*PreferNetworkNoneInstallRule) Metadata added in v0.43.0
func (r *PreferNetworkNoneInstallRule) Metadata() rules.RuleMetadata
Metadata returns the rule metadata.
type PreferSecretMountsForBuildCredentialsRule added in v0.43.0
type PreferSecretMountsForBuildCredentialsRule struct{}
PreferSecretMountsForBuildCredentialsRule is the constructive companion to tally/ruby/secrets-in-arg-or-env: when a Ruby Dockerfile declares a build-credential env var via ARG or ENV, this rule surfaces the BuildKit secret-mount alternative as the supported way to thread the credential through the build without leaking it into image cache-key data or layer history.
func NewPreferSecretMountsForBuildCredentialsRule added in v0.43.0
func NewPreferSecretMountsForBuildCredentialsRule() *PreferSecretMountsForBuildCredentialsRule
NewPreferSecretMountsForBuildCredentialsRule creates the rule.
func (*PreferSecretMountsForBuildCredentialsRule) Check added in v0.43.0
func (r *PreferSecretMountsForBuildCredentialsRule) Check(input rules.LintInput) []rules.Violation
Check runs the rule.
func (*PreferSecretMountsForBuildCredentialsRule) Metadata added in v0.43.0
func (r *PreferSecretMountsForBuildCredentialsRule) Metadata() rules.RuleMetadata
Metadata returns the rule metadata.
type RedundantBundlerInstallRule added in v0.43.0
type RedundantBundlerInstallRule struct{}
RedundantBundlerInstallRule flags `gem install bundler` invocations on stages whose base image is an official `ruby:*` image — Bundler 2.x already ships in the image, so reinstalling it is redundant.
func NewRedundantBundlerInstallRule added in v0.43.0
func NewRedundantBundlerInstallRule() *RedundantBundlerInstallRule
NewRedundantBundlerInstallRule creates the rule.
func (*RedundantBundlerInstallRule) Check added in v0.43.0
func (r *RedundantBundlerInstallRule) Check(input rules.LintInput) []rules.Violation
Check runs the rule.
func (*RedundantBundlerInstallRule) Metadata added in v0.43.0
func (r *RedundantBundlerInstallRule) Metadata() rules.RuleMetadata
Metadata returns the rule metadata.
type SecretsInArgOrEnvRule added in v0.43.0
type SecretsInArgOrEnvRule struct{}
SecretsInArgOrEnvRule flags ARG/ENV instructions that declare known Rails-app secret env vars with non-placeholder values.
func NewSecretsInArgOrEnvRule added in v0.43.0
func NewSecretsInArgOrEnvRule() *SecretsInArgOrEnvRule
NewSecretsInArgOrEnvRule creates the rule.
func (*SecretsInArgOrEnvRule) Check added in v0.43.0
func (r *SecretsInArgOrEnvRule) Check(input rules.LintInput) []rules.Violation
Check runs the rule.
func (*SecretsInArgOrEnvRule) Metadata added in v0.43.0
func (r *SecretsInArgOrEnvRule) Metadata() rules.RuleMetadata
Metadata returns the rule metadata.
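A simplified, stand-alone version of the check that tally/ruby/secrets-in-arg-or-env and its companion tally/ruby/prefer-secret-mounts-for-build-credentials describe, written for this page as an added example rather than the package's own code: the Finding type, the secret-name set, the placeholder pattern and the sample Dockerfile are all assumptions, since rules.LintInput and rules.Violation are not shown here.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is an assumed, simplified stand-in for the package's rules.Violation.
type Finding struct {
	Line    int // 1-based Dockerfile line
	Message string
}

// Rails-app secret names; the real rule's list is not on the page, so this set is constructed.
var secretNames = map[string]bool{"SECRET_KEY_BASE": true, "RAILS_MASTER_KEY": true}
// Values that leak nothing: empty, a reference to another build arg, or a dummy marker.
var placeholderValue = regexp.MustCompile(`(?i)^(|\$\{?[a-z_][a-z0-9_]*\}?|["']?(changeme|dummy|placeholder|x+)["']?)$`)

// CheckSecretsInArgOrEnv flags ARG/ENV that give a known secret name a non-placeholder value.
func CheckSecretsInArgOrEnv(dockerfile string) []Finding {
	var out []Finding
	for i, line := range strings.Split(dockerfile, "\n") {
		f := strings.Fields(line)
		if len(f) < 2 || (strings.ToUpper(f[0]) != "ARG" && strings.ToUpper(f[0]) != "ENV") {
			continue
		}
		kw, pairs := strings.ToUpper(f[0]), f[1:]
		if kw == "ENV" && !strings.Contains(f[1], "=") { // legacy "ENV KEY value" form
			pairs = []string{f[1] + "=" + strings.Join(f[2:], " ")}
		}
		for _, p := range pairs {
			name, val, _ := strings.Cut(p, "=")
			if secretNames[name] && !placeholderValue.MatchString(val) {
				id := strings.ToLower(name) // the secret-mount id suggested in the message
				out = append(out, Finding{i + 1, fmt.Sprintf("%s hard-codes %s into layer history and the "+
					"cache key; use RUN --mount=type=secret,id=%s and read /run/secrets/%s instead", kw, name, id, id)})
			}
		}
	}
	return out
}

// SampleDockerfile is a constructed input: lines 2 and 3 leak a value, lines 4 and 5 do not.
const SampleDockerfile = `FROM ruby:3.3-slim
ARG RAILS_MASTER_KEY=0123456789abcdef0123456789abcdef
ENV SECRET_KEY_BASE 9f2c7e4a1b3d5f7e9f2c7e4a1b3d5f7e
ENV SECRET_KEY_BASE_DUMMY=1
RUN --mount=type=secret,id=rails_master_key RAILS_MASTER_KEY=$(cat /run/secrets/rails_master_key) bin/rails assets:precompile`

func main() {
	for _, f := range CheckSecretsInArgOrEnv(SampleDockerfile) {
		fmt.Printf("line %d: %s\n", f.Line, f.Message)
	}
}
```

Backslash-continued ARG/ENV instructions are not joined here; the real rule parses the Dockerfile properly rather than line by line.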
type StatePathsNotWritableAsNonRootRule added in v0.43.0
type StatePathsNotWritableAsNonRootRule struct{}
StatePathsNotWritableAsNonRootRule flags Rails app stages that switch to a non-root USER but `COPY` application content without `--chown` (or a subsequent `chown -R`), leaving Rails state directories root-owned and unwritable to the runtime user.
func NewStatePathsNotWritableAsNonRootRule added in v0.43.0
func NewStatePathsNotWritableAsNonRootRule() *StatePathsNotWritableAsNonRootRule
NewStatePathsNotWritableAsNonRootRule creates the rule.
func (*StatePathsNotWritableAsNonRootRule) Check added in v0.43.0
func (r *StatePathsNotWritableAsNonRootRule) Check(input rules.LintInput) []rules.Violation
Check runs the rule.
func (*StatePathsNotWritableAsNonRootRule) Metadata added in v0.43.0
func (r *StatePathsNotWritableAsNonRootRule) Metadata() rules.RuleMetadata
Metadata returns the rule metadata.
type YJITNotEnabledOnSupportedRuntimeRule added in v0.43.0
type YJITNotEnabledOnSupportedRuntimeRule struct{}
YJITNotEnabledOnSupportedRuntimeRule flags final Ruby/Rails runtime stages on Ruby 3.3+ that don't enable YJIT — a near-free 15-30% CPU win on most Rails workloads.
func NewYJITNotEnabledOnSupportedRuntimeRule added in v0.43.0
func NewYJITNotEnabledOnSupportedRuntimeRule() *YJITNotEnabledOnSupportedRuntimeRule
NewYJITNotEnabledOnSupportedRuntimeRule creates the rule.
func (*YJITNotEnabledOnSupportedRuntimeRule) Check added in v0.43.0
func (r *YJITNotEnabledOnSupportedRuntimeRule) Check(input rules.LintInput) []rules.Violation
Check runs the rule.
func (*YJITNotEnabledOnSupportedRuntimeRule) Metadata added in v0.43.0
func (r *YJITNotEnabledOnSupportedRuntimeRule) Metadata() rules.RuleMetadata
Metadata returns the rule metadata.
Source Files
- asset_precompile_without_dummy_key.go
- bootsnap_precompile_without_j1.go
- buildkit_pragma.go
- deprecated_bundler_install_flags.go
- doc.go
- eol_ruby_version.go
- healthcheck_rails_up_endpoint.go
- jemalloc_installed_but_not_preloaded.go
- leftover_bundler_cache.go
- missing_bundle_deployment.go
- missing_bundle_without_development.go
- prefer_bundler_cache_mount.go
- prefer_gemfile_bind_mounts.go
- prefer_network_none_install.go
- prefer_secret_mounts_for_build_credentials.go
- redundant_bundler_install.go
- secrets_in_arg_or_env.go
- shared.go
- state_paths_not_writable_as_non_root.go
- yjit_not_enabled.go