feat: Scan Dockerfile for typos (#422)

Author: sdn4z

README.md

@@ -70,7 +70,7 @@ docker run elementsinteractive/twyn --help
 | `--dependency-file`      | `str` (path)                                       | Dependency file to analyze. Supported: `requirements.txt`, `poetry.lock`, `uv.lock`, etc.     |
 | `--dependency`           | `str` (multiple allowed)                           | Dependency to analyze directly. Can be specified multiple times.                              |
 | `--selector-method`      | `all`, `first-letter`, `nearby-letter`             | Method for selecting possible typosquats.                                                     |
-| `--package-ecosystem`    | `pypi`, `npm`                                      | Package ecosystem for analysis.                                                               |
+| `--package-ecosystem`    | `pypi`, `npm`, `dockerhub`                                      | Package ecosystem for analysis.                                                               |
 | `-v`                     | flag                                               | Enable info-level logging.                                                                    |
 | `-vv`                    | flag                                               | Enable debug-level logging.                                                                   |
 | `--no-cache`             | flag                                               | Disable use of trusted packages cache. Always fetch from the source.                          |
@@ -170,6 +170,7 @@ The following dependency file formats are supported:
 - `package-lock.json` (v1, v2, v3)
 - `yarn.lock` (v1, v2)
 - `pnpm-lock.yaml` (v9)
+- `Dockerfile`
 
 ### Check dependencies introduced through the CLI
 
@@ -226,6 +227,7 @@ logging_level="debug"
 allowlist=["my_package"]
 pypi_source="https://mirror-with-trusted-dependencies.com/file-pypi.json"
 npm_source="https://mirror-with-trusted-dependencies.com/file-npm.json"
+dockerhub_source="https://mirror-with-trusted-dependencies.com/file-dh.json"
 ```
 
 The file format for each reference is as follows:

src/twyn/base/constants.py

@@ -32,6 +32,7 @@
     "package-lock.json": dependency_parser.PackageLockJsonParser,
     "pnpm-lock.yaml": dependency_parser.PnpmLockParser,
     "yarn.lock": dependency_parser.YarnLockParser,
+    "Dockerfile": dependency_parser.DockerfileParser,
 }
 """Mapping of dependency file names to their parser classes."""
 

src/twyn/cli.py

@@ -74,7 +74,7 @@ def entry_point() -> None:
 )
 @click.option(
     "--package-ecosystem",
-    type=click.Choice(["pypi", "npm"]),
+    type=click.Choice(["pypi", "npm", "dockerhub"]),
     default=None,
     help="Package ecosystem for dependency analysis (pypi or npm).",
 )
@@ -129,6 +129,11 @@ def entry_point() -> None:
     type=str,
     help="Alternative npm source URL to use for fetching trusted packages.",
 )
+@click.option(
+    "--dockerhub-source",
+    type=str,
+    help="Alternative DockerHub source URL to use for fetching trusted packages.",
+)
 def run(  # noqa: C901, PLR0912
     config: str,
     dependency_file: tuple[str],
@@ -144,6 +149,7 @@ def run(  # noqa: C901, PLR0912
     recursive: bool,
     pypi_source: str | None,
     npm_source: str | None,
+    dockerhub_source: str | None,
 ) -> NoReturn:
     if vv:
         logger.setLevel(logging.DEBUG)
@@ -175,6 +181,7 @@ def run(  # noqa: C901, PLR0912
             recursive=recursive,
             pypi_source=pypi_source,
             npm_source=npm_source,
+            dockerhub_source=dockerhub_source,
         )
     except TwynError as e:
         raise CliError(str(e)) from e

src/twyn/config/config_handler.py

@@ -42,6 +42,8 @@ class TwynConfiguration:
     """Alternative PyPI source URL."""
     npm_source: str | None
     """Alternative npm source URL."""
+    dockerhub_source: str | None
+    """Alternative DockerHub source URL."""
     use_cache: bool
     """Whether to use cached trusted packages."""
     package_ecosystem: PackageEcosystems | None
@@ -64,6 +66,8 @@ class ReadTwynConfiguration:
     """Optional alternative PyPI source URL."""
     npm_source: str | None = None
     """Optional alternative npm source URL."""
+    dockerhub_source: str | None = None
+    """Optional alternative DockerHub source URL."""
     use_cache: bool | None = None
     """Optional setting for using cached trusted packages."""
     package_ecosystem: PackageEcosystems | None = None
@@ -87,6 +91,7 @@ def resolve_config(  # noqa: C901, PLR0912
         recursive: bool | None = None,
         pypi_source: str | None = None,
         npm_source: str | None = None,
+        dockerhub_source: str | None = None,
     ) -> TwynConfiguration:
         """Resolve the configuration for Twyn.
 
@@ -141,12 +146,21 @@ def resolve_config(  # noqa: C901, PLR0912
         else:
             final_npm_source = None
 
+        # Determine final dockerhub_source from CLI, config file, or default
+        if dockerhub_source is not None:
+            final_dockerhub_source = dockerhub_source
+        elif read_config.dockerhub_source is not None:
+            final_dockerhub_source = read_config.dockerhub_source
+        else:
+            final_dockerhub_source = None
+
         return TwynConfiguration(
             dependency_files=dependency_files or read_config.dependency_files or set(),
             selector_method=final_selector_method,
             allowlist=read_config.allowlist,
             pypi_source=final_pypi_source,
             npm_source=final_npm_source,
+            dockerhub_source=final_dockerhub_source,
             use_cache=final_use_cache,
             package_ecosystem=package_ecosystem or read_config.package_ecosystem,
             recursive=final_recursive,
@@ -196,6 +210,7 @@ def _get_read_config(self, toml: TOMLDocument) -> ReadTwynConfiguration:
             allowlist=allowlist,
             pypi_source=twyn_config_data.get("pypi_source"),
             npm_source=twyn_config_data.get("npm_source"),
+            dockerhub_source=twyn_config_data.get("dockerhub_source"),
             use_cache=twyn_config_data.get("use_cache"),
             package_ecosystem=twyn_config_data.get("package_ecosystem"),
             recursive=twyn_config_data.get("recursive"),

src/twyn/dependency_managers/managers.py

@@ -3,6 +3,7 @@
 
 from twyn.dependency_managers.exceptions import NoMatchingDependencyManagerError
 from twyn.dependency_parser.parsers.constants import (
+    DOCKERFILE,
     PACKAGE_LOCK_JSON,
     PNPM_LOCK_YAML,
     POETRY_LOCK,
@@ -11,9 +12,11 @@
     YARN_LOCK,
 )
 from twyn.trusted_packages.managers.base import TrustedPackagesProtocol
+from twyn.trusted_packages.managers.trusted_dockerhub_packages_manager import TrustedDockerHubPackageManager
 from twyn.trusted_packages.managers.trusted_npm_packages_manager import TrustedNpmPackageManager
 from twyn.trusted_packages.managers.trusted_pypi_packages_manager import TrustedPackages
 from twyn.trusted_packages.references.base import AbstractPackageReference
+from twyn.trusted_packages.references.top_dockerhub_reference import TopDockerHubReference
 from twyn.trusted_packages.references.top_npm_reference import TopNpmReference
 from twyn.trusted_packages.references.top_pypi_reference import TopPyPiReference
 
@@ -52,15 +55,27 @@ def get_alternative_source(self, sources: dict[str, str]) -> str | None:
     dependency_files={PACKAGE_LOCK_JSON, YARN_LOCK, PNPM_LOCK_YAML},
     trusted_packages_manager=TrustedNpmPackageManager,
 )
+
 pypi_dependency_manager = DependencyManager(
     name="pypi",
     trusted_packages_source=TopPyPiReference,
     dependency_files={UV_LOCK, POETRY_LOCK, REQUIREMENTS_TXT},
     trusted_packages_manager=TrustedPackages,
 )
 
+dockerhub_dependency_manager = DependencyManager(
+    name="dockerhub",
+    trusted_packages_source=TopDockerHubReference,
+    dependency_files={DOCKERFILE},
+    trusted_packages_manager=TrustedDockerHubPackageManager,
+)
+
 
-DEPENDENCY_MANAGERS: list[DependencyManager] = [pypi_dependency_manager, npm_dependency_manager]
+DEPENDENCY_MANAGERS: list[DependencyManager] = [
+    pypi_dependency_manager,
+    npm_dependency_manager,
+    dockerhub_dependency_manager,
+]
 """List of available dependency manager classes."""
 
 PACKAGE_ECOSYSTEMS = {x.name for x in DEPENDENCY_MANAGERS}

src/twyn/dependency_parser/__init__.py

@@ -1,5 +1,6 @@
 """Dependency parsers."""
 
+from twyn.dependency_parser.parsers.dockerfile_parser import DockerfileParser
 from twyn.dependency_parser.parsers.lock_parser import PoetryLockParser, UvLockParser
 from twyn.dependency_parser.parsers.package_lock_json import PackageLockJsonParser
 from twyn.dependency_parser.parsers.pnpm_lock_parser import PnpmLockParser
@@ -13,4 +14,5 @@
     "PackageLockJsonParser",
     "YarnLockParser",
     "PnpmLockParser",
+    "DockerfileParser",
 ]

src/twyn/dependency_parser/parsers/constants.py

@@ -15,3 +15,6 @@
 
 YARN_LOCK = "yarn.lock"
 """Filename for Yarn package lock files."""
+
+DOCKERFILE = "Dockerfile"
+"""Filename for Docker container definition files."""

src/twyn/dependency_parser/parsers/dockerfile_parser.py

@@ -0,0 +1,168 @@
+import logging
+import re
+
+from typing_extensions import override
+
+from twyn.dependency_parser.parsers.abstract_parser import AbstractParser
+from twyn.dependency_parser.parsers.constants import DOCKERFILE
+
+logger = logging.getLogger("twyn")
+
+
+class DockerfileParser(AbstractParser):
+    """Parser for Dockerfile dependencies (FROM instructions)."""
+
+    # Pattern for variable substitution in Dockerfile
+    VARIABLE_PATTERN = re.compile(
+        r"\$\{(?P<name>[a-zA-Z_][a-zA-Z0-9_]*)(?::-(?P<default>[^}$]+))?\}|\$(?P<short_name>[a-zA-Z_][a-zA-Z0-9_]*)"
+    )
+
+    def __init__(self, file_path: str = DOCKERFILE) -> None:
+        super().__init__(file_path)
+
+    @override
+    def parse(self) -> set[str]:
+        """Parse Dockerfile and return base image names from FROM instructions.
+
+        Handles variable substitution and excludes stage names from previous FROM instructions.
+        """
+        with self.file_handler.open("r") as fp:
+            lines = fp.readlines()
+
+        # Handle line continuations (\)
+        raw_instructions = self._handle_line_continuations(lines)
+
+        # Parse instructions and resolve variables
+        return self._extract_base_images(raw_instructions)
+
+    def _handle_line_continuations(self, lines: list[str]) -> list[str]:
+        """Handle Dockerfile line continuations with backslash."""
+        raw_instructions = []
+        buffer = ""
+
+        for line in lines:
+            line = line.strip()  # noqa: PLW2901
+            if not line or line.startswith("#"):
+                continue
+
+            if line.endswith("\\"):
+                buffer += line[:-1] + " "
+            else:
+                buffer += line
+                raw_instructions.append(buffer)
+                buffer = ""
+
+        return raw_instructions
+
+    def _extract_base_images(self, instructions: list[str]) -> set[str]:
+        """Extract base images from Dockerfile instructions."""
+        env: dict[str, str] = {}
+        images: set[str] = set()
+        stages: set[str] = set()
+
+        for instruction in instructions:
+            parts = instruction.split(None, 1)
+            if len(parts) < 2:
+                continue
+
+            cmd = parts[0].upper()
+            args = parts[1]
+
+            if cmd in ("ARG", "ENV"):
+                self._parse_variable_assignment(args, env)
+            elif cmd == "FROM":
+                self._parse_from_instruction(args, env, images, stages)
+        return images
+
+    def _parse_variable_assignment(self, args: str, env: dict[str, str]) -> None:
+        """Parse ARG or ENV instruction and update environment variables."""
+        if "=" in args:
+            # Handle KEY=VALUE pairs
+            for part in args.split():
+                if "=" in part:
+                    key, val = part.split("=", 1)
+                    env[key] = self._resolve_variables(val.strip("\"'"), env)
+        else:
+            # Handle KEY VALUE pairs (space-separated)
+            parts = args.split(None, 1)
+            if parts:
+                key = parts[0]
+                val = parts[1] if len(parts) > 1 else ""
+                env[key] = self._resolve_variables(val.strip("\"'"), env)
+
+    def _parse_from_instruction(self, args: str, env: dict[str, str], images: set[str], stages: set[str]) -> None:
+        """Parse FROM instruction and extract base image."""
+        # Strip flags like --platform=...
+        clean_args = re.sub(r"--\S+", "", args).strip().split()
+        if not clean_args:
+            return
+
+        image_name = clean_args[0]
+        resolved_image = self._resolve_variables(image_name, env)
+
+        if resolved_image not in stages:
+            image_name_only = self._extract_image_name(resolved_image)
+
+            # Ignore the special 'scratch' no-op image
+            if image_name_only.lower() != "scratch":
+                images.add(image_name_only)
+
+        for i, part in enumerate(clean_args):
+            if part.lower() == "as" and i + 1 < len(clean_args):
+                stages.add(clean_args[i + 1])
+
+    def _extract_image_name(self, image_with_tag: str) -> str:
+        """Extract image name without tag/version/digest from a Docker image reference.
+
+        Examples:
+            ubuntu:20.04 -> ubuntu
+            node:16-alpine -> node
+            registry.hub.docker.com/library/nginx:latest -> registry.hub.docker.com/library/nginx
+            localhost:5000/myapp:v1.0 -> localhost:5000/myapp
+            nginx@sha256:23q... -> nginx
+        """
+        # Strip off the digest FIRST
+        if "@" in image_with_tag:
+            image_with_tag = image_with_tag.split("@")[0]
+
+        # Find the last ':' in the string
+        last_colon_idx = image_with_tag.rfind(":")
+
+        if last_colon_idx == -1:
+            # No colon found, return as-is
+            return image_with_tag
+
+        potential_tag = image_with_tag[last_colon_idx + 1 :]
+        name_part = image_with_tag[:last_colon_idx]
+
+        if (
+            potential_tag.isdigit() and "/" not in potential_tag and "/" not in name_part.split("/")[-1]
+            if name_part
+            else True
+        ):
+            # This looks like a registry with port, don't strip it
+            return image_with_tag
+
+        # Otherwise, strip the tag
+        return name_part
+
+    def _resolve_variables(self, text: str, env: dict[str, str]) -> str:
+        """Resolve variable substitutions in text using environment variables."""
+
+        def replace(match: re.Match[str]) -> str:
+            name = match.group("name") or match.group("short_name")
+            default = match.group("default")
+            return env.get(name, default if default is not None else match.group(0))
+
+        result = text
+        iterations = 0
+        max_iterations = 20  # Circuit breaker for recursive variables like PATH=$PATH
+
+        while iterations < max_iterations:
+            new_result = self.VARIABLE_PATTERN.sub(replace, result)
+            if new_result == result:
+                break
+            result = new_result
+            iterations += 1
+
+        return result