Static validation of Windows package-manager usage in parsed Dockerfiles.

The nanoserver Windows base image is intentionally minimal: it ships no
PowerShell, no choco, no winget, and only the bare cmd.exe shell.
Users unfamiliar with Windows-container constraints routinely write

    FROM mcr.microsoft.com/windows/nanoserver:ltsc2022
    RUN choco install nginx -y

which then fails deep inside the backend with an unhelpful
'choco' is not recognized as an internal or external command error. This
module catches that case at parse time and emits an actionable error
pointing users at servercore (which has PowerShell) or a multi-stage
build where the package install happens in a servercore stage and the
artifacts are COPY --from=...'d into the final nanoserver stage.
Scope (first iteration)

- Detects choco and winget used as the effective RUN command, handling:
  - Exec form: RUN ["choco", "install", "nginx"]
  - Shell form: RUN choco install nginx
  - Via cmd /c: RUN cmd /c choco install nginx
  - Via PowerShell: RUN powershell -Command "choco install nginx"
- Flags only when the stage's base image is nanoserver. servercore (which
  bundles PowerShell) and non-Windows bases are skipped.
- Multi-stage Dockerfiles are validated per stage; each stage's own base
  image drives its verdict. A servercore builder stage that runs choco and
  COPY --from=builder's the artifacts into a final nanoserver stage is the
  recommended remediation and passes validation.

Future iterations may auto-inject the multi-stage rewrite; for now the
validator's job is to detect + error clearly.
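The detection rules above, as an added stand-alone Rust example that is not the crate's own code: it reads a Dockerfile as a string (the crate's validate_dockerfile takes a parsed Dockerfile, so the signature and the error wording here are assumptions), tracks each stage's base image, and flags choco/winget through the exec, shell, cmd /c and PowerShell forms, including backslash line continuations.

```rust
// Added example, not the crate's own code: a stand-alone sketch of the check this module describes.
/// Split a RUN body into the tokens of its command (exec or shell form).
fn run_tokens(body: &str) -> Vec<String> {
    let body = body.trim();
    if body.starts_with('[') {
        // Exec form: RUN ["choco", "install", "nginx"]
        body.trim_start_matches('[').trim_end_matches(']').split(',')
            .map(|t| t.trim().trim_matches('"').to_string()).collect()
    } else {
        // Shell form: RUN choco install nginx (quotes around arguments are dropped)
        body.split_whitespace().map(|t| t.trim_matches('"').to_string()).collect()
    }
}
/// Name the package manager if it is the effective command, looking through
/// `cmd /c ...` and `powershell -Command "..."` wrappers.
fn package_manager(tokens: &[String]) -> Option<&'static str> {
    for tok in tokens {
        match tok.to_ascii_lowercase().trim_end_matches(".exe") {
            "choco" => return Some("choco"),
            "winget" => return Some("winget"),
            // Wrapper shells and their flags are skipped; anything else is the real command.
            "cmd" | "powershell" | "pwsh" => {}
            t if t.starts_with('-') || t.starts_with('/') => {}
            _ => return None,
        }
    }
    None
}

/// Validate every stage of a Dockerfile; returns one error per offending RUN (assumed signature).
pub fn validate_dockerfile(src: &str) -> Vec<String> {
    let (mut errors, mut stage, mut base) = (Vec::new(), 0usize, String::new());
    // Join backslash line continuations, then split each line into instruction and arguments.
    for (instr, rest) in src.replace("\\\n", " ").lines().filter_map(|l| l.trim().split_once(char::is_whitespace)) {
        match instr.to_ascii_uppercase().as_str() {
            "FROM" => { // FROM [--platform=..] image[:tag] [AS name]: first non-flag token is the image
                stage += 1;
                base = rest.split_whitespace().find(|t| !t.starts_with("--")).unwrap_or("").to_ascii_lowercase();
            }
            "RUN" if base.contains("nanoserver") => {
                if let Some(pm) = package_manager(&run_tokens(rest)) {
                    errors.push(format!("stage {stage} ({base}): RUN uses `{pm}`, which nanoserver does not ship; install it in a servercore stage and COPY --from that stage"));
                }
            }
            _ => {}
        }
    }
    errors
}
```

A servercore builder stage followed by a nanoserver stage that only COPYs from it produces no errors, which is the remediation the module recommends.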
Enums

- DepsError - Errors surfaced by the Windows dependency validator.

Functions

- validate_dockerfile - Walk every stage in dockerfile and error if any RUN on a
  nanoserver-based stage uses choco or winget.