DockerMock: Pre-Build Detection of Dockerfile Faults through Mocking Instruction Execution

TL;DR

DockerMock is a novel pre-build analysis tool that detects Dockerfile faults by mocking instruction execution, significantly improving fault detection accuracy and reducing build failures in CI/CD pipelines.

Contribution

It introduces a context-based mocking approach for Dockerfile fault detection, balancing detection precision and recall, and demonstrates superior performance over existing tools.

Findings

DockerMock detects 68% of faults, outperforming hadolint and BuildKit.

Reduces the number of failed builds in CI/CD pipelines.

Effective in open source and student project datasets.

Abstract

Continuous Integration (CI) and Continuous Deployment (CD) are widely adopted in software engineering practice. In reality, the CI/CD pipeline execution is not yet reliably continuous because it is often interrupted by Docker build failures. However, the existing trial-and-error practice to detect faults is time-consuming. To timely detect Dockerfile faults, we propose a context-based pre-build analysis approach, named DockerMock, through mocking the execution of common Dockerfile instructions. A Dockerfile fault is declared when an instruction conflicts with the approximated and accumulated running context. By explicitly keeping track of whether the context is fuzzy, DockerMock strikes a good balance of detection precision and recall. We evaluated DockerMock with 53 faults in 41 Dockerfiles from open source projects on GitHub and 130 faults in 105 Dockerfiles from student course projects. On average, DockerMock detected 68.0% Dockerfile faults in these two datasets. While baseline hadolint detected 6.5%, and baseline BuildKit detected 60.5% without instruction execution. In the GitHub dataset, DockerMock reduces the number of builds to 47, outperforming that of hadolint (73) and BuildKit (74).