MCO-1333: Validate OCL Containerfiles by eric200428 · Pull Request #6187 · openshift/machine-config-operator

eric200428 · 2026-06-12T15:07:50Z

- What I did

Added Containerfile validation to catch syntax errors before the build job starts, so users don't have to wait for builds to fail
Validates basic stuff like making sure there's a FROM instruction and that commands like COPY/RUN have the arguments they need
The imagebuilder parser doesn't understand some buildah syntax (heredocs, certain ARG formats), so I added logic to detect those cases and just warn instead of failing
Validation runs on the rendered Containerfile after template merging, catching issues from both user input and our template logic
Using the https://github.com/openshift/imagebuilder/tree/master/dockerfile/parser package

- How to verify it

For in-cluster testing look at the Jira card comment
https://redhat.atlassian.net/browse/MCO-1333?focusedCommentId=17267022
or run the unit test

go test ./pkg/controller/build/buildrequest/...

Summary by CodeRabbit

Chores
- Updated Go toolchain to 1.25.5 and refreshed project dependencies.
New Features
- Added Containerfile/Dockerfile syntax validation during build-request creation and rendering, including checks for required FROM and supported instructions; invalid user inputs may be warned on, while invalid generated output fails validation.
Tests
- Added unit tests covering validation edge cases, including empty input, missing/invalid instructions, and unknown-instruction detection.

- Add validInstructions map with all valid Dockerfile instructions - Update validateInstruction to check instruction validity before checking args - Remove overly broad 'Unknown instruction:' from isKnownAdvancedSyntaxError - Add test cases for unknown instruction validation

Update go.mod, go.sum, and vendor/ for github.com/openshift/imagebuilder dependency required for Containerfile validation.

openshift-merge-bot · 2026-06-12T15:07:53Z

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

openshift-ci-robot · 2026-06-12T15:07:55Z

@eric200428: This pull request references MCO-1333 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

- What I did

Added Containerfile validation to catch syntax errors before the build job starts, so users don't have to wait for builds to fail

Validates basic stuff like making sure there's a FROM instruction and that commands like COPY/RUN have the arguments they need

The imagebuilder parser doesn't understand some buildah syntax (heredocs, certain ARG formats), so I added logic to detect those cases and just warn instead of failing

Validation runs on the rendered Containerfile after template merging, catching issues from both user input and our template logic

Using the https://github.com/openshift/imagebuilder/tree/master/dockerfile/parser package

- How to verify it

For in-cluster testing look at the Jira card comment
https://redhat.atlassian.net/browse/MCO-1333?focusedCommentId=17267022
or run the unit test
go test ./pkg/controller/build/buildrequest/...

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

coderabbitai · 2026-06-12T15:08:07Z

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 8b259024-89f2-41ca-93fa-45e91ebc9b0b

📥 Commits

Reviewing files that changed from the base of the PR and between 6b44be5 and a9bb484.

📒 Files selected for processing (1)

pkg/controller/build/buildrequest/buildrequest.go

Walkthrough

Updates Go toolchain to 1.25.5 and refreshes dependency graph broadly across container runtimes, OpenAPI tooling, sigstore verification, observability, and standard library modules. Adds Containerfile/Dockerfile syntax validation to build request construction and rendering, with tests covering malformed inputs, missing FROM instructions, argument validation, and rejection of unknown instructions.

Changes

Dependency Updates

Layer / File(s)	Summary
Go toolchain and direct requirements `go.mod`	Go toolchain updated from 1.25.3 to 1.25.5; direct dependencies bumped for spf13/cobra, spf13/pflag, golang.org/x/net, and golang.org/x/time.
Container runtime and security stack `go.mod`	Indirect upgrades for containerd API/errdefs/log/ttrpc, opencontainers/cgroups/selinux, moby/buildkit, and sigstore components (fulcio/protobuf-specs/rekor).
OpenAPI, gRPC, and observability infrastructure `go.mod`	go-openapi modules, grpc-gateway/v2, OpenTelemetry, genproto/googleapis, and gRPC infrastructure dependencies refreshed.
Docker, utility, and standard library dependencies `go.mod`	Docker/CoreOS modules, gofrs/flock, go-containerregistry, sigstore/sigstore, Prometheus, linting utilities, go.uber.org/zap, golang.org/x/*, and google.golang.org/protobuf upgraded.

Containerfile Syntax Validation

Layer / File(s)	Summary
Validation data structures and parser import `pkg/controller/build/buildrequest/buildrequest.go`	Dockerfile parser imported; `instructionRequirements` map defines arguments required per instruction; `validInstructions` whitelist enumerates recognized Containerfile instruction mnemonics.
Core validation functions `pkg/controller/build/buildrequest/buildrequest.go`	`validateContainerfileSyntax` orchestrates parsing and node validation; `validateBasicSyntax` enforces at least one FROM instruction; `isKnownParserLimitation` identifies tolerable parser errors; `validateInstruction` checks instruction recognition and required arguments via node Next/Attributes fields.
Integration into build request lifecycle `pkg/controller/build/buildrequest/buildrequest.go`	`newBuildRequest` validates user-provided Containerfile and logs warning on failure without aborting; `renderContainerfile` validates the fully rendered Containerfile and returns error on validation failure.
Validation test coverage `pkg/controller/build/buildrequest/buildrequest_test.go`	`TestValidateContainerfileSyntax` covers empty input, missing/invalid FROM, and argument-less RUN/COPY/WORKDIR with valid examples; `TestValidateContainerfileInBuildRequest` exercises validation via ConfigMaps() integration; `TestValidateUnknownInstruction` validates rejection of unknown instructions with proper error messages.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
No-Sensitive-Data-In-Logs	❌ Error	Line 405 logs parser errors directly with %v, which may include sensitive Containerfile content (passwords, tokens, API keys) if parsing fails on lines containing such data.	Sanitize parser errors before logging, or log only the error type without including the full error message that may contain Containerfile content from sensitive lines.
Docstring Coverage	⚠️ Warning	Docstring coverage is 66.67% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Test Structure And Quality	❓ Inconclusive	The custom check asks to review "Ginkgo test code" but the repository and PR tests use standard Go testing (*testing.T), not Ginkgo. The check instructions are not applicable to this codebase.	Clarify if the check should apply to Go tests in general or only Ginkgo tests. If general Go tests, the standard Go test patterns in this PR are mostly consistent with existing tests but lack meaningful assertion messages.

✅ Passed checks (12 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly references the Jira issue (MCO-1333) and clearly summarizes the main change: adding Containerfile validation to the build workflow.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	The PR adds standard Go unit tests (not Ginkgo tests). The custom check specifically targets "Ginkgo test names" using It(), Describe(), Context(), When() patterns. Since no Ginkgo tests are presen...
Microshift Test Compatibility	✅ Passed	This PR adds only standard Go unit tests (using *testing.T), not Ginkgo e2e tests. The custom check applies only to Ginkgo e2e tests, so it does not apply to this PR.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	This PR adds only standard Go unit tests (TestValidate* functions using testing.T), not Ginkgo e2e tests. The SNO compatibility check applies exclusively to Ginkgo e2e tests with patterns like It()...
Topology-Aware Scheduling Compatibility	✅ Passed	PR adds Containerfile syntax validation and dependency updates only; no deployment manifests, pod affinity, scheduling constraints, or topology-dependent scheduling logic is introduced.
Ote Binary Stdout Contract	✅ Passed	The PR modifies a library package (buildrequest) with no process-level stdout writes. All logging uses klog, no fmt.Print calls to stdout, and no OTE suite configuration. This code is not a binary...
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No Ginkgo e2e tests added. The PR only adds standard Go unit tests using func Test(t testing.T) pattern in buildrequest_test.go, which are out of scope for this IPv6/disconnected network compatib...
No-Weak-Crypto	✅ Passed	No weak crypto (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB) usage, custom crypto implementations, or insecure secret comparisons found in modified files: go.mod, buildrequest.go, buildrequest_test.go.
Container-Privileges	✅ Passed	This PR adds Containerfile validation logic without introducing any privileged container configurations, host access settings, or capability escalations in Kubernetes manifests.

✨ Finishing Touches

🧪 Generate unit tests (beta)

Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

openshift-ci · 2026-06-12T15:08:27Z

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: eric200428
Once this PR has been reviewed and has the lgtm label, please assign umohnani8 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

coderabbitai

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/controller/build/buildrequest/buildrequest.go`:
- Around line 45-57: The instructionRequirements map currently lacks entries for
several non-empty instructions accepted by validInstructions, so
validateInstruction/validateContainerfileSyntax won't reject bare forms; add
required-argument entries for "CMD", "ENTRYPOINT", "SHELL", "STOPSIGNAL",
"ONBUILD", and "HEALTHCHECK" to instructionRequirements (e.g., "CMD":"a command
or JSON array", "ENTRYPOINT":"a command or JSON array", "SHELL":"a command
array", "STOPSIGNAL":"a signal name or number", "ONBUILD":"a trigger
instruction", and for "HEALTHCHECK" indicate allowed forms such as "NONE" or "a
command and options") so validateInstruction enforces non-empty arguments for
these instructions and fails fast.
- Around line 392-401: The current bypass in validateContainerfileSyntax uses
isKnownAdvancedSyntaxError to match generic substrings and returns nil for any
match, which lets malformed ENV/LABEL pass; update isKnownAdvancedSyntaxError
(and its callers in validateContainerfileSyntax where parser.Parse error is
handled) to switch from deny-list substring matches to an explicit allow-list of
only the specific advanced constructs you intend to accept (e.g.,
heredoc/continued-line tokens or exact parser error codes/messages that
represent valid advanced syntax), and ensure errors from parseNameVal-related
messages (the ENV/LABEL "can't find = in" / "must be of the form: name=value")
are not allowed and still cause Parse to return an error so malformed ENV/LABEL
fail the preflight check.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

Push a commit to this branch (recommended)
Create a new PR with the fixes

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 47750454-b1e3-415a-88bd-481085815484

📥 Commits

Reviewing files that changed from the base of the PR and between ae65f6d and c37716f.

⛔ Files ignored due to path filters (297)

go.sum is excluded by !**/*.sum
vendor/github.com/asaskevich/govalidator/.gitignore is excluded by !**/vendor/**, !vendor/**
vendor/github.com/asaskevich/govalidator/.travis.yml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/asaskevich/govalidator/CODE_OF_CONDUCT.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/asaskevich/govalidator/CONTRIBUTING.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/asaskevich/govalidator/LICENSE is excluded by !**/vendor/**, !vendor/**
vendor/github.com/asaskevich/govalidator/README.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/asaskevich/govalidator/arrays.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/asaskevich/govalidator/converter.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/asaskevich/govalidator/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/asaskevich/govalidator/error.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/asaskevich/govalidator/numerics.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/asaskevich/govalidator/patterns.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/asaskevich/govalidator/types.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/asaskevich/govalidator/utils.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/asaskevich/govalidator/validator.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/asaskevich/govalidator/wercker.yml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/cenkalti/backoff/v4/context.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/cenkalti/backoff/v4/exponential.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/cenkalti/backoff/v4/retry.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/cenkalti/backoff/v4/tries.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/cenkalti/backoff/v5/.gitignore is excluded by !**/vendor/**, !vendor/**
vendor/github.com/cenkalti/backoff/v5/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/cenkalti/backoff/v5/LICENSE is excluded by !**/vendor/**, !vendor/**
vendor/github.com/cenkalti/backoff/v5/README.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/cenkalti/backoff/v5/backoff.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/cenkalti/backoff/v5/error.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/cenkalti/backoff/v5/exponential.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/cenkalti/backoff/v5/retry.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/cenkalti/backoff/v5/ticker.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/cenkalti/backoff/v5/timer.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/cloudflare/circl/ecc/goldilocks/curve.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/cloudflare/circl/internal/sha3/xor_unaligned.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/cloudflare/circl/sign/ed25519/point.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/cloudflare/circl/sign/sign.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/containerd/containerd/api/types/mount.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
vendor/github.com/containerd/containerd/api/types/mount.proto is excluded by !**/vendor/**, !vendor/**
vendor/github.com/containerd/ttrpc/.golangci.yml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/containerd/ttrpc/client.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/containerd/ttrpc/server.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/go-systemd/v22/daemon/sdnotify_other.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/go-systemd/v22/daemon/sdnotify_unix.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/go-systemd/v22/daemon/watchdog.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/go-systemd/v22/dbus/dbus.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/go-systemd/v22/dbus/methods.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/go-systemd/v22/dbus/set.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/go-systemd/v22/dbus/subscription.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/go-systemd/v22/dbus/subscription_set.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/go-systemd/v22/journal/journal.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/go-systemd/v22/journal/journal_unix.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/go-systemd/v22/unit/deserialize.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/go-systemd/v22/unit/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/go-systemd/v22/unit/escape.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/go-systemd/v22/unit/option.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/coreos/go-systemd/v22/unit/serialize.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/docker/docker/api/types/versions/compare.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-jose/go-jose/v4/.gitignore is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-jose/go-jose/v4/.golangci.yml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-jose/go-jose/v4/.travis.yml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-jose/go-jose/v4/CONTRIBUTING.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-jose/go-jose/v4/README.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-jose/go-jose/v4/SECURITY.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-jose/go-jose/v4/asymmetric.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-jose/go-jose/v4/cipher/cbc_hmac.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-jose/go-jose/v4/cipher/concat_kdf.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-jose/go-jose/v4/cipher/ecdh_es.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-jose/go-jose/v4/cipher/key_wrap.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-jose/go-jose/v4/crypter.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-jose/go-jose/v4/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-jose/go-jose/v4/encoding.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-jose/go-jose/v4/json/README.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-jose/go-jose/v4/json/decode.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-jose/go-jose/v4/json/encode.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-jose/go-jose/v4/json/indent.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-jose/go-jose/v4/json/scanner.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-jose/go-jose/v4/json/stream.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-jose/go-jose/v4/json/tags.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-jose/go-jose/v4/jwe.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-jose/go-jose/v4/jwk.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-jose/go-jose/v4/jws.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-jose/go-jose/v4/opaque.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-jose/go-jose/v4/shared.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-jose/go-jose/v4/signing.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-jose/go-jose/v4/symmetric.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/analysis/.editorconfig is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/analysis/.gitignore is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/analysis/.golangci.yml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/analysis/CODE_OF_CONDUCT.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/analysis/CONTRIBUTORS.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/analysis/README.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/analysis/SECURITY.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/analysis/analyzer.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/analysis/debug.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/analysis/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/analysis/errors.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/analysis/fixer.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/analysis/flatten.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/analysis/flatten_name.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/analysis/flatten_options.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/analysis/go.work is excluded by !**/*.work, !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/analysis/go.work.sum is excluded by !**/*.sum, !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/analysis/internal/debug/debug.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/analysis/internal/flatten/normalize/normalize.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/analysis/internal/flatten/operations/operations.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/analysis/internal/flatten/replace/errors.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/analysis/internal/flatten/replace/replace.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/analysis/internal/flatten/schutils/flatten_schema.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/analysis/internal/flatten/sortref/keys.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/analysis/internal/flatten/sortref/sort_ref.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/analysis/mixin.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/analysis/schema.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/errors/.editorconfig is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/errors/.gitignore is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/errors/.golangci.yml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/errors/CODE_OF_CONDUCT.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/errors/CONTRIBUTORS.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/errors/README.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/errors/SECURITY.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/errors/api.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/errors/auth.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/errors/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/errors/headers.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/errors/middleware.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/errors/parsing.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/errors/schema.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/jsonpointer/.cliff.toml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/jsonpointer/.gitignore is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/jsonpointer/.golangci.yml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/jsonpointer/CODE_OF_CONDUCT.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/jsonpointer/CONTRIBUTORS.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/jsonpointer/LICENSE is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/jsonpointer/NOTICE is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/jsonpointer/README.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/jsonpointer/SECURITY.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/jsonpointer/errors.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/jsonpointer/pointer.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/jsonreference/.editorconfig is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/jsonreference/.gitignore is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/jsonreference/.golangci.yml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/jsonreference/CODE_OF_CONDUCT.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/jsonreference/CONTRIBUTORS.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/jsonreference/NOTICE is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/jsonreference/README.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/jsonreference/SECURITY.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/jsonreference/internal/normalize_url.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/jsonreference/reference.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/loads/.gitignore is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/loads/.golangci.yml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/loads/.travis.yml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/loads/CODE_OF_CONDUCT.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/loads/CONTRIBUTORS.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/loads/README.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/loads/SECURITY.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/loads/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/loads/errors.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/loads/loaders.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/loads/options.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/loads/spec.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/runtime/.golangci.yml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/runtime/README.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/runtime/bytestream.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/runtime/client_auth_info.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/runtime/client_operation.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/runtime/client_request.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/runtime/client_response.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/runtime/constants.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/runtime/csv.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/runtime/csv_options.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/runtime/discard.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/runtime/file.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/runtime/go.work is excluded by !**/*.work, !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/runtime/go.work.sum is excluded by !**/*.sum, !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/runtime/headers.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/runtime/interfaces.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/runtime/json.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/runtime/request.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/runtime/statuses.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/runtime/text.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/runtime/values.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/runtime/xml.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/spec/.gitignore is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/spec/.golangci.yml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/spec/CODE_OF_CONDUCT.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/spec/CONTRIBUTORS.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/spec/README.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/spec/SECURITY.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/spec/cache.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/spec/contact_info.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/spec/debug.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/spec/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/spec/embed.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/spec/errors.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/spec/expander.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/spec/external_docs.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/spec/header.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/spec/info.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/spec/items.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/spec/license.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/spec/normalizer.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/spec/normalizer_nonwindows.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/spec/normalizer_windows.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/spec/operation.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/spec/parameter.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/spec/path_item.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/spec/paths.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/spec/properties.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/spec/ref.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/spec/resolver.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/spec/response.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/spec/responses.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/spec/schema.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/spec/schema_loader.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/spec/security_scheme.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/spec/spec.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/spec/swagger.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/spec/tag.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/spec/url_go19.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/spec/validations.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/spec/xml_object.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/strfmt/.codecov.yml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/strfmt/.gitignore is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/strfmt/.golangci.yml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/strfmt/CODE_OF_CONDUCT.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/strfmt/CONTRIBUTORS.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/strfmt/README.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/strfmt/SECURITY.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/strfmt/bson.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/strfmt/date.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/strfmt/default.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/strfmt/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/strfmt/duration.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/strfmt/errors.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/strfmt/format.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/strfmt/go.work is excluded by !**/*.work, !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/strfmt/go.work.sum is excluded by !**/*.sum, !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/strfmt/ifaces.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/strfmt/internal/bsonlite/codec.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/strfmt/internal/bsonlite/lite.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/strfmt/mongo.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/strfmt/time.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/strfmt/ulid.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/.codecov.yml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/.golangci.yml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/.mockery.yml is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/README.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/SECURITY.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/cmdutils/LICENSE is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/cmdutils/cmd_utils.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/cmdutils/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/cmdutils_iface.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/conv/LICENSE is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/conv/convert.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/conv/convert_types.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/conv/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/conv/format.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/conv/sizeof.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/conv/type_constraints.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/conv_iface.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/convert.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/convert_types.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/errors.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/fileutils/LICENSE is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/fileutils/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/fileutils/file.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/fileutils/path.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/fileutils_iface.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/go.work is excluded by !**/*.work, !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/go.work.sum is excluded by !**/*.sum, !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/initialism_index.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/json.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonname/LICENSE is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonname/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonname/name_provider.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonname_iface.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonutils/LICENSE is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonutils/README.md is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonutils/adapters/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonutils/adapters/ifaces/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonutils/adapters/ifaces/ifaces.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonutils/adapters/ifaces/registry_iface.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonutils/adapters/registry.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonutils/adapters/stdlib/json/adapter.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonutils/adapters/stdlib/json/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonutils/adapters/stdlib/json/lexer.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonutils/adapters/stdlib/json/ordered_map.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonutils/adapters/stdlib/json/pool.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonutils/adapters/stdlib/json/register.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonutils/adapters/stdlib/json/writer.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonutils/concat.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonutils/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonutils/json.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonutils/ordered_map.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/jsonutils_iface.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/loading/LICENSE is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/loading/doc.go is excluded by !**/vendor/**, !vendor/**
vendor/github.com/go-openapi/swag/loading/errors.go is excluded by !**/vendor/**, !vendor/**

📒 Files selected for processing (3)

go.mod
pkg/controller/build/buildrequest/buildrequest.go
pkg/controller/build/buildrequest/buildrequest_test.go

coderabbitai · 2026-06-12T16:02:14Z

+	result, err := parser.Parse(strings.NewReader(containerfile))
+	if err != nil {
+		// For rendered templates, advanced syntax is expected
+		// Only fail on obvious syntax errors
+		if !isKnownAdvancedSyntaxError(err) {
+			return fmt.Errorf("failed to parse Containerfile: %w", err)
+		}
+		// Log but don't fail for advanced syntax
+		klog.V(4).Infof("Containerfile uses advanced syntax, skipping detailed parser validation: %v", err)
+		return nil


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

In github.com/openshift/imagebuilder v1.2.21 dockerfile/parser, what inputs produce the errors "can't find = in" and "must be of the form: name=value"? Do malformed ARG/ENV instructions emit those same messages?

💡 Result:

In the Dockerfile parser used by openshift/imagebuilder (which relies on the standard Dockerfile syntax parser), the errors "can't find = in [X]" and "must be of the form: name=value" occur when the parser encounters a line (typically ENV or LABEL) that it expects to follow the key=value format but fails to find the required equals sign within the expected token [1][2][3]. This error is almost always caused by malformed syntax in ENV or LABEL instructions, rather than ARG [1][4]. Common causes include: 1. Unexpected spaces: If you write ENV KEY = VALUE (with a space before the =), the parser treats the = as a separate token and fails to associate it correctly, often reporting the failure on the next word [2][5]. 2. Trailing characters or comments: If you add a comment at the end of an ENV or LABEL line using #, the parser may attempt to treat that comment as part of the instruction. If it encounters a word in the comment that lacks an =, it will fail [1][6]. 3. Unquoted values with special characters: If an environment variable value contains spaces or special characters that are not properly quoted, the parser may break the line into multiple tokens and attempt to interpret them as key=value pairs, eventually failing when it finds a token without an = [7][3][8]. 4. Line continuation issues: If a backslash () is used incorrectly, or if there is trailing whitespace after the backslash, it can disrupt the parser's view of the next line, leading to parsing errors [1][5]. Regarding malformed ARG/ENV instructions: The error message is characteristic of ENV and LABEL instructions, which strictly enforce the key=value syntax (or the older space-separated syntax, which is often source of confusion when mixed) [9][10][1]. ARG instructions behave differently; while they also support key=value, they are generally more lenient or throw different errors (e.g., "ARG requires exactly one argument") when formatted incorrectly [4]. Therefore, malformed ARG instructions do not typically emit these specific "can't find =" messages [4].

Citations:

1: https://stackoverflow.com/questions/68351805/error-response-from-daemon-failed-to-parse-dockerfile-syntax-error-cant-fin

2: https://stackoverflow.com/questions/68957046/error-response-from-daemon-failed-to-parse-dockerfile-syntax-error-cant-fin

3: Dockerfile scan error on Env entries containing tab characters aquasecurity/trivy#9494

4: False positive flagged if quotes used when replacing variables in an ARG, ENV, or LABEL rcjsuen/dockerfile-utils#36

5: https://stackoverflow.com/questions/57486507/docker-cant-find-in-env-must-be-of-the-form-name-value

6: Comments nested in ENV or LABEL instructions delimited by an equals sign are incorrectly flagged as a syntax error rcjsuen/dockerfile-language-server#167

7: Can't build images with labels that contains space inside of quotes moby/moby#31697

8: Syntax error - can't find = in "-a." with features enabled devcontainers/cli#454

9: manage-dockerfile: use the original form of ENV/LABEL builder#134

10: [release-4.3] Bug 1821861: manage-dockerfile: use the original form of ENV/LABEL builder#149

🏁 Script executed:

#!/bin/bash set -euo pipefail FILE="pkg/controller/build/buildrequest/buildrequest.go" # Show the exact helper + its callsites around the reported lines sed -n '350,430p' "$FILE" | cat -n echo "---- search for isKnownAdvancedSyntaxError definition ----" rg -n "func isKnownAdvancedSyntaxError|isKnownAdvancedSyntaxError\(" "$FILE" echo "---- show surrounding definition if found ----" # Print a bit more around the function definition # (rg line number output used by awk to slice) line_def=$(rg -n "func isKnownAdvancedSyntaxError" "$FILE" | head -n1 | cut -d: -f1 || true) if [[ -n "${line_def:-}" ]]; then start=$((line_def-40)) end=$((line_def+80)) sed -n "${start},${end}p" "$FILE" | cat -n fi

Repository: openshift/machine-config-operator

Length of output: 7899

🏁 Script executed:

#!/bin/bash set -euo pipefail FILE="pkg/controller/build/buildrequest/buildrequest.go" echo "---- locate instructionRequirements ----" rg -n "instructionRequirements" "$FILE" echo "---- show around instructionRequirements ----" line=$(rg -n "instructionRequirements" "$FILE" | head -n1 | cut -d: -f1) start=$((line-30)); end=$((line+120)) sed -n "${start},${end}p" "$FILE" | cat -n echo "---- search for validateInstruction usage / other syntax validation ----" rg -n "validateContainerfileSyntax|validateBasicSyntax|validateInstruction|validInstructions" "$FILE"

Repository: openshift/machine-config-operator

Length of output: 7771

🏁 Script executed:

#!/bin/bash set -euo pipefail FILE="pkg/controller/build/buildrequest/buildrequest.go" echo "---- inspect validateInstruction fully (incl. instructionRequirements usage) ----" sed -n '430,560p' "$FILE" | cat -n echo "---- locate containerfileToConfigMap + renderedContainerfile flow ----" rg -n "containerfileToConfigMap|renderContainerfile|validateContainerfileSyntax" "$FILE" echo "---- show around containerfileToConfigMap ----" line=$(rg -n "func \$br buildRequestImpl\$ containerfileToConfigMap" "$FILE" | head -n1 | cut -d: -f1) start=$((line-60)); end=$((line+220)) sed -n "${start},${end}p" "$FILE" | cat -n echo "---- search for other isKnownAdvancedSyntaxError references ----" rg -n "isKnownAdvancedSyntaxError" "$FILE" echo "---- search repo for these exact substrings (any other suppression) ----" rg -n "can't find = in|must be of the form: name=value" . || true echo "---- inspect embedded Containerfile templates for heredoc/ENV/LABEL patterns ----" ls -la pkg/controller/build/buildrequest/assets || true for f in pkg/controller/build/buildrequest/assets/*; do echo "### $f"; sed -n '1,120p' "$f" | cat -n; echo; done

Repository: openshift/machine-config-operator

Length of output: 31915

🏁 Script executed:

#!/bin/bash set -euo pipefail # Inspect the exact parser code that emits the two error strings. FILE1="vendor/github.com/openshift/imagebuilder/dockerfile/parser/line_parsers.go" FILE2="vendor/github.com/moby/buildkit/frontend/dockerfile/parser/line_parsers.go" echo "---- openshift/imagebuilder parser: lines around 'can't find = in' ----" rg -n "can't find = in|must be of the form: name=value" "$FILE1" line1=$(rg -n "can't find = in" "$FILE1" | head -n1 | cut -d: -f1) start=$((line1-40)); end=$((line1+40)) sed -n "${start},${end}p" "$FILE1" | cat -n echo echo "---- openshift/imagebuilder parser: search for instruction types that use this error ----" rg -n "Must be of the form: name=value|can't find = in" "$FILE1" echo echo "---- buildkit frontend parser: lines around 'can't find = in' ----" rg -n "can't find = in|must be of the form: name=value" "$FILE2" line2=$(rg -n "can't find = in" "$FILE2" | head -n1 | cut -d: -f1) start2=$((line2-40)); end2=$((line2+40)) sed -n "${start2},${end2}p" "$FILE2" | cat -n

Repository: openshift/machine-config-operator

Length of output: 5935

🏁 Script executed:

#!/bin/bash set -euo pipefail FILE="vendor/github.com/openshift/imagebuilder/dockerfile/parser/line_parsers.go" echo "---- locate parseArg / ARG parsing ----" rg -n "parseArg\\b|ARG" "$FILE" # show around parseArg if present line=$(rg -n "func parseArg" "$FILE" | head -n1 | cut -d: -f1 || true) if [[ -n "${line:-}" ]]; then start=$((line-60)); end=$((line+120)) sed -n "${start},${end}p" "$FILE" | cat -n fi echo "---- also search entire vendor parser for the two error substrings ----" rg -n "Syntax error - can't find = in|must be of the form: name=value" "vendor/github.com/openshift/imagebuilder/dockerfile/parser"

Repository: openshift/machine-config-operator

Length of output: 117

🏁 Script executed:

#!/bin/bash set -euo pipefail PARSER_DIR="vendor/github.com/openshift/imagebuilder/dockerfile/parser" echo "---- search for ARG parsing entrypoints / directive constants ----" rg -n "ARG\b|commandArg|parseArg|parse.*Arg|parse.*ARG" "$PARSER_DIR" echo "---- search for common ARG error messages ----" rg -n "ARG.*(exactly|one|argument|must have|requires)|must be of the form|can't find = in" "$PARSER_DIR" echo "---- search for ENV/LABEL parser usage (parseEnv/parseLabel) ----" rg -n "parseEnv\\b|parseLabel\\b" "$PARSER_DIR" echo "---- inspect dispatcher that maps instruction token to parseX ----" # Look for the function that dispatches based on instruction name rg -n "switch .*\\{|case .*ARG|case .*ENV|case .*LABEL" "$PARSER_DIR" | head -n 50

Repository: openshift/machine-config-operator

Length of output: 144

🏁 Script executed:

#!/bin/bash set -euo pipefail PARSER_DIR="vendor/github.com/openshift/imagebuilder/dockerfile/parser" echo "---- list vendored parser files ----" find "$PARSER_DIR" -maxdepth 2 -type f | sort | sed -n '1,200p' echo "---- search for ARG tokens anywhere in vendored parser (case-sensitive) ----" rg -n "\\bARG\\b" "$PARSER_DIR" || true echo "---- search for ENV/LABEL dispatch targets (case-sensitive) ----" rg -n "\\bENV\\b|\\bLABEL\\b" "$PARSER_DIR" || true echo "---- search for 'parse' functions that mention NameVal or key/value parsing ----" rg -n "parseNameVal|parseEnv|parseLabel|name=value|can't find = in|must be of the form: name=value" "$PARSER_DIR" || true echo "---- broad search for substring 'arg' (case-insensitive) to locate ARG parsing ----" rg -n -i "arg" "$PARSER_DIR" | head -n 50 || true echo "---- inspect any dispatcher/switch over instruction names ----" rg -n "switch|case" "$PARSER_DIR" | head -n 80

Repository: openshift/machine-config-operator

Length of output: 5129

🏁 Script executed:

#!/bin/bash set -euo pipefail PARSER_DIR="vendor/github.com/openshift/imagebuilder/dockerfile/parser" FILE="$PARSER_DIR/parser.go" LP="$PARSER_DIR/line_parsers.go" echo "---- show dispatcher mapping for command.Arg/Env/Label ----" rg -n "command\\.Arg|parseNameOrNameVal|command\\.Env|command\\.Label" "$FILE" sed -n '210,270p' "$FILE" | cat -n echo "---- find parseNameOrNameVal in line_parsers.go ----" rg -n "func parseNameOrNameVal" "$LP" line=$(rg -n "func parseNameOrNameVal" "$LP" | head -n1 | cut -d: -f1) start=$((line-40)); end=$((line+140)) sed -n "${start},${end}p" "$LP" | cat -n echo "---- search for specific error strings in line_parsers.go ----" rg -n "can't find = in|must be of the form: name=value" "$LP" echo "---- show nearby comment about allowed assignments (parseNameVal section) ----" # show around line 230-270 where parseNameVal comment starts sed -n '220,280p' "$LP" | cat -n

Repository: openshift/machine-config-operator

Length of output: 11638

Narrow the parser-error bypass in validateContainerfileSyntax

isKnownAdvancedSyntaxError() currently matches generic substrings ("can't find = in" / "must be of the form: name=value") and then returns nil, skipping all AST/instruction validation (pkg/controller/build/buildrequest/buildrequest.go:392-401).

In github.com/openshift/imagebuilder/dockerfile/parser, those exact errors are produced by parseNameVal() and are used for ENV and LABEL parsing (not ARG), so malformed ENV/LABEL can slip through the preflight check.

Replace this broad deny-list substring matching with an allow-list approach that tolerates only the specific advanced/heredoc constructs you intend to accept, while still failing invalid ENV/LABEL syntax.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@pkg/controller/build/buildrequest/buildrequest.go` around lines 392 - 401, The current bypass in validateContainerfileSyntax uses isKnownAdvancedSyntaxError to match generic substrings and returns nil for any match, which lets malformed ENV/LABEL pass; update isKnownAdvancedSyntaxError (and its callers in validateContainerfileSyntax where parser.Parse error is handled) to switch from deny-list substring matches to an explicit allow-list of only the specific advanced constructs you intend to accept (e.g., heredoc/continued-line tokens or exact parser error codes/messages that represent valid advanced syntax), and ensure errors from parseNameVal-related messages (the ENV/LABEL "can't find = in" / "must be of the form: name=value") are not allowed and still cause Parse to return an error so malformed ENV/LABEL fail the preflight check.

Source: Coding guidelines

eric200428 · 2026-06-12T18:01:33Z

/retest

eric200428 · 2026-06-16T20:04:41Z

/retest

openshift-ci · 2026-06-16T20:10:10Z

@eric200428: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

cheesesashimi · 2026-06-17T16:22:40Z

+
+// validateBasicSyntax performs basic sanity checks that don't require parsing
+func (br buildRequestImpl) validateBasicSyntax(containerfile string) error {
+	// Check for at least one FROM instruction


thought (non-blocking): We could achieve the same effect using a regex:

// This matches all lines that begin with "FROM", case-insensitive. Buildah and Podman accept both `FROM image` and `from image`. var basicSyntaxRegex = regexp.MustCompile(`(?m)(?i)^FROM`) func (br buildRequestImpl) validateBasicSyntax(containerfile string) error { if matches := basicSyntaxRegex.FindAllStringSubmatchIndex(containerfile, -1); matches == nil { return fmt.Errorf("containerfile must contain at least one FROM instruction") } return nil }

cheesesashimi · 2026-06-17T16:30:43Z

+	}
+
+	for _, pattern := range knownPatterns {
+		if strings.Contains(errMsg, pattern) {


thought (non-blocking): Typically, one shouldn't match errors in this way. However, given that the parser returns an error whose concrete type is general-purpose, this approach is fine here.

cheesesashimi · 2026-06-17T16:51:41Z

+}
+
+// Valid Dockerfile instructions (comprehensive list including multi-stage build and advanced features)
+var validInstructions = map[string]bool{


suggestion: A version of this map exists here: https://github.com/openshift/imagebuilder/blob/master/dockerfile/command/command.go. Why not import that package and use that map instead? ~~You would need to change strings.ToUpper() to strings.ToLower(), however.~~ EDIT: These values are already lower-cased by the parsing library, so you don't have to call strings.ToLower() on them.

cheesesashimi · 2026-06-17T16:58:43Z

+// instructionRequirements maps Containerfile instructions that MUST have arguments to their requirement descriptions
+// Instructions not in this map either don't require arguments or have optional arguments
+var instructionRequirements = map[string]string{
+	"FROM":       "a base image",


suggestion: You could also use the individual command definitions found in https://github.com/openshift/imagebuilder/blob/master/dockerfile/command/command.go as the map keys, e.g.:

var instructionRequirements = map[string]string{ command.Add: "source and destination paths", command.Arg: "a variable name", // ... }

It would also be a good readability improvement to sort this map literal alphabetically, e.g.:

var instructionRequirements = map[string]string{ "ADD": "source and destination paths", "ARG": "a variable name", // ... }

cheesesashimi · 2026-06-17T17:10:41Z

+	}
+
+	// NONE is valid without additional arguments
+	if instruction == "HEALTHCHECK" && node.Next != nil && strings.EqualFold(node.Next.Value, "NONE") {


suggestion: If you import https://github.com/openshift/imagebuilder/blob/master/dockerfile/command/command.go, you could change this to:

if instruction == command.Healthcheck // ...

eric200428 added 2 commits June 11, 2026 14:25

Update dependencies for imagebuilder parser

08d97ea

Update go.mod, go.sum, and vendor/ for github.com/openshift/imagebuilder dependency required for Containerfile validation.

openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jun 12, 2026

openshift-ci Bot requested review from cheesesashimi and ptalgulk01 June 12, 2026 15:08

update lines to match linting

c37716f

coderabbitai Bot reviewed Jun 12, 2026

View reviewed changes

updated dependencies

70c65da

eric200428 added 2 commits June 16, 2026 13:50

Add required argument validation for instructions

6b44be5

Made linting changes

a9bb484

cheesesashimi reviewed Jun 17, 2026

View reviewed changes

Conversation

eric200428 commented Jun 12, 2026 • edited by coderabbitai Bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary by CodeRabbit

Uh oh!

openshift-merge-bot Bot commented Jun 12, 2026

Uh oh!

openshift-ci-robot commented Jun 12, 2026 • edited by openshift-ci Bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

coderabbitai Bot commented Jun 12, 2026 • edited by openshift-ci Bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Walkthrough

Changes

Estimated code review effort

Pre-merge checks failed

❌ Failed checks (1 error, 1 warning, 1 inconclusive)

Uh oh!

openshift-ci Bot commented Jun 12, 2026

Uh oh!

coderabbitai Bot left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

coderabbitai Bot Jun 12, 2026

Choose a reason for hiding this comment

Uh oh!

eric200428 commented Jun 12, 2026

Uh oh!

eric200428 commented Jun 16, 2026

Uh oh!

openshift-ci Bot commented Jun 16, 2026

Uh oh!

cheesesashimi Jun 17, 2026

Choose a reason for hiding this comment

Uh oh!

cheesesashimi Jun 17, 2026

Choose a reason for hiding this comment

Uh oh!

cheesesashimi Jun 17, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

cheesesashimi Jun 17, 2026

Choose a reason for hiding this comment

Uh oh!

cheesesashimi Jun 17, 2026

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

eric200428 commented Jun 12, 2026 •

edited by coderabbitai Bot

Loading

openshift-ci-robot commented Jun 12, 2026 •

edited by openshift-ci Bot

Loading

coderabbitai Bot commented Jun 12, 2026 •

edited by openshift-ci Bot

Loading

cheesesashimi Jun 17, 2026 •

edited

Loading