Is there a way to lint the Dockerfile?
Solution 1
Try:
- Either the Haskell Dockerfile Linter ("hadolint"), also available online.
hadolint
parses the Dockerfile into an AST and performs checking and validation based on best practice Docker images rules. It also uses Shellcheck to lint the Bash code onRUN
commands. - Or dockerlinter (node.js-based).
I've performed a simple test against of a simple Docker file with RUN
, ADD
, ENV
and CMD
. dockerlinter
was smart about grouping the same violation of rules together but it was not able to inspect as thorough as hadolinter
possibly due to the lack of Shellcheck
to statically analyze the Bash code.
Although dockerlinter
falls short in the scope it can lint, it does seem to be much easier to install. npm install -g dockerlinter
will do, while compiling hadolinter
requires a Haskell compiler and build environment that takes forever to compile.
$ hadolint ./api/Dockerfile
L9 SC2046 Quote this to prevent word splitting.
L11 SC2046 Quote this to prevent word splitting.
L8 DL3020 Use COPY instead of ADD for files and folders
L10 DL3020 Use COPY instead of ADD for files and folders
L13 DL3020 Use COPY instead of ADD for files and folders
L18 DL3020 Use COPY instead of ADD for files and folders
L21 DL3020 Use COPY instead of ADD for files and folders
L6 DL3008 Pin versions in apt get install. Instead of `apt-get install <package>` use `apt-get install <package>=<version>`
L6 DL3009 Delete the apt-get lists after installing something
L6 DL3015 Avoid additional packages by specifying `--no-install-recommends`
$ dockerlint ./api/Dockerfile
WARN: ADD instruction used instead of COPY on line 8, 10, 13, 18, 21
ERROR: ./api/Dockerfile failed.
Update in 2018. Since hadolint
has the official Docker repository now, you can get the executable quickly:
id=$(docker create hadolint/hadolint:latest)
docker cp "$id":/bin/hadolint .
docker rm "$id"
This is a statically compiled executable (according to ldd hadolint
), so it should run regardless of installed libraries. A reference on how the executable is built: https://github.com/hadolint/hadolint/blob/master/docker/Dockerfile.
Solution 2
If you have a RedHat subscription, you can access the "Linter for Dockerfile" application directly at https://access.redhat.com/labs/linterfordockerfile/; information about the application is located at https://access.redhat.com/labsinfo/linterfordockerfile
This Node.js application is also available on GitHub https://github.com/redhataccess/dockerfile_lint if you prefer to run it locally.
Solution 3
I use very successfully in my CI pipeline npm's dockerfile_lint. You can add or extend rules. Using the package.json
you can create different configs for the different jobs. There are both
Docker CLI
docker run -it --rm --privileged -v `pwd`:/root/ \
projectatomic/dockerfile-lint \
dockerfile_lint [-f Dockerfile]
docker run -it --rm --privileged -v `pwd`:/root/ \
-v /var/run/docker.sock:/var/run/docker.sock \
projectatomic/dockerfile-lint \
dockerfile_lint image <imageid>
and Atomic CLI available
atomic run projectatomic/dockerfile-lint
atomic run projectatomic/dockerfile-lint image <imageid>
Also you can lint your images for tagging.
Solution 4
I created dockerfile-validator as an extension for VS Code, which uses the dockerfile-lint mentioned in a previous answer. By default it uses dockerfile-lint default rules, but in VS code User Settings (dockerfile-validator.rulefile.path) you can specify a path to a custom rule file with your own coding standards.
Related videos on Youtube
eloone
A living consciousness in this brilliant Universe. Also Software Engineer. Currently: Javascript and Java.
Updated on August 29, 2022Comments
-
eloone over 1 year
If a Dockerfile is written with mistakes for example:
CMD ["service", "--config", "/etc/service.conf]
(missing quote)Is there a way to lint it to detect such mistake before building?
-
Ryne Everett about 9 years
-
-
Devy about 8 years@LuísBianchin Yes, it's made available by the same author - as long as you trust pasting your Dockerfile to a 3rd party, sure.
-
The Godfather over 4 years@Devy why wouldn't you trust it? Do you store secrets inside
Dockerfile
itself? -
nekketsuuu about 4 yearsYou can download hadolint executables from its release page. On macOS, hadolint also can be installed using Homebrew:
brew install hadolint