Is there a way to lint the Dockerfile?
J

6

31

If a Dockerfile is written with mistakes, for example:

CMD ["service", "--config", "/etc/service.conf] (missing quote)

Is there a way to lint it to detect such a mistake before building?

Jennine answered 27/1, 2015 at 23:36 Comment(2)
github.com/redhataccess/dockerfile_lint - Phylis
I use dockerfile-lint very successfully in a Buddy pipeline. The Dockerfile lint action should always come as the first action in pipelines. Some of the rules were inspired by the Dockerfile documentation. Configuration is very simple and involves selecting the Dockerfile from the filesystem. - Gonfalonier
S
32

Try:

I've performed a simple test against a simple Dockerfile with RUN, ADD, ENV and CMD. dockerlinter was smart about grouping the same violation of rules together, but it was not able to inspect as thoroughly as hadolinter, possibly due to the lack of ShellCheck to statically analyze the Bash code.

Although dockerlinter falls short in the scope it can lint, it does seem to be much easier to install. npm install -g dockerlinter will do, while compiling hadolinter requires a Haskell compiler and build environment that takes forever to compile.

$ hadolint ./api/Dockerfile
L9 SC2046 Quote this to prevent word splitting.
L11 SC2046 Quote this to prevent word splitting.
L8 DL3020 Use COPY instead of ADD for files and folders
L10 DL3020 Use COPY instead of ADD for files and folders
L13 DL3020 Use COPY instead of ADD for files and folders
L18 DL3020 Use COPY instead of ADD for files and folders
L21 DL3020 Use COPY instead of ADD for files and folders
L6 DL3008 Pin versions in apt get install. Instead of `apt-get install <package>` use `apt-get install <package>=<version>`
L6 DL3009 Delete the apt-get lists after installing something
L6 DL3015 Avoid additional packages by specifying `--no-install-recommends`

$ dockerlint ./api/Dockerfile
WARN:  ADD instruction used instead of COPY on line 8, 10, 13, 18, 21
ERROR: ./api/Dockerfile failed.

Update in 2018. Since hadolint has the official Docker repository now, you can get the executable quickly:

id=$(docker create hadolint/hadolint:latest)
docker cp "$id":/bin/hadolint .
docker rm "$id"

or you can use this command

docker container run --rm -i hadolint/hadolint hadolint - < Dockerfile

This is a statically compiled executable (according to ldd hadolint), so it should run regardless of installed libraries. A reference on how the executable is built: https://github.com/hadolint/hadolint/blob/master/docker/Dockerfile.

Somnambulism answered 12/1, 2016 at 19:19 Comment(3)
@LuísBianchin Yes, it's made available by the same author - as long as you trust pasting your Dockerfile to a 3rd party, sure. - Somnambulism
@Somnambulism why wouldn't you trust it? Do you store secrets inside Dockerfile itself? - Galagalactagogue
You can download hadolint executables from its release page. On macOS, hadolint also can be installed using Homebrew: brew install hadolint - Middleman
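As an added example (not part of any answer here, and not code from hadolint or dockerlint): a minimal Python check for the question's missing-quote mistake, plus a simplified ADD-versus-COPY rule modelled on the DL3020 output shown above, with findings grouped per rule. The rule names, the `SAMPLE` Dockerfile and the archive/URL heuristic are assumptions made for illustration.

```python
import json
import re

EXEC_FORM = {"ADD", "CMD", "COPY", "ENTRYPOINT", "RUN", "SHELL", "VOLUME"}
ARCHIVE_OR_URL = re.compile(r"https?://|\.(tar|tgz|gz|bz2|xz)\b")

# Constructed sample; line 5 repeats the missing-quote mistake from the question.
SAMPLE = """\
FROM debian:12
ADD app.tar.gz /opt/
ADD service.conf /etc/service.conf
ADD entrypoint.sh /usr/local/bin/
CMD ["service", "--config", "/etc/service.conf]
"""

def logical_lines(text):
    """Yield (first_line_no, instruction), joining backslash continuations."""
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not buf and (not line or line.startswith("#")):
            continue
        start = start or no
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, buf + line
        buf, start = "", 0

def lint(text):
    """Return {rule: [line numbers]} so repeated findings are grouped per rule."""
    findings = {}
    for no, instr in logical_lines(text):
        keyword, _, args = instr.partition(" ")
        keyword, args = keyword.upper(), args.strip()
        # An argument list that opens like a JSON array but does not parse is
        # not rejected by the builder; it is run as a shell-form string instead.
        if keyword in EXEC_FORM and re.match(r'\[\s*"', args):
            try:
                json.loads(args)
            except ValueError:
                findings.setdefault("bad-exec-form", []).append(no)
        # Simplified heuristic: plain local files and folders belong in COPY.
        if keyword == "ADD" and not ARCHIVE_OR_URL.search(args):
            findings.setdefault("add-instead-of-copy", []).append(no)
    return findings

if __name__ == "__main__":
    for rule, lines in lint(SAMPLE).items():
        print(f"{rule}: line {', '.join(map(str, lines))}")
```

The check ignores heredocs and comments inside continued instructions, so it complements a real linter in CI rather than replacing one.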
T
3

If you have a RedHat subscription, you can access the "Linter for Dockerfile" application directly at https://access.redhat.com/labs/linterfordockerfile/; information about the application is located at https://access.redhat.com/labsinfo/linterfordockerfile

This Node.js application is also available on GitHub https://github.com/redhataccess/dockerfile_lint if you prefer to run it locally.

Thielen answered 11/2, 2015 at 7:9 Comment(0)
M
2

I use npm's dockerfile_lint very successfully in my CI pipeline. You can add or extend rules. Using the package.json you can create different configs for the different jobs. There are both

Docker CLI

docker run -it --rm --privileged -v `pwd`:/root/ \
         projectatomic/dockerfile-lint \
         dockerfile_lint [-f Dockerfile]

docker run -it --rm --privileged -v `pwd`:/root/ \
         -v /var/run/docker.sock:/var/run/docker.sock \
         projectatomic/dockerfile-lint \
         dockerfile_lint image <imageid>

and Atomic CLI available

 atomic run projectatomic/dockerfile-lint

 atomic run projectatomic/dockerfile-lint image <imageid>

Also you can lint your images for tagging.

Myelencephalon answered 9/8, 2016 at 8:23 Comment(0)
B
2

I created dockerfile-validator as an extension for VS Code, which uses the dockerfile-lint mentioned in a previous answer. By default it uses the dockerfile-lint default rules, but in the VS Code User Settings (dockerfile-validator.rulefile.path) you can specify a path to a custom rule file with your own coding standards.

Bloom answered 2/6, 2018 at 12:58 Comment(0)
S
1

Recently, I came across dockerfilelint, which is Node.js based.

dockerfilelint Dockerfile

It supports the following rules and rudimentary CMD checks:

required_params
uppercase_commands
from_first
invalid_line
sudo_usage
apt-get_missing_param
apt-get_recommends
apt-get-upgrade
apt-get-dist-upgrade
apt-get-update_require_install
apkadd-missing_nocache_or_updaterm
apkadd-missing-virtual
invalid_port
invalid_command
expose_host_port
label_invalid
missing_tag
latest_tag
extra_args
missing_args
add_src_invalid
add_dest_invalid
invalid_workdir
invalid_format
apt-get_missing_rm
deprecated_in_1.13

Hadolint seems like a better option, but this may suffice for simple needs. Also, GitHub's super-linter uses this.

Sarcophagus answered 10/7, 2020 at 23:5 Comment(0)
C
-1

I'm not too familiar with Go, but it looks like you can simply call the Parse method as is done in the test suite here. If that does not return an err then your lint passes. I'm assuming that's trivial to expose to a script or something to call during development.

Carbaugh answered 28/1, 2015 at 6:22 Comment(0)
