hadolint - Dockerfile linter

Haskell Dockerfile Linter (hadolint) is a popular static analysis tool (linter) for your Dockerfiles. It is available for Mac, Windows and Linux.

Reasons to use a linter tool for your Dockerfiles are many:

• Use best practices for Docker images
• Speed up your feedback loop when writing Dockerfiles since the linter can find syntax errors and security vulnerabilities before building your image
• It can check style violations
• Can improve readability and maintainability of the Dockerfiles
• Use them in your CI/CD pipelines
• Deeper knowledge about how to write better Dockerfiles

Here is an example on how you could test drive the hadolint tool.

First we need to install it on our Ubuntu machine (more alternatives is available if you use another platform).

# Download hadolint
wget https://github.com/hadolint/hadolint/releases/download/v2.12.0/hadolint-Linux-x86_64
# Download SHA256 checksum
wget https://github.com/hadolint/hadolint/releases/download/v2.12.0/hadolint-Linux-x86_64.sha256
# Validate the checksum
sha256sum -c hadolint-Linux-x86_64.sha256 
# Make the file executable
chmod +x ./hadolint-Linux-x86_64
# Rename the file
mv hadolint-Linux-x86_64 hadolint

Lets create a Dockerfile to test the tool with now, add the following content to a Dockerfile.

FROM debian
RUN export node_version="0.10" \
&& apt-get update && apt-get -y install nodejs="$node_verion"
COPY package.json usr/src/app
RUN cd /usr/src/app \
&& npm install node-static

EXPOSE 80000
CMD ["npm", "start"]

Now validate the Dockerfile with this command.

./hadolint Dockerfile 

You should get something like this as a result.

Each line is structured in this way, <Filename>:<Line number> <Rule identifier> <Severity>: <Description>. So the first line, Dockerfile:1 DL3006 warning: Always tag the version of an image explicitly, can be interpreted like this:

• Line one of the Dockerfile, Dockerfile:1
• triggered the rule DL3006
• and the severity of the rule is warning
• and has the description, Always tag the version of an image explicitly

To get deeper knowledge you can sometimes use the rule identifier, DL3006, to look it up in the rule section, not all are listed there, however this is a great source to read more about the given issue.

Of course it's also possible to configure the tool for different projects by creating a hadolint.yml configuration file. With this file you could for example ignore rules, define trusted repositories and more.

There is also an online version of the hadolint tool here if you don't want to try it out on your machine.

To setup the the tool with GitHub Actions you can use the hadolint action.

name: Lint Dockerfile

on: push

jobs:
  linter:
    runs-on: ubuntu-latest
    steps:

      - uses: actions/checkout@v2

      - name: Lint Dockerfile
        uses: hadolint/hadolint-action@master
        with:
          dockerfile: "Dockerfile"

As you can see the tool is easy to get started with and it will increase the quality of your Dockerfiles in seconds. Hadolint is not the only linter out there for Dockerfiles. The Docker Engine includes one also, but more for checking basic errors. Then there is also a linting tool from Snyk that probably is more focused on security issues.

Happy linting!