 

Is there a way to lint the Dockerfile?


If a Dockerfile is written with mistakes for example:

CMD ["service", "--config", "/etc/service.conf] (missing quote)

Is there a way to lint it to detect such mistake before building?

eloone asked Jan 27 '15 23:01



3 Answers

Try:

  • Either the Haskell Dockerfile Linter ("hadolint"), also available online. hadolint parses the Dockerfile into an AST and performs checking and validation based on best-practice rules for Docker images. It also uses ShellCheck to lint the Bash code in RUN commands.
  • Or dockerlinter (node.js-based).

I've performed a simple test against a simple Dockerfile with RUN, ADD, ENV and CMD. dockerlinter was smart about grouping the same violation of rules together, but it was not able to inspect as thoroughly as hadolint, possibly due to the lack of ShellCheck to statically analyze the Bash code.

Although dockerlinter falls short in the scope it can lint, it does seem to be much easier to install. npm install -g dockerlinter will do, while compiling hadolint requires a Haskell compiler and build environment and takes forever to compile.

$ hadolint ./api/Dockerfile
L9 SC2046 Quote this to prevent word splitting.
L11 SC2046 Quote this to prevent word splitting.
L8 DL3020 Use COPY instead of ADD for files and folders
L10 DL3020 Use COPY instead of ADD for files and folders
L13 DL3020 Use COPY instead of ADD for files and folders
L18 DL3020 Use COPY instead of ADD for files and folders
L21 DL3020 Use COPY instead of ADD for files and folders
L6 DL3008 Pin versions in apt get install. Instead of `apt-get install <package>` use `apt-get install <package>=<version>`
L6 DL3009 Delete the apt-get lists after installing something
L6 DL3015 Avoid additional packages by specifying `--no-install-recommends`

$ dockerlint ./api/Dockerfile
WARN:  ADD instruction used instead of COPY on line 8, 10, 13, 18, 21
ERROR: ./api/Dockerfile failed.

Update in 2018: since hadolint now has an official Docker Hub repository, you can get the executable quickly:

id=$(docker create hadolint/hadolint:latest)
docker cp "$id":/bin/hadolint .
docker rm "$id"

or you can use this command:

docker container run --rm -i hadolint/hadolint hadolint - < Dockerfile

This is a statically compiled executable (according to ldd hadolint), so it should run regardless of installed libraries. A reference on how the executable is built: https://github.com/hadolint/hadolint/blob/master/docker/Dockerfile.

Devy answered Oct 04 '22 12:10


If you have a Red Hat subscription, you can access the "Linter for Dockerfile" application directly at https://access.redhat.com/labs/linterfordockerfile/; information about the application is located at https://access.redhat.com/labsinfo/linterfordockerfile

This Node.js application is also available on GitHub https://github.com/redhataccess/dockerfile_lint if you prefer to run it locally.

Yves Martin answered Oct 04 '22 11:10


I use npm's dockerfile_lint very successfully in my CI pipeline. You can add or extend rules, and using the package.json you can create different configs for the different jobs. Both a Docker CLI and an Atomic CLI are available.

Docker CLI:

docker run -it --rm --privileged -v `pwd`:/root/ \
         projectatomic/dockerfile-lint \
         dockerfile_lint [-f Dockerfile]

docker run -it --rm --privileged -v `pwd`:/root/  \
         -v /var/run/docker.sock:/var/run/docker.sock \
         projectatomic/dockerfile-lint \
         dockerfile_lint  image <imageid>

Atomic CLI:

 atomic run projectatomic/dockerfile-lint

 atomic run projectatomic/dockerfile-lint image <imageid>

You can also lint your images for tagging.

ekostadinov answered Oct 04 '22 10:10