Linter and validator for Dockerfile

dockerfilelint is a Node module that analyzes a Dockerfile, looks for common traps and mistakes, and helps enforce best practices.

Installation

Global installation with npm package manager.

npm install -g dockerfilelint

Testing

Run the unit tests with npm test, yarn run test, or docker-compose -f docker-compose.test.yml up

Running

From the command line:

./bin/dockerfilelint <path/to/Dockerfile>

Command Line options

Usage: dockerfilelint [files | content..] [options]

Options:
  -o, --output   Specify the format to use for output of linting results. Valid values are `json` or `cli` (default).  [string]
  -j, --json     Output linting results as JSON, equivalent to `-o json`.  [boolean]
  -v, --version  Show version number  [boolean]
  -h, --help     Show help  [boolean]

Examples:
  dockerfilelint Dockerfile           Lint a Dockerfile in the current working directory
  dockerfilelint test/example/* -j    Lint all files in the test/example directory and output results in JSON
  dockerfilelint 'FROM latest'        Lint the contents given as a string on the command line
  dockerfilelint < Dockerfile         Lint the contents of Dockerfile via stdin

Configuring

You can configure the linter by creating a .dockerfilelintrc with the following syntax:

rules:
  uppercase_commands: off

The rule keys are the rule names defined in the /lib/reference.js file. At this time, it's only possible to disable rules; they are all enabled by default.

The following rules are supported:

required_params
uppercase_commands
from_first
invalid_line
sudo_usage
apt-get_missing_param
apt-get_recommends
apt-get_upgrade
apt-get_dist-upgrade
apt-get_update_require_install
apkadd-missing_nocache_or_updaterm
apkadd-missing-virtual
invalid_port
invalid_command
expose_host_port
label_invalid
missing_tag
latest_tag
extra_args
missing_args
add_src_invalid
add_dest_invalid
invalid_workdir
invalid_format
apt-get_missing_rm
deprecated_in_1.13

From a Docker container

(Replace `pwd`/Dockerfile with the path to your local Dockerfile.)

docker run -v `pwd`/Dockerfile:/Dockerfile replicated/dockerfilelint /Dockerfile

Online

If you don't want to install this locally you can try it out on https://fromlatest.io.

Checks performed

FROM

- This should be the first command in the Dockerfile
- Base image should specify a tag
- Base image should not use latest tag
- Support FROM scratch without a tag
- Support the FROM <image>@<digest> syntax
- Allow config to specify "allowed" base layers

MAINTAINER

- Should be followed by exactly 1 parameter (@ sign)

RUN

- sudo is not included in the command
- apt-get [install | upgrade | remove] should include a -y flag
- apt-get install commands should include a --no-install-recommends flag
- apt-get install commands should be paired with a rm -rf /var/lib/apt/lists/* in the same layer
- Avoid running apt-get upgrade or apt-get dist-upgrade
- Never run apt-get update without apt-get install on the same line
- apk add commands should include a --no-cache flag or be paired with an --update flag with rm -rf /var/cache/apk/* in the same layer
- apk add support for --virtual flag
- Handle best practices for yum operations and cleanup

CMD

- Only a single CMD layer is allowed
- Better handling of escaped quotes
- Detect exec format with expected variable substitution

LABEL

- Format should be key=value

EXPOSE

- Only the container port should be listed
- All ports should be exposed in a single cache layer (line)
- The same port number should not be exposed multiple times
- Exposed ports should be numeric and in the accepted range

ENV

- Format of ENV
- Best practice of only using a single ENV line to reduce cache layer count

ADD

- Command should have at least 2 parameters
- Source command(s) cannot be absolute or relative paths that exist outside of the current build context
- Commands with wildcards or multiple sources require that destination is a directory, not a file
- If an ADD command could be a COPY, then COPY is preferred
- Using ADD to fetch remote files is discouraged because they cannot be removed from the layer

COPY

- Implement checking (similar to ADD)
- Do not COPY multiple files on a single command to best use cache

ENTRYPOINT

- Support

VOLUME

- Format
- Any build steps after VOLUME is declared should not change VOLUME contents
- If JSON format, double quotes are required

USER

- Should be followed by exactly 1 parameter

WORKDIR

- Validate that it has exactly 1 parameter
- WORKDIR can only expand variables previously set in ENV commands

ARG

- Support
- Prevent redefining the built-in ARGs (proxy)

ONBUILD

- Support

STOPSIGNAL

- Validate input
- Only present one time

HEALTHCHECK

- No additional parameters when only parameter is NONE
- Options before CMD are valid
- Options before CMD have additional arguments
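To make the checks above concrete, here is an added example (not dockerfilelint's own code) of a small stand-alone linter that implements a handful of the listed rules in plain Node.js and runs them over two constructed Dockerfiles: one with the problems the rules target and a hardened version of the same image. The rule ids follow the list in the Configuring section; the Dockerfile text, messages and finding format are constructed for this example.

```javascript
// Added example, not dockerfilelint's own code: a mini-linter implementing some
// of the FROM, RUN, EXPOSE and LABEL checks listed in this README.

// Split a Dockerfile into logical instructions: join backslash continuations,
// drop blank and comment lines, remember the line each instruction starts on.
function parseInstructions(text) {
  const raw = text.split(/\r?\n/);
  const out = [];
  for (let i = 0; i < raw.length; i += 1) {
    const start = i + 1;
    let line = raw[i].trim();
    if (!line || line.startsWith('#')) continue;
    while (line.endsWith('\\') && i + 1 < raw.length) {
      i += 1;
      line = `${line.slice(0, -1)} ${raw[i].trim()}`;
    }
    const m = line.match(/^(\S+)\s*(.*)$/);
    out.push({ line: start, cmd: m[1].toUpperCase(), args: m[2].trim() });
  }
  return out;
}

// Break a RUN argument string into the shell commands it chains.
function shellCommands(args) {
  return args.split(/&&|\|\||;|\|/).map((c) => c.trim()).filter(Boolean);
}

const APT_SUBCOMMANDS = new Set(['install', 'upgrade', 'dist-upgrade', 'remove', 'update']);

// The apt-get rules from the RUN section, evaluated per RUN layer.
function checkAptGet(instr, report) {
  let sawUpdate = false;
  let sawInstall = false;
  for (const command of shellCommands(instr.args)) {
    const tokens = command.replace(/^sudo\s+/, '').split(/\s+/);
    if (tokens[0] !== 'apt-get') continue;
    const sub = tokens.slice(1).find((t) => APT_SUBCOMMANDS.has(t));
    // -y may be given alone, clustered (-qy) or spelled out.
    const assumeYes = tokens.some((t) => /^-[a-zA-Z]*y[a-zA-Z]*$/.test(t) || t === '--yes' || t === '--assume-yes');
    if (sub === 'update') sawUpdate = true;
    if (sub === 'install') {
      sawInstall = true;
      if (!tokens.includes('--no-install-recommends')) report(instr, 'apt-get_recommends', 'apt-get install should use --no-install-recommends');
    }
    if (['install', 'upgrade', 'remove'].includes(sub) && !assumeYes) report(instr, 'apt-get_missing_param', `apt-get ${sub} should include -y`);
    if (sub === 'upgrade') report(instr, 'apt-get_upgrade', 'avoid apt-get upgrade');
    if (sub === 'dist-upgrade') report(instr, 'apt-get_dist-upgrade', 'avoid apt-get dist-upgrade');
  }
  if (sawUpdate && !sawInstall) report(instr, 'apt-get_update_require_install', 'apt-get update without apt-get install in the same layer');
  if (sawInstall && !/rm\s+-rf\s+\/var\/lib\/apt\/lists/.test(instr.args)) report(instr, 'apt-get_missing_rm', 'apt-get install without rm -rf /var/lib/apt/lists/* in the same layer');
}

// Lint a Dockerfile string; returns an array of { line, rule, message }.
function lint(text) {
  const findings = [];
  const report = (instr, rule, message) => findings.push({ line: instr.line, rule, message });
  const instrs = parseInstructions(text);
  if (instrs.length && instrs[0].cmd !== 'FROM') report(instrs[0], 'from_first', 'FROM should be the first instruction');
  for (const instr of instrs) {
    const { cmd, args } = instr;
    if (cmd === 'FROM') {
      const image = args.split(/\s+/)[0];   // ignores "AS <stage>"
      const name = image.split('/').pop();  // registry:port/ns/name:tag -> name:tag
      if (image !== 'scratch' && !image.includes('@')) {
        if (!name.includes(':')) report(instr, 'missing_tag', 'base image should specify a tag');
        else if (name.split(':')[1] === 'latest') report(instr, 'latest_tag', 'base image should not use the latest tag');
      }
    } else if (cmd === 'RUN') {
      if (/(^|\s)sudo(\s|$)/.test(args)) report(instr, 'sudo_usage', 'sudo is not needed in RUN');
      checkAptGet(instr, report);
    } else if (cmd === 'EXPOSE') {
      for (const port of args.split(/\s+/)) {
        if (port.includes(':')) { report(instr, 'expose_host_port', 'only the container port should be listed'); continue; }
        const m = port.match(/^(\d+)(?:\/(?:tcp|udp))?$/);
        if (!m || Number(m[1]) < 1 || Number(m[1]) > 65535) report(instr, 'invalid_port', `port ${port} is not numeric or not in range`);
      }
    } else if (cmd === 'LABEL' && !/^\S+=/.test(args)) {
      report(instr, 'label_invalid', 'LABEL format should be key=value');
    }
  }
  return findings;
}

// Constructed sample exhibiting several of the problems the checks target...
const BAD_DOCKERFILE = [
  'FROM ubuntu',
  'RUN sudo apt-get update && apt-get install curl',
  'RUN apt-get update',
  'RUN apt-get -y upgrade',
  'EXPOSE 8080:80 99999',
  'LABEL maintainer Example',
].join('\n');

// ...and the same image with each finding addressed (constructed as well).
const GOOD_DOCKERFILE = [
  'FROM ubuntu:22.04',
  'RUN apt-get update && apt-get install -y --no-install-recommends curl \\',
  '    && rm -rf /var/lib/apt/lists/*',
  'EXPOSE 80',
  'LABEL maintainer="Example"',
].join('\n');

for (const f of lint(BAD_DOCKERFILE)) console.log(`line ${f.line}: ${f.rule}: ${f.message}`);
console.log(`findings in hardened Dockerfile: ${lint(GOOD_DOCKERFILE).length}`);
```

The bad sample produces ten findings (missing_tag, sudo_usage, the three apt-get install rules, apt-get_update_require_install, apt-get_upgrade, expose_host_port, invalid_port and label_invalid) and the hardened one produces none. Note that the apt-get rules are evaluated per RUN layer, which is why `apt-get update` on its own line is flagged while the same command chained with an install in one layer is not.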

Misc