Haskell Dockerfile Linter (hadolint) is a popular static analysis tool (linter) for your Dockerfiles. It is available for Mac, Windows and Linux.
Reasons to use a linter tool for your Dockerfiles are many:
- Use best practices for Docker images
- Speed up your feedback loop when writing Dockerfiles since the linter can find syntax errors and security vulnerabilities before building your image
- It can check style violations
- Can improve readability and maintainability of the Dockerfiles
- Use them in your CI/CD pipelines
- Deeper knowledge about how to write better Dockerfiles
Here is an example of how you could test drive the hadolint tool.
First we need to install it on our Ubuntu machine (more alternatives are available if you use another platform).
```bash
# Download hadolint
wget https://github.com/hadolint/hadolint/releases/download/v2.12.0/hadolint-Linux-x86_64
# Download SHA256 checksum
wget https://github.com/hadolint/hadolint/releases/download/v2.12.0/hadolint-Linux-x86_64.sha256
# Validate the checksum (expect "hadolint-Linux-x86_64: OK"; do not continue if it reports FAILED)
sha256sum -c hadolint-Linux-x86_64.sha256
# Make the file executable
chmod +x ./hadolint-Linux-x86_64
# Rename the file
mv hadolint-Linux-x86_64 hadolint
```
Let's create a Dockerfile to test the tool with now. Add the following content to a file named Dockerfile (it intentionally contains mistakes for the linter to find).
```dockerfile
FROM debian
RUN export node_version="0.10" \
    && apt-get update && apt-get -y install nodejs="$node_verion"
COPY package.json usr/src/app
RUN cd /usr/src/app \
    && npm install node-static
EXPOSE 80000
CMD ["npm", "start"]
```
Now validate the Dockerfile with this command.
```bash
./hadolint Dockerfile
```
You should get something like this as a result.
Each line is structured in this way: `<Filename>:<Line number> <Rule identifier> <Severity>: <Description>`. So the first line, `Dockerfile:1 DL3006 warning: Always tag the version of an image explicitly`, can be interpreted like this:
- Line one of the Dockerfile, `Dockerfile:1`
- triggered the rule `DL3006`
- and the severity of the rule is `warning`
- and it has the description `Always tag the version of an image explicitly`
To get deeper knowledge you can use the rule identifier, DL3006, to look it up in the rule section. Not all rules are listed there, but it is a great source to read more about a given issue.
Of course it's also possible to configure the tool for different projects by creating a hadolint.yml configuration file. With this file you can, for example, ignore rules, define trusted repositories and more.
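Because the output format above is so regular, it is easy to post-process in a CI/CD pipeline. The following script is an added example (not part of the original post or of the hadolint project): it parses hadolint's plain-text findings, counts them by severity, and fails the step when anything at or above a chosen severity is found. The sample output embedded in it is constructed to resemble what hadolint prints for the Dockerfile above; only its first line is quoted from the post.

```python
import re
import subprocess
import sys
from collections import Counter

# One finding per line, in the format the post describes:
# <Filename>:<Line number> <Rule identifier> <Severity>: <Description>
FINDING_RE = re.compile(
    r"^(?P<file>[^:\s]+):(?P<line>\d+) (?P<rule>[A-Z]+\d+) "
    r"(?P<severity>error|warning|info|style): (?P<desc>.*)$"
)
SEVERITY_RANK = {"style": 0, "info": 1, "warning": 2, "error": 3}

def parse_findings(output):
    """Turn hadolint's plain-text output into a list of dicts."""
    findings = []
    for raw in output.splitlines():
        m = FINDING_RE.match(raw.strip())
        if m:  # skip blank lines and anything that is not a finding
            f = m.groupdict()
            f["line"] = int(f["line"])
            findings.append(f)
    return findings

def count_by_severity(findings):
    return Counter(f["severity"] for f in findings)

def violates_threshold(findings, threshold="warning"):
    """True if any finding is at or above the given severity."""
    limit = SEVERITY_RANK[threshold]
    return any(SEVERITY_RANK[f["severity"]] >= limit for f in findings)

def lint_gate(dockerfile="Dockerfile", threshold="warning", hadolint="./hadolint"):
    """Run hadolint (assumed to be in the current directory) and return (findings, exit code)."""
    proc = subprocess.run([hadolint, dockerfile], capture_output=True, text=True)
    findings = parse_findings(proc.stdout)
    return findings, 1 if violates_threshold(findings, threshold) else 0

# Constructed sample output modelled on the post's Dockerfile; only the first line is from the post.
SAMPLE_OUTPUT = """\
Dockerfile:1 DL3006 warning: Always tag the version of an image explicitly
Dockerfile:2 DL3008 warning: Pin versions in apt get install.
Dockerfile:2 DL3009 info: Delete the apt-get lists after installing something.
Dockerfile:2 SC2154 warning: node_verion is referenced but not assigned.
Dockerfile:7 DL3011 error: Valid UNIX ports range from 0 to 65535
"""

if __name__ == "__main__":
    findings, rc = lint_gate(sys.argv[1] if len(sys.argv) > 1 else "Dockerfile")
    for f in findings:
        print(f"{f['severity']:7} {f['rule']} line {f['line']}: {f['desc']}")
    print(dict(count_by_severity(findings)))
    sys.exit(rc)
```

Run it as `python3 lint_gate.py Dockerfile` after the install steps above; the exit code makes the pipeline step fail on warnings or errors while still printing info and style findings.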
There is also an online version of the hadolint tool here if you don't want to try it out on your machine.
To set up the tool with GitHub Actions you can use the hadolint action.
```yaml
name: Lint Dockerfile
on: push
jobs:
  linter:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Lint Dockerfile
        uses: hadolint/hadolint-action@master
        with:
          dockerfile: "Dockerfile"
```
As you can see the tool is easy to get started with and it will increase the quality of your Dockerfiles in seconds. Hadolint is not the only linter out there for Dockerfiles. The Docker Engine includes one as well, but it is aimed more at checking basic errors. Then there is also a linting tool from Snyk that is probably more focused on security issues.
Happy linting!