Haskell Dockerfile Linter (hadolint) is a popular static analysis tool (linter) for your Dockerfiles. It is available for Mac, Windows and Linux.
Reasons to use a linter tool for your Dockerfiles are many:
- Use best practices for Docker images
- Speed up your feedback loop when writing Dockerfiles since the linter can find syntax errors and security vulnerabilities before building your image
- It can check style violations
- Can improve readability and maintainability of the Dockerfiles
- Use them in your CI/CD pipelines
- Deeper knowledge about how to write better Dockerfiles
Here is an example of how you could test drive the hadolint tool.
First we need to install it on our Ubuntu machine (more alternatives are available if you use another platform).
```bash
# Download hadolint
wget https://github.com/hadolint/hadolint/releases/download/v2.12.0/hadolint-Linux-x86_64
# Download SHA256 checksum
wget https://github.com/hadolint/hadolint/releases/download/v2.12.0/hadolint-Linux-x86_64.sha256
# Validate the checksum
sha256sum -c hadolint-Linux-x86_64.sha256
# Make the file executable
chmod +x ./hadolint-Linux-x86_64
# Rename the file
mv hadolint-Linux-x86_64 hadolint
```
Let's create a Dockerfile to test the tool with. Add the following content to a file named Dockerfile (it contains several deliberate mistakes for the linter to find).

```dockerfile
FROM debian
RUN export node_version="0.10" \
    && apt-get update && apt-get -y install nodejs="$node_verion"
COPY package.json usr/src/app
RUN cd /usr/src/app \
    && npm install node-static
EXPOSE 80000
CMD ["npm", "start"]
```
Now validate the Dockerfile with this command.
You should get something like this as a result.
Each line is structured in this way:

<Filename>:<Line number> <Rule identifier> <Severity>: <Description>

So the first line,

Dockerfile:1 DL3006 warning: Always tag the version of an image explicitly

can be interpreted like this:
- Line one of the Dockerfile
- triggered the rule DL3006
- the severity of the rule is warning
- and it has the description: Always tag the version of an image explicitly
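The output format just described is simple enough to consume in a CI job. The script below is an added example (not part of hadolint or this post): it parses lines in that format, counts findings per severity, and decides whether the build should fail once any non-ignored finding reaches a chosen threshold, which is the same idea as hadolint's own failure-threshold and ignore options. The sample output is constructed; only the DL3006 line is quoted from the text, the remaining rule lines are assumed for illustration.

```python
import re
from collections import Counter

# hadolint's default output format, as described above:
# <Filename>:<Line number> <Rule identifier> <Severity>: <Description>
LINE_RE = re.compile(
    r"^(?P<file>[^:]+):(?P<line>\d+)\s+(?P<rule>[A-Z]+\d+)\s+"
    r"(?P<severity>error|warning|info|style):\s+(?P<description>.*)$"
)

# Ranking used to compare a finding against the failure threshold.
SEVERITY_RANK = {"style": 0, "info": 1, "warning": 2, "error": 3}

# Constructed sample output for the Dockerfile above (first line is from the
# text; the other three lines are assumed for illustration).
SAMPLE_OUTPUT = """\
Dockerfile:1 DL3006 warning: Always tag the version of an image explicitly
Dockerfile:2 DL3008 warning: Pin versions in apt get install
Dockerfile:4 DL3016 warning: Pin versions in npm
Dockerfile:5 DL3011 error: Valid UNIX ports range from 0 to 65535
"""


def parse_findings(output):
    """Turn raw hadolint text output into a list of finding dicts."""
    findings = []
    for raw in output.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        match = LINE_RE.match(raw)
        if not match:
            raise ValueError(f"unrecognised hadolint line: {raw!r}")
        finding = match.groupdict()
        finding["line"] = int(finding["line"])
        findings.append(finding)
    return findings


def count_by_severity(findings):
    """Count findings per severity, e.g. {'warning': 3, 'error': 1}."""
    return Counter(f["severity"] for f in findings)


def should_fail(findings, threshold="warning", ignored=()):
    """CI gate: fail when any non-ignored finding is at or above threshold."""
    floor = SEVERITY_RANK[threshold]
    return any(
        SEVERITY_RANK[f["severity"]] >= floor and f["rule"] not in ignored
        for f in findings
    )
```

Pipe real output in with something like `./hadolint Dockerfile | python3 gate.py` once `SAMPLE_OUTPUT` is replaced by `sys.stdin.read()`.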
To dig deeper you can use the rule identifier, DL3006, to look it up in the rules section; not every rule is listed there, but it is a great source for reading more about a given issue.
Of course it's also possible to configure the tool for different projects by creating a hadolint.yml configuration file. With this file you could for example ignore rules, define trusted repositories and more.
There is also an online version of the hadolint tool here if you don't want to try it out on your machine.
To set up the tool with GitHub Actions you can use the hadolint action.

```yaml
name: Lint Dockerfile
on: push
jobs:
  linter:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Lint Dockerfile
        uses: hadolint/hadolint-action@master
        with:
          dockerfile: "Dockerfile"
```
As you can see, the tool is easy to get started with and it will increase the quality of your Dockerfiles in seconds. Hadolint is not the only linter out there for Dockerfiles. The Docker Engine includes one too, but it is aimed more at catching basic errors. There is also a linting tool from Snyk that is probably more focused on security issues.