godolint
A Dockerfile linter that helps you build best practice Docker images (inspired by Haskell Dockerfile Linter).
For static analysis of AST, moby/buildkit parser is used, and lint check is done.
This tool performs docker rule checks based on the parsed AST.
Usage
You can run godolint locally to lint your Dockerfile.
$ godolint <Dockerfile>
Example
To check Dockerfile
$ godolint testdata/DL3000_Dockerfile
#3 DL3000 Use absolute WORKDIR.
$ godolint testdata/DL3001_Dockerfile
#6 DL3001 For some bash commands it makes no sense running them in a Docker container like `ssh`, `vim`, `shutdown`, `service`, `ps`, `free`, `top`, `kill`, `mount`, `ifconfig`.
Options
You can set some options:
Available options:
--ignore RULECODE A rule to ignore. If present, the ignore list in the
config file is ignored
Other Commands:
--help -h Help about any command
--version -v Print the version information
Example
To check Dockerfile (exclude specific rules).
$ godolint --ignore DL3000 testdata/DL3000_Dockerfile
Install
You can download binary from release page and place it in $PATH directory.
Or you can use go get
$ go get github.com/zabio3/godolint
Rules
An implemented rules.
Rule | Description |
---|---|
DL3000 | Use absolute WORKDIR. |
DL3001 | For some bash commands it makes no sense running them in a Docker container like ssh, vim, shutdown, service, ps, free, top, kill, mount, ifconfig. |
DL3002 | Last user should not be root. |
DL3003 | Use WORKDIR to switch to a directory. |
DL3004 | Do not use sudo as it leads to unpredictable behavior. Use a tool like gosu to enforce root. |
DL3005 | Do not use apt-get upgrade or dist-upgrade. |
DL3007 | Using latest is prone to errors if the image will ever update. Pin the version explicitly to a release tag. |
DL3006 | Always tag the version of an image explicitly. |
DL3008 | Pin versions in apt-get install. |
DL3009 | Delete the apt-get lists after installing something. |
DL3010 | Use ADD for extracting archives into an image. |
DL3011 | Valid UNIX ports range from 0 to 65535. |
DL3012 | Provide an email address or URL as maintainer. (This rule is DEPRECATED and no longer active) |
DL3013 | Pin versions in pip. |
DL3014 | Use the -y switch. |
DL3015 | Avoid additional packages by specifying --no-install-recommends. |
DL3016 | Pin versions in npm . |
DL3017 | Do not use apk upgrade . |
DL3018 | Pin versions in apk add. Instead of apk add <package> use apk add <package>=<version> . |
DL3019 | Use the --no-cache switch to avoid the need to use --update and remove /var/cache/apk/* when done installing packages. |
DL3020 | Use COPY instead of ADD for files and folders. |
DL3021 |
COPY with more than 2 arguments requires the last argument to end with / . |
DL3022 |
COPY --from should reference a previously defined FROM alias. |
DL3023 |
COPY --from cannot reference its own FROM alias. |
DL3024 |
FROM aliases (stage names) must be unique. |
DL3025 | Use arguments JSON notation for CMD and ENTRYPOINT arguments. |
DL4000 | MAINTAINER is deprecated. |
DL4001 | Either use Wget or Curl but not both. |
DL4003 | Multiple CMD instructions found. |
DL4004 | Multiple ENTRYPOINT instructions found. |
DL4005 | Use SHELL to change the default shell. |
DL4006 | Set the SHELL option -o pipefail before RUN with a pipe in it. |
AST
Dockerfile syntax is fully described in the Dockerfile reference.
Just take a look at moby/buildkit in the language-docker project to see the AST definition.
Contribution
Contributions are of course always welcome!
- Fork zabio3/godolint (https://github.com/zabio3/godolint/fork)
- Run
go get
to install dependencies - Create a feature branch
- Commit your changes
- Run test using
go test ./...
- Create a Pull Request
See CONTRIBUTING.md
for details.
Top comments (0)