Dockerfile lint tool using moby buildkit parser


A Dockerfile linter that helps you build best-practice Docker images (inspired by Haskell Dockerfile Linter).
The Dockerfile is parsed into an AST with the moby/buildkit parser, and the lint rules are checked against that AST.


You can run godolint locally to lint your Dockerfile.

$ godolint <Dockerfile>

To check a Dockerfile:

$ godolint testdata/DL3000_Dockerfile
#3 DL3000 Use absolute WORKDIR. 

$ godolint testdata/DL3001_Dockerfile
#6 DL3001 For some bash commands it makes no sense running them in a Docker container like `ssh`, `vim`, `shutdown`, `service`, `ps`, `free`, `top`, `kill`, `mount`, `ifconfig`. 


You can set some options:

Available options:
  --ignore RULECODE     A rule to ignore. If present, the ignore list in the
                        config file is ignored

Other Commands:
  --help        -h      Help about any command
  --version     -v      Print the version information

To check a Dockerfile while excluding specific rules:

$ godolint --ignore DL3000 testdata/DL3000_Dockerfile


You can download the binary from the release page and place it in a directory on your $PATH.

Or you can use go get

$ go get


Implemented rules:

Rule Description
DL3000 Use absolute WORKDIR.
DL3001 For some bash commands it makes no sense running them in a Docker container like ssh, vim, shutdown, service, ps, free, top, kill, mount, ifconfig.
DL3002 Last user should not be root.
DL3003 Use WORKDIR to switch to a directory.
DL3004 Do not use sudo as it leads to unpredictable behavior. Use a tool like gosu to enforce root.
DL3005 Do not use apt-get upgrade or dist-upgrade.
DL3007 Using latest is prone to errors if the image will ever update. Pin the version explicitly to a release tag.
DL3006 Always tag the version of an image explicitly.
DL3008 Pin versions in apt-get install.
DL3009 Delete the apt-get lists after installing something.
DL3010 Use ADD for extracting archives into an image.
DL3011 Valid UNIX ports range from 0 to 65535.
DL3012 Provide an email address or URL as maintainer. (This rule is DEPRECATED and no longer active)
DL3013 Pin versions in pip.
DL3014 Use the -y switch.
DL3015 Avoid additional packages by specifying --no-install-recommends.
DL3016 Pin versions in npm.
DL3017 Do not use apk upgrade.
DL3018 Pin versions in apk add. Instead of apk add <package> use apk add <package>=<version>.
DL3019 Use the --no-cache switch to avoid the need to use --update and remove /var/cache/apk/* when done installing packages.
DL3020 Use COPY instead of ADD for files and folders.
DL3021 COPY with more than 2 arguments requires the last argument to end with /.
DL3022 COPY --from should reference a previously defined FROM alias.
DL3023 COPY --from cannot reference its own FROM alias.
DL3024 FROM aliases (stage names) must be unique.
DL3025 Use arguments JSON notation for CMD and ENTRYPOINT arguments.
DL4000 MAINTAINER is deprecated.
DL4001 Either use Wget or Curl but not both.
DL4003 Multiple CMD instructions found.
DL4004 Multiple ENTRYPOINT instructions found.
DL4005 Use SHELL to change the default shell.
DL4006 Set the SHELL option -o pipefail before RUN with a pipe in it.


Dockerfile syntax is fully described in the Dockerfile reference.
Just take a look at moby/buildkit in the language-docker project to see the AST definition.
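
How rule checks over parsed instructions can look, as an added example that is not godolint's own code: the `node` type and line-based `parse` function are hypothetical stand-ins for the moby/buildkit parser so that it runs with the standard library only, and `lint` applies DL3000, DL3002 and DL3007 from the list above. DL3002 is evaluated over the whole file here, and flags on FROM are not handled.

```go
package main

import (
	"fmt"
	"strings"
)

// node is a simplified stand-in for one parsed instruction (assumption, not buildkit's type).
type node struct {
	line int
	cmd  string
	args []string
}

// parse skips blank lines and comments; continuations are not handled here.
func parse(src string) (out []node) {
	for i, l := range strings.Split(src, "\n") {
		if f := strings.Fields(l); len(f) > 1 && !strings.HasPrefix(f[0], "#") {
			out = append(out, node{i + 1, strings.ToLower(f[0]), f[1:]})
		}
	}
	return out
}

// lint applies DL3000, DL3002 and DL3007, reporting as "#line CODE message".
func lint(src string) (res []string) {
	add := func(line int, msg string) { res = append(res, fmt.Sprintf("#%d %s", line, msg)) }
	rootLine := 0 // line of the last USER when it selects root, else 0
	for _, n := range parse(src) {
		switch a := n.args[0]; {
		case n.cmd == "workdir" && !strings.HasPrefix(a, "/") && !strings.HasPrefix(a, "$"):
			add(n.line, "DL3000 Use absolute WORKDIR.")
		case n.cmd == "from" && strings.HasSuffix(a, ":latest"):
			add(n.line, "DL3007 Using latest is prone to errors if the image will ever update. Pin the version explicitly to a release tag.")
		case n.cmd == "user":
			rootLine = 0
			if u := strings.SplitN(a, ":", 2)[0]; u == "root" || u == "0" {
				rootLine = n.line
			}
		}
	}
	if rootLine > 0 {
		add(rootLine, "DL3002 Last user should not be root.")
	}
	return res
}

// main lints a constructed sample Dockerfile (not from the project's testdata).
func main() { fmt.Println(strings.Join(lint("FROM debian:latest\nWORKDIR app\nRUN id\nUSER root\n"), "\n")) }
```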


Contributions are of course always welcome!

  1. Fork zabio3/godolint
  2. Run go get to install dependencies
  3. Create a feature branch
  4. Commit your changes
  5. Run test using go test ./...
  6. Create a Pull Request

See for details.
