Dockerfile Linter
Analyze your Dockerfile for best practices, security issues, and optimization opportunities with instant feedback and actionable suggestions.
Using `latest` tag in FROM (image: ubuntu:latest)
Pin a specific version tag, e.g. ubuntu:22.04 instead of ubuntu:latest.
ADD used where COPY would suffice
Use COPY instead of ADD for copying local files. ADD also auto-extracts local tar archives and fetches remote URLs, which can put unexpected content into the image.
Using `apt-get install` without `--no-install-recommends`
Add --no-install-recommends to avoid installing unnecessary packages and reduce image size.
Using `apt-get install` without `-y` flag
Add -y flag to avoid interactive prompts: apt-get install -y.
Using `apt-get install` without `--no-install-recommends`
Add --no-install-recommends to avoid installing unnecessary packages and reduce image size.
Missing `apt-get clean` or `rm -rf /var/lib/apt/lists/*` after install
Clean up apt cache in the same RUN layer to reduce image size.
Using `sudo` in Dockerfile
Avoid sudo. Use USER to switch users, or run commands as root directly (default in Docker).
EXPOSE with no port number
Specify a valid port number, e.g. EXPOSE 8080.
Missing HEALTHCHECK instruction
Add a HEALTHCHECK to let Docker know how to check that the container is still working.
Running as root — no USER instruction found
Add a USER instruction to run the container as a non-root user for better security.
CMD uses shell form instead of exec form
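Use exec form: CMD ["executable", "arg1", "arg2"] for proper signal handling. Shell form wraps the command in /bin/sh -c, so the application is not PID 1 and does not receive signals such as SIGTERM from docker stop.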
Consider using a .dockerignore file
A .dockerignore file helps exclude unnecessary files from the build context, speeding up builds and reducing image size.
4 consecutive RUN instructions found
Combine RUN instructions using && to reduce image layers.
WORKDIR should use an absolute path
Use an absolute path, e.g. WORKDIR /app instead of WORKDIR app.
What Is a Dockerfile Linter?
A Dockerfile Linter is a static analysis tool that examines your Dockerfile instructions and flags potential issues. It checks for common mistakes, security vulnerabilities (like running as root), deprecated syntax, inefficient layering, missing health checks, and unpinned base image tags. Similar to tools like Hadolint, it provides severity-rated feedback with concrete suggestions to help you build smaller, safer, and more maintainable container images.
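A sketch of how a few of the checks listed above work as static analysis, added here as an example and not the linter's own code. The rule IDs, messages and sample Dockerfile are constructed; as assumptions beyond the page, an untagged image is treated like `latest` and a final `USER root` is flagged like a missing USER.

```python
import re
# Constructed sample input. Rule IDs (EX001...) are hypothetical, not the tool's.
SAMPLE = """\
FROM ubuntu:latest
RUN apt-get update && \\
    apt-get install curl
ADD ./src /app/src
CMD python3 /app/src/main.py
"""

def instructions(text):
    """Yield (start_line, KEYWORD, args), joining backslash continuations."""
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#"):
            start = start if buf else no
            buf += line.rstrip("\\") + " "
            if not line.endswith("\\"):
                word, _, args = buf.strip().partition(" ")
                yield start, word.upper(), args.strip()
                buf = ""

def lint(text):
    """Return (line, rule_id, message) findings; line 0 means whole file."""
    out, stages, user = [], {"scratch"}, ""
    for no, kw, args in instructions(text):
        toks = [t for t in args.split() if not t.startswith("--")]
        if kw == "FROM" and toks:
            tag = toks[0].rsplit("/", 1)[-1].partition(":")[2]
            if toks[0] not in stages and "@" not in toks[0] and tag in ("", "latest"):
                out.append((no, "EX001", f"unpinned base image {toks[0]}"))
            stages.update(toks[2:3])  # remember "AS <name>" build stages
        elif kw == "RUN":
            for cmd in re.split(r"&&|;", args):
                if re.search(r"\bapt-get\b.*\binstall\b", cmd):
                    if not re.search(r"\s(-\w*y\w*|--yes|--assume-yes)(\s|$)", cmd):
                        out.append((no, "EX002", "apt-get install without -y"))
                    if "--no-install-recommends" not in cmd:
                        out.append((no, "EX003", "missing --no-install-recommends"))
        elif kw == "ADD" and not any(
                re.search(r"^https?://|\.(tar|tgz|gz|bz2|xz)$", s) for s in toks[:-1]):
            out.append((no, "EX004", "ADD of plain local files; use COPY"))
        elif kw == "CMD" and not args.startswith("["):
            out.append((no, "EX005", "CMD uses shell form"))
        elif kw == "USER":
            user = args.split(":")[0]
    if user in ("", "root", "0"):
        out.append((0, "EX006", "final USER is root or unset"))
    return out
```

Calling `lint(SAMPLE)` reports each finding against the line where its instruction starts, so the multi-line RUN is attributed to line 2.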
How to Use the Dockerfile Linter
- Paste your Dockerfile content into the text area.
- The linter automatically analyzes every instruction and displays a categorized list of findings.
- Each result includes a line number, severity level (error, warning, or info), a rule ID, a description, and a fix suggestion.
- Review the summary counts at the top, then address errors first, followed by warnings and informational hints.
Common Use Cases
- Pre-Push Auditing — Audit Dockerfiles before pushing to a container registry to catch issues early.
- CI/CD Best Practices — Enforce Dockerfile best practices in CI/CD pipelines to maintain consistent image quality.
- Learning Docker — Learn Docker best practices with real-time feedback and actionable suggestions on your own Dockerfiles.
- Code Review — Review Dockerfiles during code reviews to catch security issues, optimization opportunities, and deprecated syntax.