LinuxCommandLibrary

hadolint

Lint Dockerfiles for best practices and errors

TLDR

Lint a Dockerfile

$ hadolint [path/to/Dockerfile]

Lint a Dockerfile, displaying the output in JSON format
$ hadolint [[-f|--format]] [json] [path/to/Dockerfile]

Lint a Dockerfile, displaying the output in a specific format
$ hadolint [[-f|--format]] [tty|json|checkstyle|codeclimate|codacy] [path/to/Dockerfile]

Lint a Dockerfile ignoring specific rules
$ hadolint --ignore [DL3006] --ignore [DL3008] [path/to/Dockerfile]

Lint multiple Dockerfiles using specific trusted registries
$ hadolint --trusted-registry [docker.io] --trusted-registry [example.com]:[5000] [path/to/Dockerfile1 path/to/Dockerfile2 ...]

SYNOPSIS

hadolint [OPTION...] [DOCKERFILE|<DIR>]

PARAMETERS

-f, --format
    Output format: tty (default), json, checkstyle, sarif, html, junit, etc.

-i, --ignore
    Ignore rule by ID (e.g., DL3003), repeatable

-w, --warning
    Treat specified rule as warning, repeatable

--fail-on
    Fail on levels: ERROR (default), WARN, INFO, STYLE, HINT, SUCCESS

--strict
    Fail on all warnings (shorthand for --fail-on WARN,STYLE,INFO,HINT)

--no-fail
    Never exit non-zero, even with issues

-r, --requirements
    Path to requirements file for base image rules

--ignore-inline-offenses
    Ignore offenses on lines with # hadolint ignore (default)

--verbose
    Enable verbose output

--max-jobs
    Max parallel jobs (default: 8)

-V, --version
    Print version

-h, --help
    Show help

DESCRIPTION

Hadolint is a Haskell-based static analyzer for Dockerfiles, designed to ensure best practices, security, and efficiency. It scans for common pitfalls like unnecessary layer creation, deprecated instructions, incorrect COPY/ADD usage, unused arguments, and potential security risks such as running as root.

Key benefits include:
Comprehensive rule set: Over 50 rules categorized by severity (error, warning, info, style).
Customizable: Ignore rules, adjust severity, or use inline # hadolint ignore comments.
CI/CD friendly: Multiple formats like JSON, SARIF, JUnit for integration with tools like GitHub Actions or Jenkins.
Fast analysis: Parallel processing with configurable jobs.

Hadolint promotes smaller, more secure images by flagging missed multi-stage build opportunities and package manager cache issues. Run it before the build to catch errors early, saving time and resources. It is well suited to DevOps teams standardizing Dockerfile quality across projects.
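As an added illustration (not hadolint's own code and not part of this page), the following Python sketch shows the kind of checks the description refers to: an untagged base image (DL3006), apt lists left in the layer (DL3009), a final USER of root (DL3002), the `# hadolint ignore=` inline pragma, and a severity threshold in the spirit of --fail-on. The rule IDs, levels and messages are hadolint's; the check logic, the sample Dockerfile and the function names are simplified constructions for this example.

```python
import re
# Toy Dockerfile linter in the style of hadolint (added illustration, not hadolint's own code).
# Rule IDs, severities and messages follow hadolint's; the checks are a simplified rewrite that
# reads one instruction per line (backslash continuations are not joined).
RULES = {"DL3006": ("warning", "Always tag the version of an image explicitly"),
         "DL3002": ("warning", "Last USER should not be root"),
         "DL3009": ("info", "Delete the apt-get lists after installing something")}
LEVELS = ["error", "warning", "info", "style"]  # most to least severe
PRAGMA = re.compile(r"^#\s*hadolint\s+ignore=([\w,]+)")
# Constructed sample: untagged base image, apt lists left behind, pragma-suppressed FROM, root USER.
SAMPLE = """FROM ubuntu
RUN apt-get update && apt-get install -y curl
# hadolint ignore=DL3006
FROM node AS build
USER root
"""

def _finding(line, code):
    return {"line": line, "code": code, "level": RULES[code][0], "message": RULES[code][1]}

def lint(dockerfile):
    """Return hadolint-style findings: a list of {line, code, level, message} dicts."""
    findings, stages, ignored, root_user = [], set(), set(), None
    for no, raw in enumerate(dockerfile.splitlines(), 1):
        line = raw.strip()
        m = PRAGMA.match(line)
        if m:  # an inline pragma suppresses the named rules on the next instruction only
            ignored = set(m.group(1).split(","))
            continue
        if not line or line.startswith("#"):
            continue
        instr, _, args = line.partition(" ")
        instr, code = instr.upper(), None
        if instr == "FROM":
            image, lowered = args.split()[0].lower(), args.lower()
            stages.update(lowered.split(" as ")[1:])  # remember stage aliases for later FROMs
            if image not in stages and image != "scratch" and not re.search("[:@]", image):
                code = "DL3006"  # no tag or digest, and not a previous build stage
        elif instr == "RUN" and "apt-get install" in args and "/var/lib/apt/lists" not in args:
            code = "DL3009"
        elif instr == "USER":  # only the last USER matters for DL3002
            root_user = (no, "DL3002" in ignored) if args.split(":")[0] in ("root", "0") else None
        if code and code not in ignored:
            findings.append(_finding(no, code))
        ignored = set()
    if root_user and not root_user[1]:
        findings.append(_finding(root_user[0], "DL3002"))
    return findings

def should_fail(findings, threshold="warning"):  # mirror a --fail-on style severity threshold
    return any(LEVELS.index(f["level"]) <= LEVELS.index(threshold) for f in findings)
```

Running `lint(SAMPLE)` reports DL3006 on line 1, DL3009 on line 2 and DL3002 on line 5; the pragma on line 3 silences DL3006 for the second FROM.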

CAVEATS

Static analysis only: it never builds or executes the Dockerfile. Running it outside a container requires the static binary or a Haskell toolchain. Inline ignores must match exact rule IDs.

EXAMPLE USAGE

hadolint Dockerfile — Lint single file.
hadolint --format json . — Lint all Dockerfiles recursively.

RULE REFERENCE

Rules are identified by DLxxxx IDs; e.g., DL3006: Always tag latest images, DL3010: Use ADD for remote URLs only.

HISTORY

Created in 2016 by Luka Mario Škansi; open-source (GPLv3) on GitHub with 9k+ stars. Actively maintained, major releases add rules and formats like SARIF support.

SEE ALSO
