hadolint

Lint a Dockerfile

$ hadolint [path/to/Dockerfile]

$ hadolint --format [json] [path/to/Dockerfile]

$ hadolint --format [tty|json|checkstyle|codeclimate|codacy] [path/to/Dockerfile]

$ hadolint --ignore [DL3006] --ignore [DL3008] [path/to/Dockerfile]

$ hadolint --trusted-registry [docker.io] --trusted-registry [example.com]:[5000] [path/to/Dockerfile1 path/to/Dockerfile2 ...]

hadolint [OPTIONS] <FILE | ->
hadolint [OPTIONS] --version
hadolint [OPTIONS] --help

-f, --format <FORMAT>
    Set the output format (tty, json, checkstyle, codeclimate, github_actions).

-s, --strict
    Treat warnings as errors, causing hadolint to exit with an error code.

-c, --config <FILE>
    Path to a custom configuration file for rules and settings.

-i, --ignore <CODE,...>
    Comma-separated list of rules to ignore (e.g., DL3006,SC2039).

--override <RULE=SEVERITY,...>
    Override severity of specific rules (e.g., 'DL3000=error', 'SC2000=info').

--no-fail
    Do not exit with a non-zero exit code on linting failures; always exit with 0.

--disable-security
    Disable all security-related rules (rules starting with DL30xx).

--target-arch <ARCH>
    Specify target architecture for rules that depend on it (e.g., 'amd64', 'arm64').

--disable-warnings
    Disable all warning messages from being displayed.

--error-exit-code <CODE>
    Set the exit code for errors (default: 1).

--failure-threshold <LEVEL>
    Exit with non-zero if any issue of severity <LEVEL> or higher is found (info, warning, error).

--rule-url <URL>
    URL to download custom rules from, allowing for dynamic rule sets.

--color
    Force color output, even if the terminal doesn't support it.

--no-color
    Disable color output in the console.

-v, --version
    Show the version number of hadolint.

--help
    Show the help message and exit.

hadolint is a powerful static analysis tool for Dockerfiles, designed to enforce best practices and identify common issues. Written in Haskell, it parses Dockerfiles and checks them against a comprehensive set of rules derived from Docker's official documentation, community best practices, and security considerations.

By integrating hadolint into development workflows, users can significantly improve the security, efficiency, and maintainability of their container images, catch errors early in the development cycle, and ensure compliance with organizational standards. It's a valuable tool for anyone working with Docker, from individual developers to large CI/CD pipelines, helping to build robust and reliable containerized applications.

hadolint performs static analysis, meaning it checks the Dockerfile's syntax and adherence to rules without executing any commands or building the image. Therefore, it cannot detect runtime issues, errors that occur during the actual container build process, or logical flaws within the application itself.

While comprehensive, its rules are based on common best practices, and specific project requirements might necessitate ignoring certain rules or developing custom ones. It should be used as one part of a comprehensive quality assurance and security strategy, not as a standalone solution for all container image vulnerabilities.

hadolint offers extensive customization options to tailor its behavior to specific project needs. Users can ignore specific rules using the --ignore flag or a configuration file. The severity of existing rules can be overridden, changing them from warnings to errors or vice-versa. Furthermore, entirely new custom rules can be defined and loaded from local files or remote URLs, allowing organizations to enforce their specific compliance and best practice requirements effectively.

Due to its command-line interface and support for various machine-readable output formats (including CheckStyle and Code Climate), hadolint is exceptionally well-suited for integration into Continuous Integration/Continuous Delivery (CI/CD) pipelines. It can be run as a pre-commit hook to catch issues early, or as part of a build step within a CI/CD job. This provides immediate feedback on Dockerfile quality and security, preventing problematic images from being built or deployed and helping to automate adherence to coding standards.

hadolint was created to address the growing need for automated Dockerfile validation in the rapidly expanding DevOps landscape. It emerged as an open-source project written in Haskell, leveraging the language's strong type system and parsing capabilities for robust analysis. Its development has been community-driven, continually expanding its rule set and improving its performance and feature set. Adopted widely by organizations and individual developers, it has become a de-facto standard for linting Dockerfiles, integrating seamlessly into CI/CD pipelines to enforce quality and security standards from the earliest stages of container image development.

docker(1), podman(1), buildah(1), shellcheck(1), checkstyle(1)