Skip to content

replicatedhq/dockerfilelint

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Linter and validator for Dockerfile

Coverage Status Build Status

dockerfilelint is an node module that analyzes a Dockerfile and looks for common traps, mistakes and helps enforce best practices.

Installation

Global installation with npm package manager.

npm install -g dockerfilelint

Testing

Start unit tests with npm test, yarn run test, or docker-compose -f docker-compose.test.yml up

Running

From the command line:

./bin/dockerfilelint <path/to/Dockerfile>

Command Line options

Usage: dockerfilelint [files | content..] [options]

Options:
  -o, --output   Specify the format to use for output of linting results. Valid values
                 are `json` or `cli` (default).                               [string]
  -j, --json     Output linting results as JSON, equivalent to `-o json`.    [boolean]
  -v, --version  Show version number                                         [boolean]
  -h, --help     Show help                                                   [boolean]

Examples:
  dockerfilelint Dockerfile         Lint a Dockerfile in the current working
                                    directory

  dockerfilelint test/example/* -j  Lint all files in the test/example directory and
                                    output results in JSON

  dockerfilelint 'FROM latest'      Lint the contents given as a string on the
                                    command line

  dockerfilelint < Dockerfile       Lint the contents of Dockerfile via stdin

Configuring

You can configure the linter by creating a .dockerfilelintrc with the following syntax:

rules:
  uppercase_commands: off

The keys for the rules can be any file in the /lib/reference.js file. At this time, it's only possible to disable rules. They are all enabled by default.

The following rules are supported:

required_params
uppercase_commands
from_first
invalid_line
sudo_usage
apt-get_missing_param
apt-get_recommends
apt-get-upgrade
apt-get-dist-upgrade
apt-get-update_require_install
apkadd-missing_nocache_or_updaterm
apkadd-missing-virtual
invalid_port
invalid_command
expose_host_port
label_invalid
missing_tag
latest_tag
extra_args
missing_args
add_src_invalid
add_dest_invalid
invalid_workdir
invalid_format
apt-get_missing_rm
deprecated_in_1.13

From a Docker container

(Replace the pwd/Dockerfile with the path to your local Dockerfile)

docker run -v `pwd`/Dockerfile:/Dockerfile replicated/dockerfilelint /Dockerfile

Online

If you don't want to install this locally you can try it out on https://fromlatest.io.

Checks performed

FROM

  • This should be the first command in the Dockerfile
  • Base image should specify a tag
  • Base image should not use latest tag
  • Support FROM scratch without a tag
  • Support the FROM <image>@<digest> syntax
  • Allow config to specify "allowed" base layers

MAINTAINER

  • Should be followed by exactly 1 parameter (@ sign)

RUN

  • sudo is not included in the command
  • apt-get [install | upgrade | remove] should include a -y flag
  • apt-get install commands should include a --no-install-recommends flag
  • apt-get install commands should be paired with a rm -rf /var/lib/apt/lists/* in the same layer
  • Avoid running apt-get upgrade or apt-get dist-upgrade
  • Never run apt-get update without apt-get install on the same line
  • apk add commands should include a --no-cache flag or be paired with an --update flag with rm -rf /var/cache/apk/* in the same layer
  • apk add support for --virtual flag
  • handle best practices for yum operations and cleanup

CMD

  • Only a single CMD layer is allowed
  • Better handling of escaped quotes
  • Detect exec format with expected variable substitution

LABEL

  • Format should be key=value

EXPOSE

  • Only the container port should be listed
  • All ports should be exposed in a single cache layer (line)
  • The same port number should not be exposed multiple times
  • Exposed ports should be numeric and in the accepted range

ENV

  • Format of ENV
  • Best practice of only using a single ENV line to reduce cache layer count

ADD

  • Command should have at least 2 parameters
  • Source command(s) cannot be absolute or relative paths that exist outside of the current build context
  • Commands with wildcards or multiple sources require that destination is a directory, not a file
  • If an ADD command could be a COPY, then COPY is preferred
  • Using ADD to fetch remote files is discouraged because they cannot be removed from the layer

COPY

  • Implement checking (similar to ADD)
  • Do not COPY multiple files on a single command to best use cache

ENTRYPOINT

  • Support

VOLUME

  • Format
  • Any build steps after VOLUME is declare should not change VOLUME contents
  • If JSON format, double quotes are required

USER

  • Should be followed by exactly 1 parameter

WORKDIR

  • Validate that it has exactly 1 parameter
  • WORKDIR can only expand variables previously set in ENV commands

ARG

  • Support
  • Prevent redefining the built in ARGs (proxy)

ONBUILD

  • Support

STOPSIGNAL

  • Validate input
  • Only present one time

HEALTHCHECK

  • No additional parameters when only parameter is NONE
  • Options before CMD are valid
  • Options before CMD have additional arguments

Misc

  • Only valid Dockerfile commands are present
  • All commands should have at least 1 parameter
  • Check that commands are written as upper case commands