A Dockerfile linter that helps you build best practice Docker images (inspired by Haskell Dockerfile Linter). This tool performs docker rule checks based on an abstract syntax tree (AST) of a Dockerfile where the AST is generated using moby/buildkit parser.
- moby/buildkit/frontend/dockerfile/parser: The official Dockerfile parser provided by moby. Used when parsing Dockerfile.
You can run godolint locally to lint your Dockerfile.
$ godolint <Dockerfile>
godolint prints out any violation of the best practices it finds to the standard output, and exit with a non-zero exit status.
Here are examples of the outputs when godolint lints Dockerfiles that have some violations.
$ godolint testdata/DL3000_Dockerfile
#3 DL3000 Use absolute WORKDIR.
$ godolint testdata/DL3001_Dockerfile
#6 DL3001 For some bash commands it makes no sense running them in a Docker container like `ssh`, `vim`, `shutdown`, `service`, `ps`, `free`, `top`, `kill`, `mount`, `ifconfig`.
The available options are:
--ignore RULECODE A rule to ignore. If present, the ignore list in the
config file is ignored
--help -h Print this help message and exit.
--version -v Print the version information
You can ignore specific violation using the --ignore
option by specifying
the rule to ignore. For the list of rules, see Rules.
For example, here is an example to ignore the rule DL3000
:
$ godolint --ignore DL3000 testdata/DL3000_Dockerfile
You can download a binary from the release page and place it in $PATH
directory.
Or you can use go get
:
$ go get github.com/zabio3/godolint
The following is a list of the implemented rules. Dockerfile lint rule provided by hadolint
Rule | Description |
---|---|
DL3000 | Use absolute WORKDIR. |
DL3001 | For some bash commands it makes no sense running them in a Docker container like ssh, vim, shutdown, service, ps, free, top, kill, mount, ifconfig. |
DL3002 | Last user should not be root. |
DL3003 | Use WORKDIR to switch to a directory. |
DL3004 | Do not use sudo as it leads to unpredictable behavior. Use a tool like gosu to enforce root. |
DL3005 | Do not use apt-get upgrade or dist-upgrade. |
DL3007 | Using latest is prone to errors if the image will ever update. Pin the version explicitly to a release tag. |
DL3006 | Always tag the version of an image explicitly. |
DL3008 | Pin versions in apt-get install. |
DL3009 | Delete the apt-get lists after installing something. |
DL3010 | Use ADD for extracting archives into an image. |
DL3011 | Valid UNIX ports range from 0 to 65535. |
DL3012 | Provide an email address or URL as maintainer. (This rule is DEPRECATED and no longer active) |
DL3013 | Pin versions in pip. |
DL3014 | Use the -y switch. |
DL3015 | Avoid additional packages by specifying --no-install-recommends. |
DL3016 | Pin versions in npm . |
DL3017 | Do not use apk upgrade . |
DL3018 | Pin versions in apk add. Instead of apk add <package> use apk add <package>=<version> . |
DL3019 | Use the --no-cache switch to avoid the need to use --update and remove /var/cache/apk/* when done installing packages. |
DL3020 | Use COPY instead of ADD for files and folders. |
DL3021 | COPY with more than 2 arguments requires the last argument to end with / . |
DL3022 | COPY --from should reference a previously defined FROM alias. |
DL3023 | COPY --from cannot reference its own FROM alias. |
DL3024 | FROM aliases (stage names) must be unique. |
DL3025 | Use arguments JSON notation for CMD and ENTRYPOINT arguments. |
DL4000 | MAINTAINER is deprecated. |
DL4001 | Either use Wget or Curl but not both. |
DL4003 | Multiple CMD instructions found. |
DL4004 | Multiple ENTRYPOINT instructions found. |
DL4005 | Use SHELL to change the default shell. |
DL4006 | Set the SHELL option -o pipefail before RUN with a pipe in it. |
Dockerfile syntax is fully described in the Dockerfile reference. For the definitions of the AST, see moby/buildkit.
Contributions are of course always welcome!
- Fork zabio3/godolint (https://github.com/zabio3/godolint/fork)
- Run
go get
to install dependencies - Create a feature branch
- Commit your changes
- Run test using
go test ./...
- Create a Pull Request
See CONTRIBUTING.md
for details.
- Run
make docker
- Create a new tag for that release (in this example
0.1.2
):docker tag zabio3/godolint zabio3/godolint:v0.1.2
- Push to Docker hub:
docker push zabio3/godolint zabio3/godolint:v0.1.2