Linter and validator for Dockerfile
dockerfilelint
is an node module that analyzes a Dockerfile and looks for common traps, mistakes and helps enforce best practices.
Installation
Global installation with npm package manager.
npm install -g dockerfilelint
Testing
Start unit tests with npm test
, yarn run test
, or docker-compose -f docker-compose.test.yml up
Running
From the command line:
./bin/dockerfilelint <path/to/Dockerfile>
Command Line options
Usage: dockerfilelint [files | content..] [options]
Options:
-o, --output Specify the format to use for output of linting results. Valid values
are `json` or `cli` (default). [string]
-j, --json Output linting results as JSON, equivalent to `-o json`. [boolean]
-v, --version Show version number [boolean]
-h, --help Show help [boolean]
Examples:
dockerfilelint Dockerfile Lint a Dockerfile in the current working
directory
dockerfilelint test/example/* -j Lint all files in the test/example directory and
output results in JSON
dockerfilelint 'FROM latest' Lint the contents given as a string on the
command line
dockerfilelint < Dockerfile Lint the contents of Dockerfile via stdin
Configuring
You can configure the linter by creating a .dockerfilelintrc
with the following syntax:
rules:
uppercase_commands: off
The keys for the rules can be any file in the /lib/reference.js file. At this time, it’s only possible to disable rules. They are all enabled by default.
The following rules are supported:
required_params
uppercase_commands
from_first
invalid_line
sudo_usage
apt-get_missing_param
apt-get_recommends
apt-get-upgrade
apt-get-dist-upgrade
apt-get-update_require_install
apkadd-missing_nocache_or_updaterm
apkadd-missing-virtual
invalid_port
invalid_command
expose_host_port
label_invalid
missing_tag
latest_tag
extra_args
missing_args
add_src_invalid
add_dest_invalid
invalid_workdir
invalid_format
apt-get_missing_rm
deprecated_in_1.13
From a Docker container
(Replace the pwd
/Dockerfile with the path to your local Dockerfile)
docker run -v `pwd`/Dockerfile:/Dockerfile replicated/dockerfilelint /Dockerfile
Online
If you don’t want to install this locally you can try it out on https://fromlatest.io.
Checks performed
FROM
- This should be the first command in the Dockerfile
- Base image should specify a tag
- Base image should not use latest tag
- Support
FROM scratch
without a tag - Support the
FROM <image>@<digest>
syntax - Allow config to specify “allowed” base layers
MAINTAINER
- Should be followed by exactly 1 parameter (@ sign)
RUN
- sudo is not included in the command
- apt-get [install | upgrade | remove] should include a -y flag
- apt-get install commands should include a
--no-install-recommends
flag - apt-get install commands should be paired with a
rm -rf /var/lib/apt/lists/*
in the same layer - Avoid running
apt-get upgrade
orapt-get dist-upgrade
- Never run
apt-get update
withoutapt-get install
on the same line - apk add commands should include a
--no-cache
flag or be paired with an--update
flag withrm -rf /var/cache/apk/*
in the same layer - apk add support for –virtual flag
- handle best practices for yum operations and cleanup
CMD
- Only a single
CMD
layer is allowed - Better handling of escaped quotes
- Detect exec format with expected variable substitution
LABEL
- Format should be key=value
EXPOSE
- Only the container port should be listed
- All ports should be exposed in a single cache layer (line)
- The same port number should not be exposed multiple times
- Exposed ports should be numeric and in the accepted range
ENV
- Format of
ENV
- Best practice of only using a single
ENV
line to reduce cache layer count
ADD
- Command should have at least 2 parameters
- Source command(s) cannot be absolute or relative paths that exist outside of the current build context
- Commands with wildcards or multiple sources require that destination is a directory, not a file
- If an
ADD
command could be aCOPY
, thenCOPY
is preferred - Using
ADD
to fetch remote files is discouraged because they cannot be removed from the layer
COPY
- Implement checking (similar to ADD)
- Do not
COPY
multiple files on a single command to best use cache
ENTRYPOINT
- Support
VOLUME
- Format
- Any build steps after VOLUME is declare should not change VOLUME contents
- If JSON format, double quotes are required
USER
- Should be followed by exactly 1 parameter
WORKDIR
- Validate that it has exactly 1 parameter
-
WORKDIR
can only expand variables previously set inENV
commands
ARG
- Support
- Prevent redefining the built in ARGs (proxy)
ONBUILD
- Support
STOPSIGNAL
- Validate input
- Only present one time
HEALTHCHECK
- No additional parameters when only parameter is
NONE
- Options before
CMD
are valid - Options before
CMD
have additional arguments
Misc
- Only valid Dockerfile commands are present
- All commands should have at least 1 parameter
- Check that commands are written as upper case commands
Описание
An opinionated Dockerfile linter.