A Dockerfile linter that helps you build best practice Docker images (inspired by Haskell Dockerfile Linter). This tool performs docker rule checks based on an abstract syntax tree (AST) of a Dockerfile where the AST is generated using moby/buildkit parser.
- moby/buildkit/frontend/dockerfile/parser: The official Dockerfile parser provided by moby. Used when parsing Dockerfile.
You can run godolint locally to lint your Dockerfile.
$ godolint <Dockerfile>
godolint prints any violations of the best practices it finds to standard output and exits with a non-zero exit status.
Here are examples of the outputs when godolint lints Dockerfiles that have some violations.
$ godolint testdata/DL3000_Dockerfile
#3 DL3000 Use absolute WORKDIR.
$ godolint testdata/DL3001_Dockerfile
#6 DL3001 For some bash commands it makes no sense running them in a Docker container like `ssh`, `vim`, `shutdown`, `service`, `ps`, `free`, `top`, `kill`, `mount`, `ifconfig`.
The available options are:
--ignore RULECODE                              A rule to ignore. If present, the ignore list in the config file is ignored
--trusted-registry REGISTRY (e.g. docker.io)   A docker registry to allow to appear in FROM instructions
--help -h                                      Print this help message and exit.
--version -v                                   Print the version information
You can ignore a specific violation by passing the rule to ignore to the --ignore option. For the list of rules, see Rules.
For example, to ignore the rule DL3000:
$ godolint --ignore DL3000 testdata/DL3000_Dockerfile
You can download a binary from the release page and place it in $PATH directory.
Or you can use go get:
$ go get github.com/zabio3/godolint
The following is a list of the implemented rules. They are the Dockerfile lint rules provided by hadolint.
Rule | Description |
---|---|
DL3000 | Use absolute WORKDIR. |
DL3001 | For some bash commands it makes no sense running them in a Docker container like ssh, vim, shutdown, service, ps, free, top, kill, mount, ifconfig. |
DL3002 | Last user should not be root. |
DL3003 | Use WORKDIR to switch to a directory. |
DL3004 | Do not use sudo as it leads to unpredictable behavior. Use a tool like gosu to enforce root. |
DL3005 | Do not use apt-get upgrade or dist-upgrade. |
DL3006 | Always tag the version of an image explicitly. |
DL3007 | Using latest is prone to errors if the image will ever update. Pin the version explicitly to a release tag. |
DL3008 | Pin versions in apt-get install. |
DL3009 | Delete the apt-get lists after installing something. |
DL3010 | Use ADD for extracting archives into an image. |
DL3011 | Valid UNIX ports range from 0 to 65535. |
DL3012 | Provide an email address or URL as maintainer. (This rule is DEPRECATED and no longer active) |
DL3013 | Pin versions in pip. |
DL3014 | Use the -y switch. |
DL3015 | Avoid additional packages by specifying --no-install-recommends. |
DL3016 | Pin versions in npm. |
DL3018 | Pin versions in apk add. Instead of apk add <package> use apk add <package>=<version>. |
DL3019 | Use the --no-cache switch to avoid the need to use --update and remove /var/cache/apk/* when done installing packages. |
DL3020 | Use COPY instead of ADD for files and folders. |
DL3021 | COPY with more than 2 arguments requires the last argument to end with /. |
DL3022 | COPY --from should reference a previously defined FROM alias. |
DL3023 | COPY --from cannot reference its own FROM alias. |
DL3024 | FROM aliases (stage names) must be unique. |
DL3025 | Use arguments JSON notation for CMD and ENTRYPOINT arguments. |
DL3026 | Use only an allowed registry in the FROM image. |
DL3027 | Do not use apt; use apt-get or apt-cache instead. |
DL4000 | MAINTAINER is deprecated. |
DL4001 | Either use Wget or Curl but not both. |
DL4003 | Multiple CMD instructions found. |
DL4004 | Multiple ENTRYPOINT instructions found. |
DL4005 | Use SHELL to change the default shell. |
DL4006 | Set the SHELL option -o pipefail before RUN with a pipe in it. |
Dockerfile syntax is fully described in the Dockerfile reference. For the definitions of the AST, see moby/buildkit.
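How a rule check of this kind works, as an added sketch that is not godolint's own code: three of the rules listed above (DL3000, DL3002, DL3007) applied to a constructed Dockerfile. It assumes a simple line split instead of the moby/buildkit AST, and the `Lint` function and `sample` constant are hypothetical names.

```go
package main

import (
	"fmt"
	"strings"
)

// sample is a constructed Dockerfile, not one of the project's testdata files.
const sample = "FROM debian:latest\nWORKDIR app\nUSER app\nRUN make\nUSER root\n"

// Lint applies simplified DL3000, DL3002 and DL3007 checks and returns "#<line> <code>".
// Assumptions: one instruction per line (no continuations or heredocs),
// no FROM flags, and DL3002 is evaluated on the final stage only.
func Lint(dockerfile string) []string {
	var out []string
	report := func(line int, code string) { out = append(out, fmt.Sprintf("#%d %s", line, code)) }
	userLine, userIsRoot := 0, false
	for i, raw := range strings.Split(dockerfile, "\n") {
		f := strings.Fields(raw)
		if len(f) < 2 {
			continue
		}
		switch strings.ToUpper(f[0]) {
		case "WORKDIR": // DL3000: relative path; variables are let through
			p := strings.Trim(f[1], `"'`)
			if !strings.HasPrefix(p, "/") && !strings.HasPrefix(p, "$") {
				report(i+1, "DL3000")
			}
		case "FROM": // DL3007: explicit :latest tag; a new stage resets USER
			if strings.HasSuffix(f[1], ":latest") {
				report(i+1, "DL3007")
			}
			userLine, userIsRoot = 0, false
		case "USER": // remember only the most recent USER (name or UID, group dropped)
			u := strings.SplitN(f[1], ":", 2)[0]
			userLine, userIsRoot = i+1, u == "root" || u == "0"
		}
	}
	if userIsRoot { // DL3002: the last USER is root
		report(userLine, "DL3002")
	}
	return out
}

func main() {
	fmt.Println(strings.Join(Lint(sample), "\n"))
}
```

DL3002 can only be decided after the whole file has been read, which is why the check tracks state across instructions instead of judging each USER line on its own.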
Contributions are of course always welcome!
- Fork zabio3/godolint (https://github.com/zabio3/godolint/fork)
- Run go get to install dependencies
- Create a feature branch
- Commit your changes
- Run test using go test ./...
- Create a Pull Request
See CONTRIBUTING.md for details.
- Run make docker
- Create a new tag for that release (in this example 0.1.2): docker tag zabio3/godolint zabio3/godolint:v0.1.2
- Push to Docker hub: docker push zabio3/godolint && docker push zabio3/godolint:v0.1.2