
Hadolint: Step-by-Step Guide to Linting Dockerfiles
What is Hadolint?
Hadolint is an open-source command-line linter for Dockerfiles. It parses the file, checks every instruction against a set of best-practice rules (and runs ShellCheck over the shell in RUN lines), and reports syntax problems, fragile or insecure patterns such as unpinned `latest` base images, unpinned packages or use of `sudo`, and inefficiencies such as bloated layers. It does not scan image contents for vulnerable packages; pair it with an image scanner for that.
How Hadolint Works
- Reads and parses the Dockerfile.
- Converts it into an Abstract Syntax Tree (AST).
- Checks each instruction against predefined rules.
- Reports issues categorized as Info, Style, Warning, or Error.
Installing Hadolint
Install on Linux
wget -O hadolint https://github.com/hadolint/hadolint/releases/download/v2.12.0/hadolint-Linux-x86_64
sudo mv hadolint /usr/local/bin/hadolint
sudo chmod +x /usr/local/bin/hadolint
Pin the release version as shown rather than downloading a moving "latest" link, and verify the downloaded binary's SHA-256 against the checksum published for that release before putting it in your PATH.
Install on Mac
brew install hadolint
Install on Windows
scoop install hadolint
Verify Installation
hadolint --version
Linting Dockerfiles Using Hadolint
Run Hadolint against your Dockerfile:
hadolint Dockerfile
Example Dockerfile (Unoptimized)
FROM ubuntu:latest
RUN apt-get update
RUN apt-get install -y curl
Running Hadolint on the Unoptimized Dockerfile
hadolint Dockerfile
Hadolint prints one line per finding, in the form file:line code level: message, and exits non-zero when anything is found.
- For this Dockerfile it flags the unpinned `latest` tag (DL3007), the unpinned apt package (DL3008), the missing `--no-install-recommends` (DL3015), the apt lists left behind in the layer (DL3009) and the two consecutive RUN layers (DL3059). Each finding is a concrete change that makes the image smaller and the build more reproducible.
- Every rule has a code and a documented rationale and fix; the complete list is in the Hadolint Rules wiki.
Each finding carries one of four severity levels:
- 🔹 Info: general suggestions, such as consolidating layers or dropping recommended packages. Worth fixing, but not critical.
- 🎨 Style: formatting and structural conventions that affect readability rather than behaviour.
- ⚠️ Warning: issues likely to cause fragile or non-reproducible builds, including unpinned images and packages, and some lesser security concerns.
- ❌ Error: serious violations of best practice, some of them security-relevant (for example DL3004, use of `sudo` in a RUN instruction). Fix these first.
- The exit code is non-zero whenever at least one finding is at or above the failure threshold (info by default, so any finding fails the run); that is what makes Hadolint usable as a CI gate.
Optimized Dockerfile
FROM ubuntu:20.04
SHELL ["/bin/bash", "-o", "pipefail", "-c"]
# 8.4.0 is a placeholder: pin to a version that apt-cache policy curl reports for this base image
RUN apt-get update && \
    apt-get install -y curl=8.4.0 --no-install-recommends && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/*
- After applying Hadolint's recommendations (a pinned base tag, a single RUN layer with a pinned package, `--no-install-recommends`, the apt lists removed, and SHELL with `pipefail` so that piped commands fail early), a new scan reports nothing and exits 0.
- Two caveats on the pin: the version string must be one apt actually offers for the base image (Ubuntu 20.04 ships curl 7.68.0, not 8.4.0, so this exact line would fail at build time; check with `apt-cache policy curl` inside the base image), and distributions routinely drop superseded versions from their mirrors, so a strict pin can break a build later. Teams that find this too brittle often pin the base image by digest instead and ignore DL3008 with a recorded reason.
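The parse, instruction list, rules, findings pipeline from "How Hadolint Works", reduced to a few dozen lines so that each step is visible. This is an added illustration, not Hadolint's own code: Hadolint is written in Haskell, uses a full Dockerfile parser plus ShellCheck and ships many more rules. The example lints the two Dockerfiles from this post, applies five of the real rules by their published ids, levels and messages (DL3007, DL3059, DL3015, DL3008, DL3009), renders findings in Hadolint's file:line code level: message shape and derives the exit code from a failure threshold. The class and function names are this example's own, and the rule logic is deliberately simplified (shell-form RUN and the apt-get cases shown above only).

```python
"""Toy re-implementation of five Hadolint checks (illustration only; not
Hadolint's code). Rule ids, levels and messages follow the Hadolint rule
list; everything else here is this example's own."""
from __future__ import annotations
from dataclasses import dataclass
import re
import shlex

LEVELS = {"error": 3, "warning": 2, "info": 1, "style": 0}  # Hadolint's severities

# Constructed inputs: the two Dockerfiles from the text above.
UNOPTIMIZED = """\
FROM ubuntu:latest
RUN apt-get update
RUN apt-get install -y curl
"""

OPTIMIZED = """\
FROM ubuntu:20.04
SHELL ["/bin/bash", "-o", "pipefail", "-c"]
RUN apt-get update && \\
    apt-get install -y curl=8.4.0 --no-install-recommends && \\
    apt-get clean && \\
    rm -rf /var/lib/apt/lists/*
"""

@dataclass
class Instruction:
    line: int      # line on which the instruction starts
    keyword: str   # FROM, RUN, SHELL, ...
    args: str      # everything after the keyword, continuations joined

@dataclass
class Finding:
    line: int
    code: str
    level: str
    message: str

def parse(text: str) -> list[Instruction]:
    """Steps 1-2: turn the file into a flat list of instructions, joining
    backslash continuations and skipping comments and blank lines."""
    out, buf, start = [], "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not buf:
            if not line or line.startswith("#"):
                continue
            start = n
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        keyword, _, args = buf.partition(" ")
        out.append(Instruction(start, keyword.upper(), args.strip()))
        buf = ""
    return out

def shell_commands(args: str) -> list[list[str]]:
    """Split a shell-form RUN into its &&/||/; separated commands, tokenised."""
    if args.startswith("["):  # exec form runs no shell; nothing to inspect here
        return []
    return [shlex.split(c) for c in re.split(r"&&|\|\||;", args) if c.strip()]

# Step 3: one function per rule. Each yields Findings for one instruction;
# `prev` is the preceding instruction (None for the first), which DL3059 needs.
def dl3007(ins, prev):
    image = next((t for t in ins.args.split() if not t.startswith("--")), "")
    if ins.keyword == "FROM" and image.endswith(":latest"):
        yield Finding(ins.line, "DL3007", "warning",
                      "Using latest is prone to errors if the image will ever update. "
                      "Pin the version explicitly to a release tag")

def dl3059(ins, prev):
    if ins.keyword == "RUN" and prev is not None and prev.keyword == "RUN":
        yield Finding(ins.line, "DL3059", "info",
                      "Multiple consecutive `RUN` instructions. Consider consolidation.")

def apt_rules(ins, prev):
    """DL3015, DL3008 and DL3009 all look at apt-get install inside one RUN."""
    if ins.keyword != "RUN":
        return
    cmds = shell_commands(ins.args)
    installs = [c for c in cmds if c[:2] == ["apt-get", "install"]]
    if not installs:
        return
    for words in installs:
        if "--no-install-recommends" not in words:
            yield Finding(ins.line, "DL3015", "info",
                          "Avoid additional packages by specifying `--no-install-recommends`")
        if any("=" not in w for w in words[2:] if not w.startswith("-")):
            yield Finding(ins.line, "DL3008", "warning",
                          "Pin versions in apt get install. Instead of `apt-get install <package>` "
                          "use `apt-get install <package>=<version>`")
    if not any(c[:2] == ["rm", "-rf"] and any(a.startswith("/var/lib/apt/lists") for a in c)
               for c in cmds):
        yield Finding(ins.line, "DL3009", "info",
                      "Delete the apt-get lists after installing something")

RULES = [dl3007, dl3059, apt_rules]

def lint(text: str) -> list[Finding]:
    """Step 4: run every rule over every instruction, in file order."""
    findings, prev = [], None
    for ins in parse(text):
        for rule in RULES:
            findings.extend(rule(ins, prev))
        prev = ins
    return findings

def render(findings, filename="Dockerfile") -> list[str]:
    """Same shape as Hadolint's default output: <file>:<line> <code> <level>: <message>."""
    return [f"{filename}:{f.line} {f.code} {f.level}: {f.message}" for f in findings]

def exit_code(findings, failure_threshold="info") -> int:
    """Non-zero if any finding is at or above the threshold (Hadolint's default is info)."""
    return 1 if any(LEVELS[f.level] >= LEVELS[failure_threshold] for f in findings) else 0

if __name__ == "__main__":
    for name, text in (("unoptimized", UNOPTIMIZED), ("optimized", OPTIMIZED)):
        found = lint(text)
        print(f"--- {name}: exit {exit_code(found)}")
        print("\n".join(render(found)))
```

Running it reports five findings on the unoptimized file (lines 1 and 3) and exit code 1, and nothing with exit code 0 on the optimized one; passing `failure_threshold="error"` makes the first file pass too, which is the same knob the real tool exposes as `--failure-threshold`.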
Ignoring Rules in Hadolint
If you want to ignore a specific rule everywhere (e.g., DL3008):
hadolint --ignore DL3008 Dockerfile
To suppress a rule for a single instruction instead, put a comment directly above it, e.g. `# hadolint ignore=DL3008` before the RUN line. Prefer that over a global ignore, and record the reason in the comment so reviewers can see why the exception exists.
Using hadolint.yaml Configuration
Create a .hadolint.yaml file to customize linting rules. Hadolint picks it up automatically from the directory you run it in; the --config flag is only needed when the file lives elsewhere.
failure-threshold: warning
ignored:
- DL3007
override:
warning:
- DL3015
trustedRegistries:
- docker.io
- "*.gcr.io"
- "*.ecr.amazonaws.com"
In this example: failure-threshold makes only warning- and error-level findings fail the run (the default is info, which fails on everything); ignored silences DL3007 everywhere; override raises DL3015 from info to warning, so with this threshold a missing --no-install-recommends now fails the build; and trustedRegistries makes Hadolint report a FROM image pulled from any registry not on the list (DL3026), which is the supply-chain control most teams want from this file.
Run Hadolint with an explicitly chosen configuration file:
hadolint --config .hadolint.yaml Dockerfile
Integrating Hadolint in CI/CD Pipelines
Add Hadolint as a linting step in your CI/CD pipeline:
hadolint Dockerfile || exit 1
Hadolint already exits non-zero on any finding at or above the failure threshold, so in a shell run with set -e the bare command fails the job; `|| exit 1` just makes that explicit. Pin the Hadolint version in CI so results are reproducible, and set the threshold deliberately, since the default (info) fails on every finding.
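A CI gate around the real hadolint binary, added here as an example (not part of Hadolint or of the original post). It discovers every Dockerfile under a directory, runs `hadolint -f json` over all of them in one invocation, drops findings covered by a per-file exception list that records why each rule is accepted, and fails the job if anything at or above the threshold remains. It also refuses to pass when the linter itself cannot run, which a plain `|| exit 1` wrapper around a missing binary would not catch. The JSON field names (file, line, column, level, code, message) are those of Hadolint's JSON formatter; the exception-list format, the sample findings and all function names are this example's own.

```python
"""CI gate for hadolint JSON output (added example, not Hadolint's code)."""
import json
import subprocess
import sys
from pathlib import Path

LEVELS = {"error": 3, "warning": 2, "info": 1, "style": 0}

# Per-file, per-rule exceptions with a reason, so reviewers can see why a
# finding was accepted instead of silently ignored (constructed example).
EXCEPTIONS = {
    ("Dockerfile", "DL3008"): "base image pinned by digest; apt mirror drops old versions",
}

# Constructed sample in the shape `hadolint -f json` emits (not real tool output).
SAMPLE_FINDINGS = [
    {"file": "Dockerfile", "line": 1, "column": 1, "level": "warning", "code": "DL3007",
     "message": "Using latest is prone to errors if the image will ever update."},
    {"file": "Dockerfile", "line": 3, "column": 1, "level": "warning", "code": "DL3008",
     "message": "Pin versions in apt get install."},
    {"file": "Dockerfile", "line": 3, "column": 1, "level": "info", "code": "DL3015",
     "message": "Avoid additional packages by specifying `--no-install-recommends`"},
    {"file": "api/Dockerfile", "line": 3, "column": 1, "level": "warning", "code": "DL3008",
     "message": "Pin versions in apt get install."},
]

def find_dockerfiles(root: Path) -> list[Path]:
    """Dockerfile, Dockerfile.* and *.Dockerfile anywhere under root."""
    found = set(root.rglob("Dockerfile*")) | set(root.rglob("*.Dockerfile"))
    return sorted(p for p in found if p.is_file())

def run_hadolint(paths, hadolint="hadolint") -> list[dict]:
    """Invoke hadolint once with JSON output. It exits non-zero whenever it has
    findings, so check=True would be wrong; parse stdout regardless of status."""
    if not paths:
        return []
    proc = subprocess.run([hadolint, "-f", "json", *map(str, paths)],
                          capture_output=True, text=True)
    if not proc.stdout.strip():
        if proc.returncode != 0:
            raise RuntimeError(proc.stderr.strip() or f"hadolint exited {proc.returncode}")
        return []
    try:
        return json.loads(proc.stdout)
    except json.JSONDecodeError as exc:
        raise RuntimeError(f"unparseable hadolint output: {exc}") from exc

def evaluate(findings, threshold="warning", exceptions=EXCEPTIONS):
    """Split findings into (blocking, accepted, informational). Unknown levels
    are treated as errors rather than silently passing."""
    blocking, accepted, info = [], [], []
    for f in findings:
        key = (f["file"], f["code"])
        if key in exceptions:
            accepted.append({**f, "reason": exceptions[key]})
        elif LEVELS.get(f["level"], 3) >= LEVELS[threshold]:
            blocking.append(f)
        else:
            info.append(f)
    return blocking, accepted, info

def fmt(f) -> str:
    return f'{f["file"]}:{f["line"]} {f["code"]} {f["level"]}: {f["message"]}'

def main(root=".") -> int:
    try:
        findings = run_hadolint(find_dockerfiles(Path(root)))
    except (FileNotFoundError, RuntimeError) as exc:
        print(f"hadolint failed: {exc}", file=sys.stderr)
        return 2  # a linter that cannot run must never count as a pass
    blocking, accepted, info = evaluate(findings)
    for f in accepted:
        print(f"accepted  {fmt(f)}  ({f['reason']})")
    for f in info:
        print(f"note      {fmt(f)}")
    for f in blocking:
        print(f"BLOCKING  {fmt(f)}")
    return 1 if blocking else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else "."))
```

Run it from the repository root in the CI job with a pinned hadolint version on PATH. On the constructed sample the DL3008 finding in the top-level Dockerfile is accepted with its reason, the same rule in api/Dockerfile still blocks because the exception is per file, and DL3015 is reported but does not block at the warning threshold.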
Running Hadolint with Docker
If you don't want to install Hadolint, you can run it using Docker; the image reads the Dockerfile from standard input:
docker run --rm -i hadolint/hadolint < Dockerfile
Pin the image tag (for example hadolint/hadolint:v2.12.0) for the same reason DL3007 warns about latest. To pass flags, name the binary after the image and use - for standard input, e.g. docker run --rm -i hadolint/hadolint hadolint --failure-threshold warning - < Dockerfile
Hadolint Online Version
You can also paste a Dockerfile into Hadolint's online version and lint it directly from your browser:
Benefits of Using Hadolint
- Improves Dockerfile quality by catching errors and fragile constructs before an image is built.
- Improves security by flagging risky patterns such as unpinned base images and packages, untrusted registries and use of sudo; it complements, but does not replace, an image vulnerability scanner.
- Produces smaller, more cacheable images by pointing out redundant layers and leftover package caches.
- Ensures consistency across projects when the same configuration is shared.
Tips for Using Hadolint
- Fix error-level findings first; they are the ones most likely to affect security or break the build.
- Keep all rules enabled (the default) and ignore individual rules only with a documented reason.
- Customize Hadolint using .hadolint.yaml as needed, and commit the file so local runs and CI agree.
- Integrate Hadolint in CI/CD, with a pinned version, to enforce best practices automatically.
Conclusion
Linting Dockerfiles is crucial for security, efficiency, and consistency. Hadolint is a powerful tool that helps enforce best practices. Use it in your local development and CI/CD pipelines to ensure high-quality container images.
Thanks for reading…
Guneycan Sanli.