What is a Dockerfile Linter?
A Dockerfile linter analyzes your Dockerfile for best practices, security vulnerabilities, and common mistakes before you build. Issues like running as root, using the "latest" tag, not cleaning apt caches, or embedding secrets can cause security risks, bloated images, and non-reproducible builds.
How to Use
- Paste your Dockerfile content into the editor.
- Click "Lint" to run all checks.
- Review errors (must fix) and warnings (should fix).
- Apply the suggested fixes shown below each issue.
- Re-lint until only informational notices remain.
Tips & Best Practices
- Combine apt-get update && apt-get install -y in a single RUN instruction so the package index and the install are never cached separately (stale cache)
- Use multi-stage builds to keep final images small: build in one stage, copy artifacts to a slim runtime stage
- Pin base image versions with a digest for maximum reproducibility: FROM node:20@sha256:...
- Order COPY instructions from least-changing to most-changing to maximize layer cache hits
- Use .dockerignore to prevent accidentally copying secrets or node_modules into the image
Frequently Asked Questions
What is DL3007 and why is "latest" bad?
DL3007 is the Hadolint rule for unpinned base image tags. The "latest" tag points to a different image every time it is updated upstream. This means your Docker build could produce different results on different days — a Monday build might have Node 20.0 and a Tuesday build might have Node 20.1, introducing untested changes. Pin to a specific version (FROM node:20.11.0-slim) for reproducibility.
What is the CIS001 (no USER instruction) risk?
Docker containers run as root by default (UID 0). If an attacker exploits a vulnerability in your application, they would have root-level access inside the container. Combined with a container escape vulnerability, this can mean root on the host. Create a non-root user with RUN useradd -r appuser, then switch to it with USER appuser before your CMD/ENTRYPOINT.
Should I use ADD or COPY for local files?
Always use COPY for local files. ADD has additional behaviors: it auto-extracts tar archives and can fetch files from URLs. These "magic" behaviors make builds harder to reason about and audit. Reserve ADD only for the intentional use case of extracting a local tar archive directly into the image.
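The checks discussed in the tips and FAQ above can be expressed in a few dozen lines. The following is an added example, not the code of this tool or of Hadolint: a small Python linter that parses a Dockerfile (joining backslash continuations) and reports the unpinned base image (DL3007), the missing non-root USER (CIS001), ADD used for plain files (Hadolint's DL3020), and apt-get install without an update or cleanup in the same RUN (a locally invented id APT001 for the stale-index case, Hadolint's DL3009 for the uncleaned lists). The two Dockerfiles embedded at the bottom are constructed samples: one trips every check, the other is the hardened multi-stage version.

```python
"""Minimal Dockerfile linter implementing a few of the checks this page describes (added example)."""
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

ARCHIVE_RE = re.compile(r"\.(tar|tgz|tar\.\w+)$")  # the one legitimate ADD use: a local tar archive


@dataclass(frozen=True)
class Finding:
    rule: str
    level: str   # "error" = must fix, "warning" = should fix
    line: int    # 1-based line of the offending instruction; 0 = whole file
    message: str


def parse_instructions(text: str) -> Iterator[Tuple[int, str, str]]:
    """Yield (line_no, INSTRUCTION, args); joins backslash continuations,
    skips comments and blank lines, upper-cases the instruction keyword."""
    buf: List[str] = []
    start = 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("#") or (not line and not buf):
            continue
        if not buf:
            start = no
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line)
        parts = " ".join(buf).split(None, 1)
        buf = []
        yield start, parts[0].upper(), parts[1] if len(parts) > 1 else ""


def _image_tag(image: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (tag, digest). Only the last path component is inspected, so a
    registry port (host:5000/app) is not mistaken for a tag."""
    name = image.split("/")[-1]
    digest = None
    if "@" in name:
        name, digest = name.split("@", 1)
    tag = name.split(":", 1)[1] if ":" in name else None
    return tag, digest


def lint_dockerfile(text: str) -> List[Finding]:
    findings: List[Finding] = []
    non_root = False  # tracks the *last* USER of the *final* stage
    for no, instr, args in parse_instructions(text):
        if instr == "FROM":
            non_root = False  # every stage starts as root again
            image = args.split()[0]  # drop any "AS <stage>"
            if image == "scratch" or image.startswith("$"):
                continue  # empty base, or an ARG-driven reference we cannot judge statically
            tag, digest = _image_tag(image)
            if digest is None and (tag is None or tag == "latest"):
                findings.append(Finding("DL3007", "warning", no,
                    f"base image {image!r} is unpinned; use an explicit tag or @sha256 digest"))
        elif instr == "USER":
            non_root = args.split()[0].split(":")[0] not in ("root", "0")
        elif instr == "ADD":
            if not ARCHIVE_RE.search(args.split()[0]):
                findings.append(Finding("DL3020", "warning", no,
                    "use COPY; reserve ADD for extracting a local tar archive"))
        elif instr == "RUN" and "apt-get install" in args:
            if "apt-get update" not in args:  # APT001 is a local id, not a Hadolint rule
                findings.append(Finding("APT001", "warning", no,
                    "apt-get install without apt-get update in the same RUN uses a stale index"))
            if "rm -rf /var/lib/apt/lists" not in args:
                findings.append(Finding("DL3009", "warning", no,
                    "remove /var/lib/apt/lists/* in the same RUN to keep the layer small"))
    if not non_root:
        findings.append(Finding("CIS001", "error", 0,
            "no non-root USER in the final stage; the container runs as root (UID 0)"))
    return findings


# Constructed sample: trips every check above.
BAD_DOCKERFILE = """\
FROM node:latest
ADD ./src /app
RUN apt-get install -y curl
CMD ["node", "/app/server.js"]
"""

# Constructed sample: the same service, hardened with a multi-stage build.
GOOD_DOCKERFILE = r"""
FROM node:20.11.0-slim AS build
WORKDIR /app
COPY package.json package-lock.json ./
RUN npm ci
COPY . .
RUN npm run build

FROM node:20.11.0-slim
RUN apt-get update && apt-get install -y --no-install-recommends curl \
    && rm -rf /var/lib/apt/lists/* \
    && useradd -r appuser
COPY --from=build /app/dist /app
USER appuser
CMD ["node", "/app/server.js"]
"""

if __name__ == "__main__":
    for f in lint_dockerfile(BAD_DOCKERFILE):
        print(f"line {f.line} [{f.level}] {f.rule}: {f.message}")
    print("hardened file:", lint_dockerfile(GOOD_DOCKERFILE) or "no issues")
```

Two details matter in practice: the USER state is reset at every FROM, because a non-root USER in the build stage says nothing about the final stage, and the last USER wins, so a trailing USER root still produces CIS001.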