Dockerfile Linting and Security
Intermediate · 10 min
Lint Dockerfiles for best practice violations and security issues using Hadolint to catch problems before building.
Prerequisites
- Docker installed
Steps
1
Lint a Dockerfile with Hadolint
Run Hadolint to check for Dockerfile best practice violations.
$ docker run --rm -i hadolint/hadolint < Dockerfile
Hadolint parses the Dockerfile, validates each instruction against its DL rules, and runs the shell inside RUN instructions through ShellCheck (reported as SC rules). It exits non-zero when it finds issues, so the same command doubles as a CI gate.
2
Lint with specific rules ignored
Suppress specific rules that do not apply to your use case.
$ docker run --rm -i hadolint/hadolint hadolint --ignore DL3008 --ignore DL3009 - < Dockerfile
DL3008 warns when apt-get install does not pin package versions; DL3009 warns when the apt lists are not deleted after apt-get install. Only silence rules you have consciously accepted, and prefer a suppression that travels with the Dockerfile over one on the command line, which the next person running the linter will not see: an inline `# hadolint ignore=DL3008` comment on the offending instruction, or an `ignored:` list in a committed `.hadolint.yaml`.
3
Check for USER instruction
Verify the Dockerfile does not run as root in production.
$ grep -nE '^[[:space:]]*USER[[:space:]]' Dockerfile || echo 'WARNING: No USER instruction found. Container will run as root.'
Without user namespaces, root inside the container is root on the host, so a runtime or kernel escape hands the attacker host root, and root can rewrite anything bind-mounted into the container. Add a USER instruction with a non-root account or numeric UID in the final stage of every production image. Keep in mind what this grep cannot tell you: the last USER instruction wins, so a trailing `USER root` undoes an earlier one; a USER in an earlier build stage does not carry into the final stage; and `USER 0` is still root.
4
Verify no secrets in build args
Check that no sensitive values were passed as build arguments or baked in with ENV. A RUN step that uses a build arg records the arg's value in that layer's history entry (shown as `|1 NAME=value` in front of the command), and ENV values are stored in the image config, so both are visible to anyone who can pull the image.
$ docker history myapp:latest --no-trunc | grep -iE 'password|secret|key|token' || echo 'No obvious secrets found'
Do not pre-filter the history on ARG or ENV entries: build-arg values show up in the RUN entries that consume them, not in the ARG entry itself. The keyword match is a heuristic (it flags harmless words such as `keyring` and misses unusual names), so read a clean result as "no obvious leak", not as proof. The real fix is to keep secrets out of ARG and ENV entirely: use BuildKit's `RUN --mount=type=secret` for build-time credentials and inject runtime secrets through the orchestrator or a secrets manager.
Full Script
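The script below is an added example, not Hadolint's code or the page's own script: it turns the four steps into a pre-build gate that runs offline with sh, awk and grep, and calls hadolint only if it is installed. The USER check models the rules the grep above cannot (last USER wins, FROM starts a new stage, no USER means root), the secrets check looks at ARG and ENV in the Dockerfile itself so it fires before an image exists, and the three Dockerfiles it writes to a temp directory are constructed samples (the secret id `pypi_token` and the image names are hypothetical).

```shell
#!/bin/sh
# Added example (not hadolint's or the page's own code). The Dockerfiles written
# below are constructed samples; everything except the optional hadolint call
# runs offline with sh, awk and grep.

# Print the user the final image runs as. Rules modelled:
#   - the LAST USER instruction wins;
#   - FROM starts a new stage, so a USER from an earlier build stage does not
#     carry over into the final stage;
#   - no USER in the final stage is reported as root (the base image might set
#     its own default user, but a static check cannot see that, so assume root).
effective_user() {
    awk '
        toupper($1) == "FROM" { user = "" }
        toupper($1) == "USER" { user = $2 }
        END { print (user == "" ? "root" : user) }
    ' "$1"
}

# Exit 0 when the effective user is root by name or by UID 0, with or without
# a ":group" suffix.
runs_as_root() {
    u=$(effective_user "$1")
    u=${u%%:*}
    [ "$u" = "root" ] || [ "$u" = "0" ]
}

# List ARG and ENV instructions whose variable name looks like a credential.
# ARG values used by RUN steps and all ENV values end up in `docker history`,
# so catch them in the Dockerfile before the image is built. The pattern is a
# heuristic; extend it to match your naming conventions.
find_secret_build_vars() {
    grep -iE '^[[:space:]]*(ARG|ENV)[[:space:]]+' "$1" \
        | grep -iE 'password|passwd|secret|token|api_?key|private_?key' || true
}

# Run every check on one Dockerfile; exit 0 only if all of them pass.
lint_dockerfile() {
    f=$1
    status=0
    if runs_as_root "$f"; then
        echo "$f: FAIL final stage runs as root (effective USER: $(effective_user "$f"))"
        status=1
    fi
    secrets=$(find_secret_build_vars "$f")
    if [ -n "$secrets" ]; then
        echo "$f: FAIL credential-like build variables:"
        printf '%s\n' "$secrets" | sed 's/^/    /'
        status=1
    fi
    # Full rule set from Hadolint itself when it is available (step 1 of the page).
    if command -v hadolint >/dev/null 2>&1; then
        hadolint "$f" || status=1
    fi
    if [ "$status" -eq 0 ]; then echo "$f: PASS"; fi
    return "$status"
}

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Constructed sample: flips back to root after adding a user, and puts
# credentials in ARG and ENV where `docker history` will expose them.
BAD="$SAMPLE_DIR/bad.Dockerfile"
cat > "$BAD" <<'EOF'
FROM debian:bookworm-slim
ARG DB_PASSWORD=changeme
ENV API_TOKEN=abc123
RUN apt-get update && apt-get install -y curl
RUN useradd -r -u 10001 appuser
USER appuser
USER root
CMD ["sh"]
EOF

# Constructed sample: non-root numeric UID, no credentials in ARG/ENV; the build
# secret arrives through a BuildKit secret mount (hypothetical id "pypi_token").
GOOD="$SAMPLE_DIR/good.Dockerfile"
cat > "$GOOD" <<'EOF'
# syntax=docker/dockerfile:1
FROM debian:bookworm-slim
ARG APP_VERSION=1.0.0
ENV APP_HOME=/srv/app
RUN --mount=type=secret,id=pypi_token cat /run/secrets/pypi_token >/dev/null
USER 10001:10001
CMD ["sh"]
EOF

# Constructed sample: USER only in the build stage, so the final stage still
# runs as root even though a plain `grep USER` finds a match.
STAGED="$SAMPLE_DIR/staged.Dockerfile"
cat > "$STAGED" <<'EOF'
FROM golang:1.22 AS build
USER nobody
WORKDIR /src
COPY . .
RUN go build -o /src/app .
FROM debian:bookworm-slim
COPY --from=build /src/app /app
ENTRYPOINT ["/app"]
EOF

for f in "$BAD" "$GOOD" "$STAGED"; do
    lint_dockerfile "$f" || true
done
```

Point `lint_dockerfile` at your own Dockerfile in CI and let its exit status fail the job; the docker history check from step 4 stays as a post-build control for images built elsewhere, since it is the only one of the four that needs an image.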