24 October 2019

New action: Dockerfile Linter

Hey there, Docker junkies! We know that you love your Docker, and you know that we love Docker, so why not help our blue friend stay fit & healthy together? For this, we have created a new action called Dockerfile Linter. The linter lets you verify Dockerfile syntax to make sure it follows the best practices for building efficient Docker images.

Dockerfile linter

Configuration is very simple and basically involves selecting the Dockerfile from the filesystem and the shell in which the instructions will be analyzed (sh, bash, dash, ksh):

Dockerfile linter details

If the linter encounters incorrect code that can affect security or performance of the Docker image, the action will stop the execution and mark the pipeline as failed. The full list of errors is available in the table at the bottom.

The tool is very thorough and will always return all types of errors – even directives. If you wish, you can leave out specific error types in the Ignore tab of the action details.

The linter should always come as the first action in Docker-building pipelines. We also recommend adding a conditional notification to let your team know in case something goes wrong:

Example pipeline

The linter was written as an open-source project hosted on GitHub that can be used with any CI/CD tool. Stay tuned for more info in the weeks to come!

Rules table

| Rule | Description |
|------|-------------|
| EL0001 | Invalid line |
| ED0001 | All parser directives must be at the very top of a Dockerfile. |
| ED0002 | Directive appears more than once. |
| ED0003 | Directives should be lowercase. |
| ED0004 | Parser directive will be treated as a comment. |
| ED0005 | Missing value for directive. |
| ER0001 | Set the SHELL option -o pipefail (-eo pipefail for Alpine images) before a RUN that contains a pipe. |
| EU0001 | Last user should not be root. |
| EI0001 | There can only be one instruction like (CMD, HEALTHCHECK, ENTRYPOINT). |
| EI0002 | FROM may only be preceded by one or more ARG. |
| EF0001 | Missing FROM. |
| EC0001 | COPY --from cannot reference its own FROM alias. |
| EC0002 | COPY --from should reference a previously defined FROM alias. |
| EI0003 | MAINTAINER is deprecated, instead use LABEL. |
| EJ0001 | You must use double-quotes (") in JSON array. |
| EJ0002 | CMD and ENTRYPOINT should be written in JSON form. |
| EJ0003 | SHELL must be written in JSON form. |
| EF0002 | FROM aliases must be unique. |
| EF0003 | Using latest is prone to errors if the image will ever update. |
| EF0004 | Always tag the version of an image explicitly. |
| ER0002 | Delete the apt-get lists after installing something. |
| ER0003 | Use WORKDIR to switch to a directory. |
| ER0004 | Do not use sudo, consider using gosu. |
| ER0005 | Command (ssh, vim, shutdown, service, ps, free, top, kill, mount, ifconfig) does not make sense in a container. |
| ER0006 | Using (apt-get upgrade, dist-upgrade, apk upgrade, apt install) is not recommended. |
| EA0001 | Use curl or wget instead, and delete files when no longer needed. |
| EC0003 | Use ADD for extracting archives into an image. |
| ER0007 | Either use wget or curl, but not both. |
| ER0008 | Use SHELL to change the default shell. |
| ER0009 | Use the -y switch. |
| ER0010 | Avoid additional packages by specifying --no-install-recommends. |
| EA0002 | Use COPY instead of ADD for files and folders. |
| EC0004 | COPY with more than 2 arguments requires the last argument to end with /. |
| ER0011 | Use the --no-cache switch. |
| ER0012 | Pin versions in apt-get install. |
| ER0013 | Pin versions in pip install. |
| ER0014 | Pin versions in npm install. |
| ER0015 | Pin versions in apk add. |
| ER0016 | Pin versions in gem install. |
| EW0001 | Use absolute WORKDIR. |
| EE0001 | Valid UNIX ports range from 0 to 65535. |
| EI0005 | Instructions should be uppercase. |
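
To make the rules concrete, here is an added Python example (not the linter's own code and not part of the original post) that applies six rules from the table above, interpreted from their descriptions, to a constructed Dockerfile. The function names `instructions` and `lint`, the sample file and the exact matching logic are assumptions made for illustration.

```python
import re

# Constructed sample Dockerfile (not from the original post).
SAMPLE = """\
FROM ubuntu:latest
MAINTAINER dev@example.com
RUN apt-get update && \\
    sudo apt-get install -y curl
RUN curl -s https://example.com/setup.sh | sh
USER root
CMD ["/usr/bin/app"]
"""

def instructions(text):
    """Yield (line_no, KEYWORD, args), joining backslash continuations."""
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no instruction
        start = start or no
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        kw, *rest = (buf + line).split(None, 1)
        yield start, kw.upper(), rest[0] if rest else ""
        buf, start = "", 0

def lint(text):
    """Return (line_no, rule_id) findings for six rules from the table."""
    found, pipefail, last_user = [], False, None
    for no, kw, args in instructions(text):
        if kw == "FROM":
            image = args.split()[0]            # assumption: no --platform flag
            pipefail, last_user = False, None  # assumption: state resets per stage
            if image.endswith(":latest"):
                found.append((no, "EF0003"))
            elif (":" not in image.rsplit("/", 1)[-1] and "@" not in image
                  and image != "scratch"):
                found.append((no, "EF0004"))
        elif kw == "MAINTAINER":
            found.append((no, "EI0003"))
        elif kw == "SHELL":
            pipefail = "pipefail" in args
        elif kw == "USER":
            last_user = (no, args.split(":")[0])
        elif kw == "RUN":
            if re.search(r"\bsudo\b", args):
                found.append((no, "ER0004"))
            if re.search(r"(?<!\|)\|(?!\|)", args) and not pipefail:
                found.append((no, "ER0001"))
    if last_user and last_user[1] in ("root", "0"):
        found.append((last_user[0], "EU0001"))
    return found
```

`lint(SAMPLE)` reports EF0003, EI0003, ER0004, ER0001 and EU0001 with the line each instruction starts on; a CI step can fail the build whenever the returned list is non-empty.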