New action: Dockerfile Linter

October 24, 2019

New action: Dockerfile Linter

Hey there, Docker junkies! We know that you love you Docker, and you know that we love Docker, so why not help our blue friend stay fit & healthy together? For this, we have created a new action called Dockerfile Linter. The linter lets you verify Dockerfile syntax to make sure it follows the best practices for building efficient Docker images.

Dockerfile linterDockerfile linter

Configuration is very simple and basically involves selecting the Dockerfile from the filesystem and the shell in which the instructions will be analyzed (sh, bash, dash, ksh):

Dockerfile linter detailsDockerfile linter details

If the linter encounters incorrect code that can affect security or performance of the Docker image, the action will stop the execution and mark the pipeline as failed. The full list of errors is available in the table at the bottom.
The tool is very thorough and will always return all types of errors – even directives. If you wish, you can leave out specific error types in the Ignore tab of the action details.

The linter should always come as the first action in Docker-building pipelines. We also recommend adding a conditional notification to let your team know in case something goes wrong:

Example pipelineExample pipeline

The linter was written as an open-source project hosted on GitHub that can be used with any CI/CD tool. Stay tuned for more info in the weeks to come!

Rules table

EL0001Invalid line
ED0001All parser directives must be at the very top of a Dockerfile.
ED0002Directive appears more then once.
ED0003Directives should be lowercase.
ED0004Parser directive will be treated as a comment.
ED0005Missing value for directive.
ER0001Set the SHELL option -o (-eo for Alpine image) pipefail before RUN with a pipe in.
EU0001Last user should not be root.
EI0001There can only be one instruction like (CMD, HEALTHCHECK, ENTRYPOINT).
EI0002FROM may only be preceded by one or more ARG.
EF0001Missing FROM.
EC0001COPY --from cannot reference its own FROM alias.
EC0002COPY --from should reference a previously defined FROM alias.
EI0003MAINTAINER is deprecated, instead use LABEL.
EJ0001You must use double-quotes (") in JSON array.
EJ0002CMD and ENTRYPOINT should be written in JSON form.
EJ0003SHELL must be written in JSON form.
EF0002FROM aliases must be unique.
EF0003Using latest is prone to errors if the image will ever update.
EF0004Always tag the version of an image explicitly.
ER0002Delete the apt-get lists after installing something.
ER0003Use WORKDIR to switch to a directory.
ER0004Do not use sudo, consider using gosu.
ER0005Command (ssh, vim, shutdown, service, ps, free, top, kill, mount, ifconfig) does not make sense in a container.
ER0006Using (apt-get upgrade, dist-upgrade, apk upgrade, apt install) is not recommended.
EA0001Use curl or wget instead, and delete files when no longer needed.
EC0003Use ADD for extracting archives into a image.
ER0007Either use wget or curl, but not both.
ER0008Use SHELL to change the default shell.
ER0009Use the -y switch.
ER0010Avoid additional packages by specifying --no-install-recommends.
EA0002Use COPY instead of ADD for files and folders.
EC0004COPY with more then 2 arguments requires the last argument to end with /.
ER0011Use the --no-cache switch.
ER0012Pin versions in apt get install.
ER0013Pin versions in pip install.
ER0014Pin versions in npm install.
ER0015Pin versions in apk add.
ER0016Pin versions in gem install.
EW0001Use absolute WORKDIR.
EE0001Valid UNIX ports range from 0 to 65535.
EI0005Instructions should be uppercase.


Alexander Kus

Alexander Kus

Customer Success Manager

A story-teller and conversation-lover, Alexander decided to invest his skills to help his friends at Buddy transform the cold language of patch notes into exciting narratives. Also: an avid gamer, hip-hop DJ, Liverpool FC fan, absentminded husband, and the father of two.