Hadolint
Dockerfile linter, validate inline bash, written in Haskell
Haskell Dockerfile Linter
A smarter Dockerfile linter that helps you build best practice Docker
images. The linter parses the Dockerfile into an AST and applies rules on
top of the AST. It stands on the shoulders of ShellCheck to lint
the Bash code inside RUN instructions.
Check the online version on
hadolint.github.io/hadolint

Table of Contents
- How to use
- Install
- CLI
- Configure
- Non-Posix Shells
- Ignoring Rules
- Linting Labels
- Integrations
- Rules
- Develop
- Alternatives
How to use
You can run hadolint locally to lint your Dockerfile.
hadolint <Dockerfile>
hadolint --ignore DL3003 --ignore DL3006 <Dockerfile> # exclude specific rules
hadolint --trusted-registry my-company.com:500 <Dockerfile> # Warn when using untrusted FROM images
Docker provides an easy way to run hadolint on most platforms.
Just pipe your Dockerfile to docker run:
docker run --rm -i hadolint/hadolint < Dockerfile
# OR
docker run --rm -i ghcr.io/hadolint/hadolint < Dockerfile
or using Podman:
podman run --rm -i docker.io/hadolint/hadolint < Dockerfile
# OR
podman run --rm -i ghcr.io/hadolint/hadolint < Dockerfile
or using Windows PowerShell:
cat .\Dockerfile | docker run --rm -i hadolint/hadolint
Install
You can download prebuilt binaries for OSX, Windows and Linux from the latest
release page. However, if this does not work for you, please fall back to
a container (Docker), brew or source installation.
On OSX, you can use brew to install hadolint.
brew install hadolint
On Windows, you can use scoop to
install hadolint.
scoop install hadolint
On distributions that have nix installed, you can use the hadolint
package to run ad-hoc shells or permanently install hadolint into
your environment.
As mentioned earlier, hadolint is available as a container image:
docker pull hadolint/hadolint
# OR
docker pull ghcr.io/hadolint/hadolint
If you need a container with shell access, use the Debian or Alpine variants:
docker pull hadolint/hadolint:latest-debian
# OR
docker pull hadolint/hadolint:latest-alpine
# OR
docker pull ghcr.io/hadolint/hadolint:latest-debian
# OR
docker pull ghcr.io/hadolint/hadolint:latest-alpine
You can also build hadolint locally. You need Haskell and the cabal
build tool to build the binary.
git clone https://github.com/hadolint/hadolint \
&& cd hadolint \
&& cabal configure \
&& cabal build \
&& cabal install
If you want the VS Code Hadolint extension to use Hadolint in a container, you can use the following wrapper script:
#!/bin/bash
dockerfile="$1"
shift
docker run --rm -i hadolint/hadolint hadolint "$@" - < "$dockerfile"
CLI
hadolint --help
hadolint - Dockerfile Linter written in Haskell

Usage: hadolint [-v|--version] [-c|--config FILENAME] [DOCKERFILE...]
                [--file-path-in-report FILEPATHINREPORT] [--no-fail]
                [--no-color] [-V|--verbose] [-f|--format ARG] [--error RULECODE]
                [--warning RULECODE] [--info RULECODE] [--style RULECODE]
                [--ignore RULECODE]
                [--trusted-registry REGISTRY (e.g. docker.io)]
                [--require-label LABELSCHEMA (e.g. maintainer:text)]
                [--strict-labels] [--disable-ignore-pragma]
                [-t|--failure-threshold THRESHOLD]
  Lint Dockerfile for errors and best practices

Available options:
  -h,--help                Show this help text
  -v,--version             Show version
  -c,--config FILENAME     Path to the configuration file
  --file-path-in-report FILEPATHINREPORT
                           The file path referenced in the generated report.
                           This only applies for the 'checkstyle', 'codeclimate',
                           'sonarqube' and 'gitlab_codeclimate' formats and is
                           useful when running Hadolint with Docker to set the
                           correct file path.
  --no-fail                Don't exit with a failure status code when any rule
                           is violated
  --no-color               Don't colorize output
  -V,--verbose             Enables verbose logging of hadolint's output to
                           stderr
  -f,--format ARG          The output format for the results [tty | json |
                           checkstyle | codeclimate | gitlab_codeclimate | gnu |
                           codacy | sonarqube | sarif] (default: tty)
  --error RULECODE         Make the rule `RULECODE` have the level `error`
  --warning RULECODE       Make the rule `RULECODE` have the level `warning`
  --info RULECODE          Make the rule `RULECODE` have the level `info`
  --style RULECODE         Make the rule `RULECODE` have the level `style`
  --ignore RULECODE        A rule to ignore. If present, the ignore list in the
                           config file is ignored
  --trusted-registry REGISTRY (e.g. docker.io)
                           A docker registry to allow to appear in FROM
                           instructions
  --require-label LABELSCHEMA (e.g. maintainer:text)
                           The option --require-label=label:format makes
                           Hadolint check that the label `label` conforms to
                           format requirement `format`
  --strict-labels          Do not permit labels other than specified in
                           `label-schema`
  --disable-ignore-pragma  Disable inline ignore pragmas `# hadolint
                           ignore=DLxxxx`
  -t,--failure-threshold THRESHOLD
                           Exit with failure code only when rules with a
                           severity equal to or above THRESHOLD are violated.
                           Accepted values: [error | warning | info | style |
                           ignore | none] (default: info)
Configure
Configuration files can be used globally or per project. Hadolint looks for configuration files in the following locations, or their platform-specific equivalents, in this order and uses the first one exclusively:
- $PWD/.hadolint.yaml
- $XDG_CONFIG_HOME/hadolint.yaml
- $HOME/.config/hadolint.yaml
- $HOME/.hadolint/hadolint.yaml or $HOME/hadolint/config.yaml
- $HOME/.hadolint.yaml
On Windows, the %LOCALAPPDATA% environment variable is used instead of
XDG_CONFIG_HOME. Config files can have either yaml or yml extensions.
hadolint full yaml config file schema
failure-threshold: string               # name of threshold level (error | warning | info | style | ignore | none)
format: string                          # Output format (tty | json | checkstyle | codeclimate | gitlab_codeclimate | gnu | codacy)
ignored: [string]                       # list of rules
label-schema:                           # See Linting Labels below for specific label-schema details
  author: string                        # Your name
  contact: string                       # email address
  created: timestamp                    # rfc3339 datetime
  version: string                       # semver
  documentation: string                 # url
  git-revision: string                  # hash
  license: string                       # spdx
no-color: boolean                       # true | false
no-fail: boolean                        # true | false
override:
  error: [string]                       # list of rules
  warning: [string]                     # list of rules
  info: [string]                        # list of rules
  style: [string]                       # list of rules
strict-labels: boolean                  # true | false
disable-ignore-pragma: boolean          # true | false
trustedRegistries: string | [string]    # registry or list of registries
hadolint supports specifying the ignored rules using a configuration
file. The configuration file should be in yaml format. This is one
valid configuration file as an example:
ignored:
- DL3000
- SC1010
Additionally, hadolint can warn you when images from untrusted
repositories are being used in Dockerfiles. To enable this, append the
trustedRegistries key to the configuration file, as shown below:
ignored:
- DL3000
- SC1010
trustedRegistries:
- docker.io
- my-company.com:5000
- "*.gcr.io"
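To show what the trustedRegistries list above is compared against, this added example (not hadolint's code and not part of the original README) resolves each FROM image to its registry using Docker's image-reference rule and checks it against the list. The function names, the sample Dockerfile and the shell-style glob handling of `*` are assumptions made for the illustration.

```python
import fnmatch
import re

# Constructed sample input: the trustedRegistries list from the config above.
TRUSTED = ["docker.io", "my-company.com:5000", "*.gcr.io"]
# Constructed sample Dockerfile for the demonstration.
SAMPLE = """\
FROM docker.io/library/golang:1.22 AS builder
FROM eu.gcr.io/my-project/base:1.0 AS base
FROM builder AS test
FROM quay.io/example/tool:latest
FROM --platform=linux/amd64 my-company.com:5000/team/app:2.1
FROM debian:12
FROM scratch
"""

FROM_RE = re.compile(r"^\s*FROM\s+(?:--\S+\s+)*(\S+)(?:\s+AS\s+(\S+))?", re.I)


def registry_of(image):
    """Registry host of an image reference, following Docker's rule: the
    first path component is a registry only if it contains '.' or ':' or
    is 'localhost'; otherwise the image comes from docker.io."""
    first, slash, _ = image.partition("/")
    if slash and ("." in first or ":" in first or first == "localhost"):
        return first.lower()
    return "docker.io"


def untrusted_from_lines(dockerfile, trusted):
    """Return (line, image, registry) for each FROM whose registry matches no
    trusted pattern ('*' treated as a shell-style glob, an assumption).
    Earlier stage aliases and 'scratch' pull nothing and are skipped."""
    aliases, findings = set(), []
    for number, line in enumerate(dockerfile.splitlines(), start=1):
        match = FROM_RE.match(line)
        if not match:
            continue
        image, alias = match.group(1), match.group(2)
        if image.lower() != "scratch" and image not in aliases:
            registry = registry_of(image)
            if not any(fnmatch.fnmatchcase(registry, p.lower()) for p in trusted):
                findings.append((number, image, registry))
        if alias:
            aliases.add(alias)
    return findings

if __name__ == "__main__":
    for number, image, registry in untrusted_from_lines(SAMPLE, TRUSTED):
        print(f"line {number}: {image} (registry {registry}) is not trusted")
```

Under the glob assumption used here, `*.gcr.io` covers `eu.gcr.io` but not the bare host `gcr.io`, which would need its own entry in the list.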
If you want to override the severity of specific rules, you can do that too:
override:
  error:
    - DL3001
    - DL3002
  warning:
    - DL3042
    - DL3033
  info:
    - DL3032
  style:
    - DL3015
failure-threshold: exit with failure code only when rules with a
severity above THRESHOLD are violated (available in v2.6.0+)
failure-threshold: info
override:
  warning:
    - DL3042
    - DL3033
  info:
    - DL3032
Additi
