dockerfilelint
A linter for Dockerfiles to find bugs and encourage best practices
dockerfilelint is a Node module that analyzes a Dockerfile, looks for common traps and mistakes, and helps enforce best practices.
Global installation with the npm package manager:
npm install -g dockerfilelint
Run the unit tests with npm test, yarn run test, or docker-compose -f docker-compose.test.yml up.
Run the linter against a Dockerfile with:
./bin/dockerfilelint <path/to/Dockerfile>
Usage: dockerfilelint [files | content..] [options]

Options:
  -o, --output   Specify the format to use for output of linting results. Valid values
                 are `json` or `cli` (default).                                 [string]
  -j, --json     Output linting results as JSON, equivalent to `-o json`.      [boolean]
  -v, --version  Show version number                                           [boolean]
  -h, --help     Show help                                                     [boolean]

Examples:
  dockerfilelint Dockerfile          Lint a Dockerfile in the current working directory
  dockerfilelint test/example/* -j   Lint all files in the test/example directory and
                                     output results in JSON
  dockerfilelint 'FROM latest'       Lint the contents given as a string on the command line
  dockerfilelint < Dockerfile        Lint the contents of Dockerfile via stdin
You can configure the linter by creating a .dockerfilelintrc file with the following syntax:
rules:
  uppercase_commands: off
Valid rule keys are the rule names defined in /lib/reference.js. At this time it is only possible to disable rules; they are all enabled by default.
The following rules are supported:
required_params
uppercase_commands
from_first
invalid_line
sudo_usage
apt-get_missing_param
apt-get_recommends
apt-get-upgrade
apt-get-dist-upgrade
apt-get-update_require_install
apkadd-missing_nocache_or_updaterm
apkadd-missing-virtual
invalid_port
invalid_command
expose_host_port
label_invalid
missing_tag
latest_tag
extra_args
missing_args
add_src_invalid
add_dest_invalid
invalid_workdir
invalid_format
apt-get_missing_rm
deprecated_in_1.13
To run the linter from the replicated/dockerfilelint Docker image instead (replace `pwd`/Dockerfile with the path to your local Dockerfile):
docker run -v `pwd`/Dockerfile:/Dockerfile replicated/dockerfilelint /Dockerfile
If you don't want to install this locally you can try it out on https://fromlatest.io.
Checks performed, by instruction:
FROM: FROM scratch without a tag; FROM <image>@<digest> syntax
MAINTAINER
RUN: apt-get install should pass the --no-install-recommends flag; apt-get should be followed by rm -rf /var/lib/apt/lists/* in the same layer; apt-get upgrade or apt-get dist-upgrade is flagged; apt-get update without apt-get install on the same line is flagged; apk add should use the --no-cache flag or be paired with an --update flag with rm -rf /var/cache/apk/* in the same layer
CMD: only one CMD layer is allowed
LABEL
EXPOSE
ENV: use a single ENV line to reduce cache layer count
ADD: if the ADD command could be a COPY, then COPY is preferred; using ADD to fetch remote files is discouraged because they cannot be removed from the layer
COPY: COPY multiple files on a single command to best use cache
ENTRYPOINT
VOLUME
USER
WORKDIR: WORKDIR can only expand variables previously set in ENV commands
ARG
ONBUILD
STOPSIGNAL
HEALTHCHECK: only NONE and CMD are valid; CMD should have additional arguments
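As an added example (not dockerfilelint's own code), the following JavaScript reimplements a handful of the rules from the list above and the per-instruction checks, and runs them over a constructed Dockerfile. It joins backslash-continued lines so the "same layer" checks see the whole RUN instruction, and the rule names it reports are taken from the rules list above.

```javascript
// Added illustration, not dockerfilelint's own code: a minimal checker for a few of
// the rules listed above, run over a constructed Dockerfile to show what they flag.
function logicalLines(content) {   // join backslash-continued lines ("same layer")
  const out = [];
  let buf = '', start = 0;
  content.split('\n').forEach((raw, i) => {
    const line = raw.trimEnd();
    if (buf === '') start = i + 1;                   // remember where the instruction began
    if (line.endsWith('\\')) { buf += line.slice(0, -1) + ' '; return; }
    out.push({ line: start, text: (buf + line).trim() });
    buf = '';
  });
  return out;
}
function lintDockerfile(content) {
  const issues = [];
  let seenFrom = false;
  for (const { line, text } of logicalLines(content)) {
    if (!text || text.startsWith('#')) continue;
    const [, cmd, args] = text.match(/^(\S+)\s*(.*)$/);
    const upper = cmd.toUpperCase();
    const add = (rule) => issues.push({ line, rule });
    if (cmd !== upper) add('uppercase_commands');
    if (!seenFrom && upper !== 'FROM') add('from_first');
    if (upper === 'FROM') {
      seenFrom = true;
      const image = args.split(/\s+/)[0];             // drop "AS <stage>"
      if (image !== 'scratch' && !image.includes('@')) {  // scratch/digest need no tag
        if (!image.includes(':')) add('missing_tag');
        else if (image.endsWith(':latest')) add('latest_tag');
      }
    } else if (upper === 'RUN') {
      if (/\bsudo\b/.test(args)) add('sudo_usage');
      if (/apt-get\s+upgrade\b/.test(args)) add('apt-get-upgrade');
      if (/apt-get\s+dist-upgrade\b/.test(args)) add('apt-get-dist-upgrade');
      if (/apt-get\s+install\b/.test(args)) {
        if (!args.includes('--no-install-recommends')) add('apt-get_missing_param');
        if (!args.includes('rm -rf /var/lib/apt/lists/*')) add('apt-get_missing_rm');
      }
    } else if (upper === 'EXPOSE' && args.split(/\s+/).some((p) => p.includes(':'))) {
      add('expose_host_port');                           // host:container binds a host port
    }
  }
  return issues;
}
// Constructed sample Dockerfile exercising the checks above.
const SAMPLE = ['FROM ubuntu:latest', 'run apt-get update && apt-get install -y curl',
  'RUN apt-get install -y --no-install-recommends git \\', '    && rm -rf /var/lib/apt/lists/*',
  'RUN sudo apt-get upgrade -y', 'EXPOSE 8080:80'].join('\n');
console.log(lintDockerfile(SAMPLE));   // 7 findings, e.g. { line: 1, rule: 'latest_tag' }
```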
The npm package dockerfilelint receives a total of 3,704 weekly downloads. As such, dockerfilelint popularity was classified as popular.
We found that dockerfilelint demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 3 open source maintainers collaborating on the project.