dockerfilelint
A linter for Dockerfiles to find bugs and encourage best practices
dockerfilelint is a node module that analyzes a Dockerfile, looks for common traps and mistakes, and helps enforce best practices.
Global installation with npm package manager.
npm install -g dockerfilelint
Start unit tests with npm test, yarn run test, or docker-compose -f docker-compose.test.yml up
./bin/dockerfilelint <path/to/Dockerfile>
Usage: dockerfilelint [files | content..] [options]
Options:
-o, --output Specify the format to use for output of linting results. Valid values
are `json` or `cli` (default). [string]
-j, --json Output linting results as JSON, equivalent to `-o json`. [boolean]
-v, --version Show version number [boolean]
-h, --help Show help [boolean]
Examples:
dockerfilelint Dockerfile Lint a Dockerfile in the current working
directory
dockerfilelint test/example/* -j Lint all files in the test/example directory and
output results in JSON
dockerfilelint 'FROM latest' Lint the contents given as a string on the
command line
dockerfilelint < Dockerfile Lint the contents of Dockerfile via stdin
You can configure the linter by creating a .dockerfilelintrc with the following syntax:
rules:
  uppercase_commands: off
The keys under rules can be any rule name defined in the /lib/reference.js file. At this time, it's only possible to disable rules; they are all enabled by default.
The following rules are supported:
required_params
uppercase_commands
from_first
invalid_line
sudo_usage
apt-get_missing_param
apt-get_recommends
apt-get-upgrade
apt-get-dist-upgrade
apt-get-update_require_install
apkadd-missing_nocache_or_updaterm
apkadd-missing-virtual
invalid_port
invalid_command
expose_host_port
label_invalid
missing_tag
latest_tag
extra_args
missing_args
add_src_invalid
add_dest_invalid
invalid_workdir
invalid_format
apt-get_missing_rm
deprecated_in_1.13
(Replace `pwd`/Dockerfile with the path to your local Dockerfile)
docker run -v `pwd`/Dockerfile:/Dockerfile replicated/dockerfilelint /Dockerfile
If you don't want to install this locally you can try it out on https://fromlatest.io.
FROM
- FROM scratch without a tag
- FROM <image>@<digest> syntax
MAINTAINER
RUN
- --no-install-recommends flag
- rm -rf /var/lib/apt/lists/* in the same layer
- apt-get upgrade or apt-get dist-upgrade
- apt-get update without apt-get install on the same line
- --no-cache flag or be paired with an --update flag with rm -rf /var/cache/apk/* in the same layer
CMD
- CMD layer is allowed
LABEL
EXPOSE
ENV
- ENV line to reduce cache layer count
ADD
- ADD command could be a COPY, then COPY is preferred
- ADD to fetch remote files is discouraged because they cannot be removed from the layer
COPY
- COPY multiple files on a single command to best use cache
ENTRYPOINT
VOLUME
USER
WORKDIR
- WORKDIR can only expand variables previously set in ENV commands
ARG
ONBUILD
STOPSIGNAL
HEALTHCHECK
- NONE and CMD are valid
- CMD have additional arguments
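The checks above, shown on one Dockerfile written to pass them. This is an added example, not code from the dockerfilelint project: each comment gives the rejected form of the line and the rule name from the list above that I read as reporting it; the image, packages, paths and port are constructed for illustration.

```dockerfile
# Added example (not from the dockerfilelint project). Rule names are taken
# from the supported-rules list; the mapping of each name to a check is my
# reading of that list. Image, packages, paths and port are constructed.

# Rejected: "FROM debian"        -> missing_tag
# Rejected: "FROM debian:latest" -> latest_tag
# A tag (or a @digest) pins the base image; "latest" silently drifts.
FROM debian:12-slim

# Rejected: "MAINTAINER ops@example.com" -> deprecated_in_1.13
LABEL maintainer="ops@example.com"

# Rejected: "RUN sudo apt-get install ..."          -> sudo_usage
# Rejected: "RUN apt-get update" on its own line    -> apt-get-update_require_install
# Rejected: "RUN apt-get upgrade -y"                -> apt-get-upgrade
# Rejected: install without --no-install-recommends -> apt-get_recommends
# Rejected: install without rm -rf /var/lib/apt/lists/* in the same layer -> apt-get_missing_rm
RUN apt-get update \
 && apt-get install -y --no-install-recommends ca-certificates curl python3 \
 && rm -rf /var/lib/apt/lists/*

# Rejected: one ENV instruction per key (extra cache layers); combine into one ENV line
ENV APP_HOME=/srv/app \
    APP_PORT=8080

# WORKDIR may only expand variables set in an earlier ENV line; APP_HOME is.
WORKDIR $APP_HOME

# Rejected: "ADD https://example.com/app.tar.gz ./" -> remote fetch via ADD stays in the layer
# Rejected: "ADD app.py ./" for a local file          -> COPY is preferred
# Rejected: one COPY per file                          -> copy several files in one instruction
COPY app.py requirements.txt ./

# Rejected: "EXPOSE 8080:8080" -> expose_host_port (no host port mapping in EXPOSE)
EXPOSE 8080

# Rejected: "HEALTHCHECK CMD" with nothing after CMD -> CMD must have additional arguments
HEALTHCHECK --interval=30s CMD curl -f http://localhost:8080/healthz || exit 1

# Rejected: a second CMD instruction later in the file -> only a single CMD layer is allowed
CMD ["python3", "app.py"]
```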
We found that dockerfilelint demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 3 open source maintainers collaborating on the project.