Huge News!Announcing our $40M Series B led by Abstract Ventures.Learn More
Socket
Sign inDemoInstall
Socket

dockerfilelint

Package Overview
Dependencies
Maintainers
1
Versions
19
Alerts
File Explorer

Advanced tools

Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

dockerfilelint

A linter for Dockerfiles to find bugs and encourage best practices

  • 0.0.8
  • Source
  • npm
  • Socket score

Version published
Weekly downloads
2.9K
decreased by-33.78%
Maintainers
1
Weekly downloads
 
Created
Source

Linter and validator for Dockerfile

Dockerfileint is an npm module that analyzes a Dockerfile and looks for common traps, mistakes and helps enforce best practices:

Testing

Start unit tests with npm test

Running

From the command line:

./bin/dockerfilelint <path/to/Dockerfile>

Checks performed

FROM

  • This should be the first command in the Dockerfile
  • Base image should specify a tag
  • Base image should not use latest tag
  • Support FROM scratch without a tag
  • Support the FROM <image>@<digest> syntax
  • Allow config to specify "allowed" base layers

MAINTAINER

  • Should be followed by exactly 1 parameter (@ sign)

RUN

  • sudo is not included in the command
  • apt-get [install | upgrade | remove] should include a -y flag
  • apt-get install commands should include a --no-install-recommends flag
  • apt-get install commands should be paired with a rm -rf /var/lib/apt/lists/* in the same layer
  • Avoid running apt-get upgrade or apt-get dist-upgrade
  • Never run apt-get update without apt-get install on the same line
  • handle best practices for yum operations and cleanup

CMD

  • Only a single CMD layer is allowed
  • Better handling of escaped quotes
  • Detect exec format with expected variable substitution

LABEL

  • Format should be key=value

EXPOSE

  • Only the container port should be listed
  • All ports should be exposed in a single cache layer (line)
  • The same port number should not be exposed multiple times
  • Exposed ports should be numeric and in the accepted range

ENV

  • Format of ENV
  • Best practice of only using a single ENV line to reduce cache layer count

ADD

  • Command should have at least 2 parameters
  • Source command(s) cannot be absolute or relative paths that exist outside of the current build context
  • Commands with wildcards or multiple sources require that destination is a directory, not a file
  • If an ADD command could be a COPY, then COPY is preferred
  • Using ADD to fetch remote files is discouraged because they cannot be removed from the layer

COPY

  • Implement checking (similar to ADD)
  • Do not COPY multiple files on a single command to best use cache

ENTRYPOINT

  • Support

VOLUME

  • Format
  • Any build steps after VOLUME is declare should not change VOLUME contents
  • If JSON format, double quotes are required

USER

  • Should be followed by exactly 1 parameter

WORKDIR

  • Validate that it has exactly 1 parameter
  • WORKDIR can only expand variables previously set in ENV commands

ARG

  • Support
  • Prevent redefining the built in ARGs (proxy)

ONBUILD

  • Support

STOPSIGNAL

  • Validate input
  • Only present one time

Misc

  • Only valid Dockerfile commands are present
  • All commands should have at least 1 parameter
  • Check that commands are written as upper case commands

Keywords

FAQs

Package last updated on 11 Feb 2016

Did you know?

Socket

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts

SocketSocket SOC 2 Logo

Product

  • Package Alerts
  • Integrations
  • Docs
  • Pricing
  • FAQ
  • Roadmap
  • Changelog

Packages

npm

Stay in touch

Get open source security insights delivered straight into your inbox.


  • Terms
  • Privacy
  • Security

Made with ⚡️ by Socket Inc