Skip to main content
lab.golamrabbani.org

Dockerfile Linter

Lint a Dockerfile for unpinned images, missing apt cleanup, and shell-form CMD.

Written by Golam Rabbani, Founder & Lead Engineer

Paste your Dockerfile to check for common mistakes: unpinned base images, missing apt cleanups, deprecated MAINTAINER, shell-form CMD/ENTRYPOINT, and more. Rules follow Hadolint conventions. Everything runs locally in your browser.

How to use this dockerfile linter

  1. Paste your Dockerfile into the text area — the whole file at once is best.
  2. Click Lint to run the rule set against every instruction in the file.
  3. Read the findings list: each row shows line number, rule ID, severity, and what to change.
  4. Fix the offending lines in your editor and re-run the linter to confirm the file is clean.
  5. Click Copy report to grab a plain-text summary for code review or a pull-request comment.

About this dockerfile linter

The Dockerfile linter runs a Hadolint-style ruleset entirely in your browser to catch the mistakes that cost you build time, image size, and security. It joins continuation lines (`\`) into single instructions, then checks each one against rules covering deprecated syntax, unpinned base images, missing apt cleanup, shell-form CMD, sudo usage, and more.

Every finding has a severity — error, warning, or info — and a Hadolint-style rule ID like DL3007 for the `latest` tag warning or DL3025 for shell-form CMD. The linter joins continuation lines (\) before evaluating each instruction, so it spots problems in multi-line RUN blocks too.

For example, this Dockerfile:

FROM node:latest MAINTAINER [email protected] RUN apt-get install curl WORKDIR app CMD npm start

will produce: DL3007 warning on line 1 (avoid `latest`), DL4000 error on line 2 (MAINTAINER is deprecated, use LABEL), DL3014 warning on line 3 (missing -y), DL3009 warning on line 3 (no apt lists cleanup), DL3000 warning on line 4 (WORKDIR must be absolute), and DL3025 warning on line 5 (CMD should use the JSON exec form). All checks run client-side; the Dockerfile never leaves your browser.

FAQ

Does this tool send my Dockerfile to a server?
No. The rule set is bundled with the page, so linting happens entirely in your browser. Your Dockerfile is never uploaded, logged, or stored.
How is this different from running Hadolint locally?
It runs the same kind of checks but with no install. You get instant feedback in any browser without setting up Go binaries, Docker images, or CI plumbing. For full coverage in CI, install Hadolint as well — this linter is great for the first-pass cleanup and quick reviews.
What do the rule codes like DL3007 mean?
They follow the Hadolint convention — `DL` for Dockerfile lint, followed by a stable identifier. DL3007 is "avoid the latest tag", DL3009 is "delete apt lists in the same RUN", DL3025 is "use exec form for CMD/ENTRYPOINT", and so on. They make it easy to look up the rationale in Hadolint docs or suppress per-line in a real CI run.
Why does the linter complain about my CMD line?
Shell-form CMD (e.g. `CMD npm start`) launches your process via `/bin/sh -c`, which means it does not receive Unix signals correctly — your container will not handle SIGTERM cleanly on shutdown. Switch to the JSON exec form: `CMD ["npm", "start"]`.
Does the linter cover multi-stage Dockerfiles?
Yes. It walks every instruction in the order it appears, including those inside additional FROM stages. Cross-stage references like `COPY --from=builder` are accepted; the rules that fire apply to whichever stage they appear in.
Is this Dockerfile linter free to use?
Yes, it is completely free with no account, no signup, and no usage limits.