Dockerfile Linter
Paste your Dockerfile to instantly catch best-practice violations, security issues, and image-size bloat — with rule codes and line numbers.
Paste a Dockerfile to start linting.
Errors Detected
- × Missing FROM — every Dockerfile must begin with a
FROMinstruction. - × Unknown instruction — typo or invalid Dockerfile directive.
- × Instruction before FROM — only
ARGis allowed before the firstFROM. - × Invalid EXPOSE port — must be between 1 and 65535.
Warnings & Suggestions
- ! DL3007 — pin a specific tag instead of
:latest. - ! DL3015 / DL3009 — apt-get needs
--no-install-recommendsand cache cleanup. - ! DL3020 — use
COPYinstead ofADDfor local files. - ! DL3003 — use
WORKDIRinstead ofcd. - ! DL4000 — MAINTAINER is deprecated, use LABEL instead.
- i Missing USER, WORKDIR, HEALTHCHECK, exec form for CMD/ENTRYPOINT, pinned pip versions, layer-merging hints.
Frequently Asked Questions
What rules does this linter check?
It checks 20+ common Dockerfile issues inspired by Hadolint, including missing FROM, unpinned image tags, deprecated MAINTAINER, ADD vs COPY, apt-get hygiene, exec-form CMD/ENTRYPOINT, missing USER/WORKDIR/HEALTHCHECK, multiple CMDs, pip version pinning, and layer-count hints.
Is my Dockerfile sent to a server?
No — all linting runs entirely in your browser. Your Dockerfile never leaves your machine.
Is this the same as Hadolint?
This tool is inspired by Hadolint and reuses its rule codes (DLxxxx) for familiarity, but it is a standalone JavaScript implementation. For full coverage in CI, run the official Hadolint binary.
Why are some "info" notices shown for things that work fine?
Info-level notices flag stylistic improvements and best practices that won't break your build but improve security, reproducibility, or image size. Errors and warnings are higher priority.
About Dockerfile Linter
The Dockerfile Linter is a free, browser-based tool that checks your Dockerfile against 20+ best-practice rules — inspired by the popular Hadolint project. It catches security issues, image-size bloat, deprecated instructions, and reproducibility problems before you build.
- Detects errors, warnings, and improvement suggestions in real time
- Pinpoints issues with exact line numbers and Hadolint-style rule codes
- Flags
:latesttags, deprecated MAINTAINER, and ADD vs COPY misuse - Catches apt-get pitfalls: missing
--no-install-recommends, missing update, no cache cleanup - Reminds you to add
USER,WORKDIR, andHEALTHCHECK - 100% client-side — your Dockerfile never leaves your browser
How to Use the Dockerfile Linter
- 1
Paste your Dockerfile
Drop the contents of your
Dockerfileinto the left editor, or click "Sample Dockerfile" to load one with intentional issues. - 2
Review the lint results
Issues appear on the right grouped by severity (Errors, Warnings, Suggestions) with Hadolint-style rule codes (e.g. DL3007) and line numbers.
- 3
Fix the issues in place
Edit your Dockerfile in the left editor — the linter re-runs automatically after a short pause so you see issues clear as you fix them.
- 4
Copy the cleaned Dockerfile
Click "Copy Input" to grab the validated Dockerfile back to your clipboard, ready to commit.
Tip: Load the sample first to see every rule in action — it deliberately triggers the most common Dockerfile mistakes.
Common Use Cases
Pre-commit Local Check
- • Catch issues before pushing to CI
- • Spot deprecated MAINTAINER and unpinned tags
- • Validate exec-form CMD/ENTRYPOINT
Image Size Optimization
- • Find missing
--no-install-recommends - • Detect missing apt cache cleanup
- • Get layer-merging hints when too many RUNs
Container Security Review
- • Verify a non-root
USERis set - • Catch
sudousage - • Encourage
HEALTHCHECKfor orchestrators
CI/CD Pipeline Prep
- • Reproduce Hadolint findings before running the binary
- • Tune Dockerfiles for Kubernetes & ECS
- • Reduce build cache misses
Learning Docker
- • See live feedback on best practices
- • Understand why each rule matters
- • Compare your Dockerfile to expert patterns
Code Review
- • Drop a teammate's Dockerfile in to spot issues fast
- • Generate a clear list of fixes with rule codes
- • Document the "why" behind each suggestion
More Questions About Dockerfile Linting
What is Dockerfile linting?
Dockerfile linting is the practice of statically analysing a Dockerfile to find best-practice violations, security issues, and image-size inefficiencies before the image is built. It catches problems early — exactly like ESLint does for JavaScript or shellcheck for Bash.
Why should I avoid the :latest tag?
:latest is a moving target — the image
can change underneath you, breaking builds and making them non-reproducible. Pin to a specific
tag (node:20.11-alpine) or, even better,
to a digest (@sha256:...).
When should I use ADD vs COPY?
Use COPY for plain files and directories
— it's explicit and predictable. Reserve ADD for the two cases it's actually needed: fetching a URL or auto-extracting a tar archive.
Why combine RUN instructions?
Each RUN creates a new image layer that
ships in the final image. Combining commands with && and using line-continuations (\) keeps
layers minimal and lets you clean up temp files in the same layer.
Why is exec-form preferred for CMD and ENTRYPOINT?
Exec form (["node", "app.js"]) runs
the binary directly without wrapping it in a shell, so signals (SIGTERM on container stop)
reach your process. Shell form (CMD node app.js)
launches via /bin/sh -c, which often
eats signals and breaks graceful shutdown.
Should every Dockerfile set a USER?
Yes — running as root is a security risk. Even if your container is sandboxed, dropping to
a non-privileged user (USER node, USER 1000) limits the blast radius of
any compromise.
Does this replace Hadolint?
Not entirely. This linter covers the most impactful rules and runs entirely in your browser — perfect for quick checks. For full rule coverage in CI/CD, run the official Hadolint binary.
Is my Dockerfile safe to paste here?
Yes. All linting runs client-side in JavaScript — nothing is transmitted, logged, or stored. You can safely paste internal Dockerfiles or proprietary base-image references.