Paste your Dockerfile to check for common mistakes, security issues, and best-practice violations.
RUN instructions using \ continuations are parsed correctly.

Dockerfiles have many subtle pitfalls that lead to bloated images, unreproducible builds, slow CI pipelines, and security vulnerabilities. Common mistakes include using mutable :latest tags that break reproducibility, running containers as root, which magnifies the blast radius of a compromise, not cleaning apt caches, which permanently inflates image layers, and using ADD when COPY is more predictable. This linter checks your Dockerfile against well-established best practices from Docker's official documentation and the Hadolint project. It covers security, image size, reproducibility, and correctness, and provides clear, actionable fix suggestions for every finding. All analysis runs entirely in your browser with no data sent to any server.
:latest tag?

The :latest tag is mutable: it points to a different image every time the upstream maintainer publishes a new version. This means the same Dockerfile might produce different images on different days, making debugging difficult and CI pipelines unpredictable. A security patch in the base image can also silently break your build. Always pin to a specific version like ubuntu:24.04 or node:22-alpine for reproducible, auditable builds.
Each RUN instruction creates an immutable image layer. If you run apt-get install in one layer and rm -rf /var/lib/apt/lists/* in a separate later layer, the cached package lists are permanently baked into the earlier layer — the cleanup has no effect on the final image size. To actually reduce size, always combine the update, install, and cleanup into a single RUN instruction connected with &&.
By default, Docker containers run as root (UID 0). If your application has a vulnerability that allows arbitrary code execution, an attacker gains root access inside the container, which provides far more capabilities — writing to any file, loading kernel modules, and potentially escaping the container or accessing host resources via misconfigured volume mounts. Adding a USER directive to switch to a non-privileged user before the entrypoint is a simple, high-value security hardening step.
ADD and COPY?

COPY simply copies files from the build context into the image. ADD has additional hidden behavior: it auto-extracts local tar archives and can fetch files from remote URLs. This extra magic makes ADD less predictable and harder to audit. The Docker team recommends using COPY for all local file copies and using a RUN curl or RUN wget command (with checksum verification) for remote downloads.
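
The four checks discussed above (unpinned base tags, apt cleanup in a separate layer, ADD instead of COPY, no non-root USER), written as a minimal JavaScript linter that first joins \ continuations. This is an added example, not this tool's own code; the function names and rule IDs are hypothetical, and it assumes no heredocs or ARG-substituted image names.

```javascript
// Added example. Function names and rule IDs are hypothetical, not the tool's own.
function parseInstructions(text) {
  const out = [];
  let buf = "", start = 0;
  text.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.trim();
    if (line === "" || line.startsWith("#")) return; // skip blanks and comments
    if (!buf) start = i + 1; // report the line where the instruction begins
    const cont = line.endsWith("\\"); // trailing "\" continues the instruction
    buf += (cont ? line.slice(0, -1) : line) + " ";
    if (cont) return;
    const m = buf.trim().match(/^(\S+)\s*(.*)$/);
    if (m) out.push({ line: start, op: m[1].toUpperCase(), args: m[2] });
    buf = "";
  });
  return out;
}

function lintDockerfile(text) {
  const ins = parseInstructions(text), findings = [], stages = new Set();
  let user = null;
  for (const { line, op, args } of ins) {
    if (op === "FROM") {
      const [image, as, name] = args.replace(/^--platform=\S+\s+/, "").split(/\s+/);
      const tag = image.includes("@") ? "digest" : image.split("/").pop().split(":")[1] || "";
      if (image !== "scratch" && !stages.has(image) && (tag === "" || tag === "latest"))
        findings.push({ line, rule: "pin-base-tag" });
      if (/^as$/i.test(as || "")) stages.add(name); // remember "FROM ... AS name"
      user = null; // USER from an earlier stage is not assumed to carry over
    } else if (op === "RUN") {
      const installs = /apt-get\s+(-\S+\s+)*install\b/.test(args);
      if (installs && !/rm\s+-rf\s+\/var\/lib\/apt\/lists/.test(args))
        findings.push({ line, rule: "apt-cleanup" }); // cleanup must share the layer
    } else if (op === "ADD") findings.push({ line, rule: "prefer-copy" });
    else if (op === "USER") user = args.trim();
  }
  if (ins.length && (user === null || /^(root|0)(:|$)/.test(user)))
    findings.push({ line: ins[ins.length - 1].line, rule: "non-root-user" });
  return findings;
}
// Constructed sample: the cleanup sits in its own RUN, so the install is still flagged.
const SAMPLE = [
  "FROM ubuntu:latest",
  "RUN apt-get update && \\",
  "    apt-get install -y curl",
  "RUN rm -rf /var/lib/apt/lists/*",
  "ADD app.tar.gz /opt/app/",
].join("\n");
console.log(lintDockerfile(SAMPLE));
```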