Hadolint

Hadolint is a Dockerfile linter and Haskell-based static analysis tool. It analyzes container image configuration files against a set of rules to ensure valid syntax and adherence to best practices.

The tool functions as a wrapper for shell checkers to inspect inline shell commands and scripts within build instructions, identifying scripting errors and bugs. It also includes security auditing capabilities to warn when images are pulled from registries not explicitly listed as trusted.

The analysis engine covers quality assurance through label schema validation, syntax pattern verification, and image optimization. Users can manage the process via configuration files to control rule severity, suppress specific warnings, and define shell compatibility for non-POSIX environments.

Features

Dockerfile Utilities - Checks Dockerfiles for syntax errors and problematic patterns to ensure high quality image construction.

Static Analysis Pattern Matching - Matches Dockerfile instructions against a predefined set of static analysis rules to identify suboptimal build patterns.

ShellCheck Wrappers - Inspects inline shell commands within Dockerfiles to identify scripting errors and bugs by wrapping ShellCheck.

Build Automation - Integrates automated checks into CI pipelines to prevent faulty Dockerfiles from being deployed to production.

Configuration Validation - Inspects image build definitions without executing the container to ensure adherence to industry best practices.

Development Best Practices - Analyzes configuration files against a set of predefined rules to ensure images are built using industry best practices.

Instruction-Level AST Analysis - Parses Dockerfiles into abstract syntax trees to validate label schemas and instruction parameters.

Shell Script Validators - Delegates the validation of inline script commands to an external shell checker to detect POSIX syntax errors.

Shell Compatibility Mapping - Allows specifying the shell used by a base image to automatically ignore rules that do not apply to non-POSIX environments.

Shell Scripting Linters - Integrates a shell checker to detect syntax errors and bugs in inline shell commands within Dockerfiles.

Static Analysis Tools - Implements a static analysis engine written in Haskell to validate container image configuration files.

Container Image Optimizers - Enforces industry best practices during the build process to create smaller and more efficient container images.

Shell Environment Detection - Determines the target shell environment of a base image to disable rules incompatible with non-POSIX shells.

Security Auditing - Verifies that images are pulled from trusted registries and follow secure configuration standards.

Repository Trust Verifiers - Warns when images are pulled from repositories that are not explicitly listed as trusted in the project configuration.

Metadata Schema Validations - Verifies that labels are present and conform to specific formats such as semantic versioning, URLs, or timestamps.

Rule Configuration Engines - Provides a system for managing, toggling, and customizing the severity and exclusion of diagnostic rules via configuration files.

Warning Suppressions - Provides the ability to suppress specific warnings globally via configuration files or for individual statements using inline comments.

Linter Exit Code Thresholds - Enables customizing the severity of specific rules and setting failure thresholds to determine non-zero exit codes.

Container Security - Smarter linter for building best-practice Dockerfiles.

Infrastructure and Configuration - Smarter Dockerfile linter for best practices.

lukasmartinellihadolint

Features

Star history