Dockerfile Linter / Best-Practice Checker
Detect common Dockerfile issues such as unpinned base images, root-user containers, missing multi-stage builds, and oversized copy steps.
- Flags risky patterns before CI or image scanning catches them later.
- Highlights stage count, base image pinning, and common package-install cleanup issues.
- Useful for app teams, platform teams, and code review checklists.
- Share results: Generate a secure link to share your current input and results with teammates — nothing is uploaded to any server.
This browser tool is not a full replacement for Hadolint, ShellCheck, or Trivy. Use them in CI for enforcement and image vulnerability scanning.
Values passed through ARG, ENV, or RUN persist in image history; deleting them in a later layer does not remove them. For secrets, use BuildKit secrets (RUN --mount=type=secret) or runtime env vars from a secret manager.
Security findings are also visible in the main Findings tab (filter by category = Security).
Cache and size findings (Build Cache + Image Size) are listed in the Findings tab — filter by category. Common quick wins:
- Copy the package manifest before `COPY . .` and install dependencies on its own layer.
- Combine `apt-get update && apt-get install -y --no-install-recommends <pkgs> && rm -rf /var/lib/apt/lists/*`.
- Use `apk add --no-cache`, `pip install --no-cache-dir`, `npm ci`.
- Switch to a multi-stage build for compiled or build-heavy languages.
- Add a strong .dockerignore (next tab).
- Use BuildKit cache mounts for heavy package managers.
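The security, cache and size checks described above can be written as a few line-oriented rules. The following Python is an added example, not this tool's code: the `lint` function, the rule names, the secret-name pattern and the sample Dockerfile are assumptions made for illustration, and any tag other than `latest` is treated as pinned.

```python
import re

# Constructed sample Dockerfile for this example (not taken from the page).
SAMPLE = """\
FROM node:latest AS build
ARG NPM_TOKEN
COPY . .
RUN apt-get update && \\
    apt-get install -y git
RUN npm ci
FROM build
ENV API_KEY=changeme
"""

SECRET = re.compile(r"TOKEN|SECRET|PASSW|API_?KEY|PRIVATE_?KEY", re.I)
DEPS = re.compile(r"\b(npm (ci|install)|pip3? install|yarn install|go mod download)\b")

def lint(text):
    """Return (category, rule, detail) tuples; the rule names are hypothetical."""
    out, users, name, copied_all = [], {}, None, False   # users: stage -> last USER
    text = re.sub(r"(?m)^[ \t]*#.*\n?", "", text)         # drop comment lines
    text = re.sub(r"\\[ \t]*\n", " ", text)               # join line continuations
    for line in filter(None, map(str.strip, text.splitlines())):
        instr, _, rest = line.partition(" ")
        instr, rest = instr.upper(), rest.strip()
        if instr == "FROM" and rest:
            parts = [p for p in rest.split() if not p.startswith("--")]
            image, copied_all = parts[0], False
            leaf = image.rsplit("/", 1)[-1]               # skip registry host:port
            pinned = "@sha256:" in image or (":" in leaf and not leaf.endswith(":latest"))
            if image not in users and image != "scratch" and not pinned:
                out.append(("Security", "unpinned-base", image))
            name = parts[2] if len(parts) > 2 else len(users)
            users[name] = users.get(image)                # inherit USER from earlier stage
        elif instr == "USER":
            users[name] = rest.split(":")[0]
        elif instr in ("ARG", "ENV") and rest:
            keys = re.findall(r"(?:^|\s)([A-Za-z_]\w*)=", rest) or [rest.split()[0]]
            out += [("Security", "secret-in-" + instr.lower(), k) for k in keys if SECRET.search(k)]
        elif instr == "COPY" and rest.split()[-2:] == [".", "."]:
            copied_all = True
        elif instr == "RUN":
            if "apt-get install" in rest and "rm -rf /var/lib/apt/lists" not in rest:
                out.append(("Image Size", "apt-no-cleanup", rest))
            if copied_all and DEPS.search(rest):
                out.append(("Build Cache", "deps-after-copy-all", DEPS.search(rest).group()))
    if users.get(name) in (None, "", "root", "0"):
        out.append(("Security", "runs-as-root", "final stage"))
    return out
```

The root-user rule only sees the Dockerfile: a base image that already sets a non-root user will still be flagged unless the final stage has its own USER line.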
Templates are starting points — adapt to your build/output paths. Loading a template will replace your current input (with confirmation).
No external scanner is invoked. For image vulnerability/SBOM scanning, run trivy, docker scout cves, or your platform's scanner from CI.