Spot the dangerous Dockerfile line
Pick the dangerous or non-reproducible line in a Dockerfile snippet.
About Dockerfile Watch
Dockerfile Watch shows you a realistic Dockerfile snippet and asks you to pick the most dangerous
or non-reproducible line. Every day everyone gets the same challenge so you can compare results.
Topics include :latest tags, running as root, leaking secrets in ENV/ARG, unsafe
curl | sh chains, missing layer cleanup, and more.
Why it helps
- Build intuition for the most common Dockerfile security and reproducibility pitfalls.
- Learn how small authoring choices affect image size, caching, and runtime privilege.
- Use the related Dockerfile Linter & Best Practice Checker to audit the full file.
Runs locally in your browser. Progress is stored only in this browser.
What this challenge teaches
Spot the dangerous Dockerfile line is a short drill for Dockerfile security and reproducibility. A build file contains one line that could leak secrets, run as root, pin poorly, or make builds non-reproducible.
Example reasoning path
- Read the prompt and identify the artifact type before looking at the answer choices.
- Compare the expected target with each candidate result and eliminate options that are only formatting changes.
- Dangerous lines often look convenient: latest tags, curl-to-shell installers, broad COPY instructions, or root defaults.
After you solve it
Open Dockerfile Linter to apply the same skill to your own data. For a broader practice loop, return to Skill Challenges or open Workflow Gallery when the task needs multiple tools.
Challenge state stays local to this browser. Do not paste production secrets into practice prompts.
Practice notes for real projects
Use this page as a warm-up before touching real project data. Read the prompt, write down the signal you are looking for, and only then compare answer choices. That habit carries over to production debugging, where the first visible error is often a symptom rather than the root cause.
After the challenge, recreate the same pattern in the linked tool with a harmless sample. For example, replace real tokens, user identifiers, hostnames, and request bodies with safe values, then verify that the same reasoning still works. This keeps practice useful without exposing private data.
- Save time by checking the smallest artifact that reproduces the issue.
- Write one sentence explaining why the wrong answers fail; that explanation is the skill to reuse later.
- If the challenge involves security, treat decoded or inspected data as untrusted until a separate verification step confirms it.