Free, browser-based utilities for everyday developer workflows

Lint a Dockerfile before building

Paste a Dockerfile and get best-practice warnings — unpinned base tags, running as root, poor layer ordering — before you spend minutes on a build that you will redo anyway.

Open this example in Dockerfile Linter

Open the tool, then paste the sample input below. Everything runs locally in your browser.

Open this example in Dockerfile Linter →

The problem

Dockerfile mistakes are slow to find because each build takes minutes: an unpinned base image breaks reproducibility, running as root is a security risk, and bad layer order busts the cache on every build. Linting first surfaces these before you build.

Sample input

Dockerfile
FROM node:latest
COPY . .
RUN npm install
CMD ["node", "server.js"]

Expected output

Warnings
- Base image uses :latest - pin a specific version (e.g. node:20.11)
- COPY . . before npm install busts the dependency cache on every change
- No USER instruction - container runs as root

Copy only package files before installing, pin the base tag, and add a non-root USER — the three highest-impact fixes here.

How to do it

  1. Paste your Dockerfile.
  2. Run the best-practice checks.
  3. Review each warning and its rationale.
  4. Fix tag pinning, layer order, and the USER instruction.
  5. Re-check before you build.

Common mistakes

  • Using the :latest tag instead of pinning a version.
  • Copying the whole context before installing dependencies, busting the cache.
  • Running the container as root with no USER instruction.
  • Installing build tools and leaving them in the final image.
  • One RUN per command, creating many unnecessary layers.

Related tools

Related guides

FAQ

Why should I not use the latest tag?

The latest tag floats, so a rebuild can pull a different image and break reproducibility. Pin a specific version such as node:20.11 so builds are deterministic.

Why does COPY before npm install slow down builds?

Copying the whole context before installing invalidates the dependency layer whenever any file changes. Copy only the package files first, install, then copy the rest.

Should a container run as root?

No. Add a USER instruction to run as a non-root user, which limits the impact if the container is compromised.

Does linting build the image?

No. Linting only reads the Dockerfile text and reports best-practice issues. It does not run Docker or build anything.

Is my Dockerfile uploaded?

No. The checks run locally in your browser. Your Dockerfile is not sent to a server.

Dockerfile linting runs locally in your browser. Nothing is uploaded.

Explore the full developer toolkit

Lint Dockerfiles, build Kubernetes and Compose manifests, validate YAML — plus every other utility.

Browse all developer tools →