What do the rule IDs like DL3007 mean?

The prefix is the **family**: `DL` for hadolint Dockerfile rules, `SC` for ShellCheck rules. The number is the **rule number** in the public catalog. `DL3007` is "Do not use the :latest tag". `SC2086` is "Quote shell variables to prevent word splitting". Looking up an ID on the hadolint or ShellCheck GitHub repos gives the full description, rationale, and examples.

Why is :latest specifically a problem?

Because **:latest is a moving target**. `FROM node:latest` builds with whatever Node version was tagged latest at the moment of the build. Three months later the image rebuilds (CI cache invalidated, base image refresh, anything) and Node 22 is now Node 24 with breaking changes. Pin to a **specific version** like `node:20.11-alpine`, or better, **a digest** like `node:20.11-alpine@sha256:abc...` for full reproducibility. Trade-off: a digest requires manual bumps.

apt-get install + cleanup, why on one RUN?

Because **each `RUN` instruction is a separate layer**. Layer 1 installs packages -> 200 MB. Layer 2 deletes `/var/lib/apt/lists` -> 0 MB, but **layer 1 still ships the 200 MB**. Docker layers are append-only; you cannot remove content in a later layer. So the pattern is **install + clean in one RUN**: `RUN apt-get update && apt-get install -y --no-install-recommends curl=1.2 && rm -rf /var/lib/apt/lists/*`. The 200 MB never enters a layer.

Why is ADD considered worse than COPY?

Because **ADD has hidden magic**. It does three things: copy local files (like COPY), fetch from URLs (sometimes useful, often unexpected), and auto-extract tarballs (`ADD foo.tar.gz /app/` extracts it). The auto-extract surprises people. **COPY** does one thing predictably. Hadolint says: use COPY for local files (`DL3020`); reach for ADD only when you actually want a URL fetch or a tarball extract. The fix in this linter rewrites `ADD` to `COPY` only when the path is local.

CMD shell form vs exec form, what is the difference?

**Shell form**: `CMD npm run start`. Docker wraps this in `/bin/sh -c "npm run start"`. The actual PID 1 is the **shell**, not your app. The shell **does not forward signals** to your child, so `docker stop` sends SIGTERM to the shell, which often gets ignored. Container takes 10 seconds (the default stop timeout) to die. **Exec form**: `CMD ["npm", "run", "start"]`. Your app is PID 1 directly, signals reach it. Graceful shutdown actually works. Always prefer the exec form (`DL3025`).

Why does running as root matter?

Three reasons. **One**, defense in depth: if there is a vulnerability in your app, root inside the container can break out faster (think CVEs in older runc versions). **Two**, Kubernetes Pod Security Standards reject root by default in restricted mode; many orgs run with that. **Three**, file permissions are confusing when your app writes as root and someone else reads as a normal user (volume mounts). Add `USER 65532:65532` (or a named user created with `adduser`) toward the end of the Dockerfile, then make sure paths your app writes to are writable by that UID.

What is HEALTHCHECK for?

HEALTHCHECK is a command Docker runs periodically to ask "is the container ready?". Output: `healthy` / `unhealthy`. Docker exposes this status to **orchestrators**: `docker compose up --wait` waits for healthy; Kubernetes can use a similar mechanism via probes; Swarm reschedules unhealthy tasks. Without a HEALTHCHECK, the container is just "running", which is not the same as "ready to accept work". Add one for long-running services: `HEALTHCHECK --interval=30s --timeout=5s CMD wget -q --spider http://localhost:3000/health || exit 1`.

Why bother pinning by digest?

Because **a tag is a label, a digest is the content**. Even `node:20.11-alpine` can be **republished** with a different content (security fix, base layer update). Most of the time the change is welcome, but in regulated environments or for forensic reproducibility, you want `node:20.11-alpine@sha256:abc...`. After pinning, the only way the image content changes is if you bump the digest in the Dockerfile and rebuild. Trade-off: you must remember to update for security fixes (use automated tooling like Renovate).

Can the linter reformat my entire Dockerfile?

**Partially.** Simple substitutions are automatic: `MAINTAINER` becomes `LABEL maintainer`, `ADD` becomes `COPY` when the source is a local path. Complex changes need a human: pinning versions requires picking the right version, merging RUNs requires understanding dependencies, adding HEALTHCHECK requires knowing what to probe. Use the "fixed" panel as a starting point, then apply the rest of the suggestions by hand.

Dockerfile Linter

Paste your Dockerfile and see a list of issues (~20 hadolint rules + custom): :latest, MAINTAINER, ADD, missing USER, missing HEALTHCHECK.

LiveRuns in your browser

SamplesClick to load

Dockerfile

Paste your Dockerfile content

11 lines

Errors

Warnings

Info

Issues

DL3007 · line 1
FROM uses :latest tag (node:latest)
Fix: Pin to an explicit version, e.g. `node:20.11-alpine`, or even better, a digest
CUSTOM_DIGEST · line 1
Image node:latest is not pinned by digest
Fix: For maximal reproducibility, pin to a digest: `image:tag@sha256:...`. Trade-off: harder to update
CUSTOM_USER · line 1
Stage (default) never sets USER, will run as root
Fix: Add `USER 65532:65532` (or a named user) toward the end of the build stage
CUSTOM_HEALTH · line 1
Final stage has no HEALTHCHECK
Fix: Add a `HEALTHCHECK CMD ...` so Docker can mark unhealthy containers and other tooling can wait for ready
DL4000 · line 2
MAINTAINER is deprecated since Docker 1.13
Fix: Replace with `LABEL maintainer="name <email>"`
DL3020 · line 3
ADD is used for a local file, use COPY instead
Fix: COPY is preferred for local files. ADD has surprising behavior (auto-extract, URL fetch)
DL3020 · line 4
ADD is used for a local file, use COPY instead
Fix: COPY is preferred for local files. ADD has surprising behavior (auto-extract, URL fetch)
DL3008 · line 6
apt-get install has unpinned versions: curl, wget, git
Fix: Pin versions: `apt-get install -y package=1.2.3`. Build reproducibility depends on this
DL3015 · line 6
apt-get install without --no-install-recommends
Fix: Add `--no-install-recommends` to skip optional dependencies and shrink the image
DL3009 · line 6
apt-get install without cleanup
Fix: Add `&& rm -rf /var/lib/apt/lists/*` at the end of the RUN to delete cached package lists
DL3047 · line 6
wget without --progress (or -q) emits noisy logs
Fix: Use `wget --progress=dot:giga` or `wget -q` to keep the build log clean
DL4001 · line 6
Both wget and curl are used
Fix: Pick one. Mixing both adds an unnecessary package and a few MB to the image
DL3059 · line 6
Multiple consecutive RUN instructions
Fix: Each RUN is a new layer. Merge with `&&` and `\` line continuations to reduce image size
DL3003 · line 7
RUN cd ... is brittle, use WORKDIR
Fix: Each RUN starts a fresh shell. `cd` does not persist across instructions. Use `WORKDIR /path` instead
DL3059 · line 7
Multiple consecutive RUN instructions
Fix: Each RUN is a new layer. Merge with `&&` and `\` line continuations to reduce image size
DL3000 · line 8
WORKDIR uses a relative path (app)
Fix: Use an absolute path, e.g. `WORKDIR /app`
DL3025 · line 10
CMD should use the JSON array form
Fix: Use the exec form: `CMD ["bin", "arg1", "arg2"]`. The shell form (string) forks a /bin/sh that does not forward signals

Best-effort fixed version

Simple substitutions: MAINTAINER -> LABEL, ADD -> COPY. The rest needs hand-edits

FROM node:latest
LABEL maintainer="team@example.com"
COPY package.json .
COPY package-lock.json .
RUN apt-get update
RUN apt-get install -y curl wget git
RUN cd /app && npm install
WORKDIR app
COPY . .
CMD npm run start

All implemented rules

DL3000Use absolute WORKDIR
DL3003Use WORKDIR, not RUN cd ...
DL3007Do not use the :latest tag
DL3008Pin versions in apt-get install
DL3009Delete the apt lists after installing
DL3015Avoid additional packages with --no-install-recommends
DL3018Pin versions in apk add
DL3020Use COPY instead of ADD for local files
DL3025Use JSON array syntax for CMD/ENTRYPOINT
DL3028Pin gem versions
DL3045COPY destination should end with a / when copying to a directory
DL3047wget without --progress emits noisy logs
DL3059Multiple consecutive RUN. Consider merging to reduce layers
DL4000MAINTAINER is deprecated. Use LABEL maintainer instead
DL4001Use either wget or curl, not both
DL4006Set SHELL with -o pipefail before using pipes in RUN
SC2086Quote shell variables to prevent word splitting
CUSTOM_USERContainer runs as root. Set USER to a non-root account
CUSTOM_HEALTHHEALTHCHECK is missing for long-running services
CUSTOM_DIGESTImage is not pinned by digest (@sha256:...) for reproducibility

What this linter does

A Dockerfile that technically builds is not the same as a Dockerfile that should be shipped. The image can have a few hundred MB of leftover apt cache that nobody uses. It can run as root with no HEALTHCHECK, so K8s never knows the container is broken. It can use `:latest` tags that change under your feet. It can use `ADD` where `COPY` would be safer. None of these stop the build, but every one of them causes pain in production.

This linter runs hadolint-style rules in your browser. Paste your Dockerfile and you get a per-line list of issues with rule ID, severity, description, and a fix hint. About 20 rules from the standard hadolint catalog (`DL3000`, `DL3007`, `DL3008`, ...) plus a few custom checks for USER not set, HEALTHCHECK missing, and image not pinned by digest.

Everything runs client-side. No upload, no build, no Docker daemon contact. The output is the same kind of feedback you would get from running `hadolint Dockerfile` locally, only inside the browser tab.

How to use it

Paste your Dockerfile in the input panel, or pick one of the samples at the top to see the output format.
Read the error / warning / info counts at the top right. Click any issue to see the line number and fix hint. Each issue carries a rule ID like `DL3007` that you can search for full hadolint documentation.
Common warnings the linter flags: `:latest` tag (`DL3007`), `apt-get install` without pinned versions (`DL3008`) and **without `rm -rf /var/lib/apt/lists/*` (`DL3009`), `MAINTAINER` which is deprecated (`DL4000`), `ADD` for local files where `COPY` is safer (`DL3020`), `CMD` in shell form instead of JSON exec form (`DL3025`), `RUN cd ...`** instead of `WORKDIR` (`DL3003`).
Security checks: container runs as root when no `USER` is set, `privileged: true`-style patterns, image not pinned by digest, `HEALTHCHECK` missing on the final stage.
Use the "fixed" panel below the issues to see a best-effort rewrite of the simple cases: `MAINTAINER` becomes `LABEL maintainer`, `ADD` becomes `COPY` when the source is local. More complex fixes (pinning versions, adding HEALTHCHECK, splitting RUN) need a human read.
Click Copy on the "fixed" panel to grab the rewritten version, or Copy on the input panel to put the original in your clipboard.
When the linter says "all clean", you have a Dockerfile that follows the well-known best practices. There may still be project-specific things to fix (image size, layer ordering for build cache), but the basics are covered.

When this is useful

Seven concrete situations where Dockerfile linting before `docker build` saves real headaches:

Reviewing a teammate's PR with a new Dockerfile. The linter gives a quick objective list: pin versions, drop `:latest`, add cleanup, add a non-root user. Code review focused on logic, not on every common pitfall.
First-pass cleanup of a legacy Dockerfile. Many old Dockerfiles use `MAINTAINER`, `ADD` for local files, `apt-get install` without cleanup, and a final image two times bigger than it could be. The linter highlights the easy wins.
Optimizing image size. `DL3009` (apt list cleanup) and `DL3015` (`--no-install-recommends`) together can shrink images by 100+ MB. `DL3059` (merge consecutive RUNs) reduces layer count which matters at scale.
Security pass. `CUSTOM_USER` flags every stage that ends up running as root. Combined with `CUSTOM_HEALTH` for the final stage, this is the minimum baseline checks for hardening before shipping.
Pinning versions for reproducibility. `DL3007` (no `:latest`), `DL3008` (apt versions), `DL3018` (apk versions), `DL3028` (gem versions), `CUSTOM_DIGEST` (image by sha256). Together they make builds deterministic.
Teaching juniors what hadolint catches. The rule IDs map 1:1 to the public hadolint catalog so anyone can look them up and learn the reasoning behind each rule.
Quick check in the browser before pushing. `docker build` takes minutes; the linter is instant. Fast feedback loop while iterating on the Dockerfile.

Questions and answers

hadolint is the standard open-source Dockerfile linter written in Haskell. It uses ShellCheck under the hood for shell command analysis inside `RUN`. This tool implements the 20 most common rules with the same rule IDs (so you can search them on the hadolint catalog), runs entirely in the browser, no install needed. For full ShellCheck-quality shell analysis and 60+ rules, install real hadolint locally and use it in CI.

Related tools

Docker Compose Builder

Assemble a docker-compose.yml from sensible presets: WordPress + MySQL, Node + Postgres + Redis, Nginx + PHP-FPM + MariaDB, single Redis, ClickHouse. Every option explained in plain English.

Kubernetes YAML Validator

Paste Kubernetes manifests (multi-doc OK) and get a list of errors + warnings + hints: matchLabels, targetPort, :latest, missing limits, privileged.

GitHub Actions YAML Builder

Build `.github/workflows/ci.yml` by clicking: triggers, jobs, matrices, common actions. Validation and live preview.

GitLab CI YAML Builder

Build `.gitlab-ci.yml` by clicking: stages, jobs, rules, artifacts, cache. Dependency validation and live preview.

.editorconfig Generator

Assemble `.editorconfig` by clicking: charset, end_of_line, indent, trim_trailing_whitespace + per-pattern blocks for *.md, Makefile, *.go. Presets for JS, Python, Go, Polyglot.

Nginx Config Snippet Builder

Assemble a working nginx server-block in five modes: static site, reverse proxy, redirect, subdomain, load balancer. SSL, gzip, WebSockets are one switch each.

FROM node:latest LABEL maintainer="team@example.com" COPY package.json . COPY package-lock.json . RUN apt-get update RUN apt-get install -y curl wget git RUN cd /app && npm install WORKDIR app COPY . . CMD npm run start

What this linter does

How to use it

Paste your Dockerfile in the input panel, or pick one of the samples at the top to see the output format.

Read the error / warning / info counts at the top right. Click any issue to see the line number and fix hint. Each issue carries a rule ID like `DL3007` that you can search for full hadolint documentation.

Common warnings the linter flags: `:latest` tag (`DL3007`), `apt-get install` without pinned versions (`DL3008`) and **without `rm -rf /var/lib/apt/lists/*` (`DL3009`), `MAINTAINER` which is deprecated (`DL4000`), `ADD` for local files where `COPY` is safer (`DL3020`), `CMD` in shell form instead of JSON exec form (`DL3025`), `RUN cd ...`** instead of `WORKDIR` (`DL3003`).

Security checks: container runs as root when no `USER` is set, `privileged: true`-style patterns, image not pinned by digest, `HEALTHCHECK` missing on the final stage.

Use the "fixed" panel below the issues to see a best-effort rewrite of the simple cases: `MAINTAINER` becomes `LABEL maintainer`, `ADD` becomes `COPY` when the source is local. More complex fixes (pinning versions, adding HEALTHCHECK, splitting RUN) need a human read.

Click Copy on the "fixed" panel to grab the rewritten version, or Copy on the input panel to put the original in your clipboard.

When the linter says "all clean", you have a Dockerfile that follows the well-known best practices. There may still be project-specific things to fix (image size, layer ordering for build cache), but the basics are covered.

When this is useful

Seven concrete situations where Dockerfile linting before `docker build` saves real headaches:

Reviewing a teammate's PR with a new Dockerfile. The linter gives a quick objective list: pin versions, drop `:latest`, add cleanup, add a non-root user. Code review focused on logic, not on every common pitfall.
First-pass cleanup of a legacy Dockerfile. Many old Dockerfiles use `MAINTAINER`, `ADD` for local files, `apt-get install` without cleanup, and a final image two times bigger than it could be. The linter highlights the easy wins.
Optimizing image size. `DL3009` (apt list cleanup) and `DL3015` (`--no-install-recommends`) together can shrink images by 100+ MB. `DL3059` (merge consecutive RUNs) reduces layer count which matters at scale.
Security pass. `CUSTOM_USER` flags every stage that ends up running as root. Combined with `CUSTOM_HEALTH` for the final stage, this is the minimum baseline checks for hardening before shipping.
Pinning versions for reproducibility. `DL3007` (no `:latest`), `DL3008` (apt versions), `DL3018` (apk versions), `DL3028` (gem versions), `CUSTOM_DIGEST` (image by sha256). Together they make builds deterministic.
Teaching juniors what hadolint catches. The rule IDs map 1:1 to the public hadolint catalog so anyone can look them up and learn the reasoning behind each rule.
Quick check in the browser before pushing. `docker build` takes minutes; the linter is instant. Fast feedback loop while iterating on the Dockerfile.

Questions and answers