Hadolint analyzes Dockerfiles and reports common mistakes, unsafe patterns, portability issues, and maintainability problems.
It combines Dockerfile-specific rules with ShellCheck analysis for shell commands used inside RUN instructions.
Hadolint is installed through Homebrew:

    brew install hadolint

It is part of the curated Homebrew environment; see Homebrew setup to install everything at once.
Check that Hadolint is available:

    hadolint --version

Run Hadolint against a Dockerfile with:

    hadolint Dockerfile

A Dockerfile with a different name can also be analyzed:

    hadolint path/to/Dockerfile.dev

To analyze all Dockerfiles tracked by Git:

    git ls-files -z \
      | grep -zE '(^|/)(Dockerfile|Dockerfile\.[^/]+)$' \
      | xargs -0 -r hadolint

Hadolint findings include a rule identifier such as DL3008 or SC2086.
The DL prefix identifies Dockerfile-specific rules.
The SC prefix identifies ShellCheck rules applied to shell commands inside Dockerfile instructions.
Warnings should normally be corrected instead of ignored.
A specific rule can be ignored for the following instruction:

    # hadolint ignore=DL3008
    RUN apt-get update && apt-get install -y curl

Exclusions should remain narrow and should only be added when the rule is not appropriate for the specific case.
Global exclusions should be avoided because they can hide future problems.
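
To keep exclusions reviewable, the inline pragmas can be listed per file and line. The script below is an added example, not part of this project: the function names and the sample Dockerfile are constructed, and it reads only inline pragmas (including Hadolint's file-wide `# hadolint global ignore=` form), not a .hadolint.yaml.

```shell
#!/bin/sh
# Added example (not from the project): audit hadolint ignore pragmas.
# Function names and the sample Dockerfile below are constructed.

# Print one line per suppressed rule: <file>:<line>:<scope>:<rule>
# Usage: list_hadolint_ignores Dockerfile path/to/Dockerfile.dev
list_hadolint_ignores() {
  [ "$#" -gt 0 ] || return 0   # no files: do not let awk block on stdin
  awk '
    /^[ \t]*#[ \t]*hadolint[ \t]+(global[ \t]+)?ignore=/ {
      scope = ($0 ~ /global[ \t]+ignore=/) ? "global" : "next-instruction"
      match($0, /ignore=/)                  # leftmost "ignore=" is the pragma
      rules = substr($0, RSTART + RLENGTH)  # keep only the rule list
      sub(/[ \t].*$/, "", rules)            # drop anything after the list
      n = split(rules, r, ",")
      for (i = 1; i <= n; i++)
        if (r[i] ~ /^(DL|SC)[0-9]+$/)       # DL = Dockerfile rule, SC = ShellCheck
          printf "%s:%d:%s:%s\n", FILENAME, FNR, scope, r[i]
    }
  ' "$@"
}

# Succeed only when none of the files carries a file-wide suppression.
no_global_ignores() {
  ! list_hadolint_ignores "$@" | grep -q ':global:'
}

# Constructed sample input for trying the functions offline.
write_sample_dockerfile() {
  cat > "$1" <<'EOF'
# hadolint global ignore=DL3059
FROM debian:bookworm-slim
# hadolint ignore=DL3008,SC2086
RUN apt-get update && apt-get install -y $PKGS
EOF
}
```

Each output line names the file, the line of the pragma, its scope and the suppressed rule, so a reviewer can check every exclusion against the instruction it covers.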
Hadolint can be configured with a .hadolint.yaml file at the repository root.
A configuration file should only be added when the project has concrete requirements that cannot be handled cleanly through the default rules.
The default configuration is preferred until such requirements appear.
Hadolint should eventually be integrated into pre-commit when Dockerfiles are present in the repository.
Homebrew manages the executable, while pre-commit will define which Dockerfiles are analyzed and when the checks run.
Until then, validation can be executed manually with:

    hadolint Dockerfile

Remove Hadolint with:

    brew uninstall hadolint

Then remove its entry from profiles/full/Brewfile.
Any related pre-commit hook or Hadolint configuration must also be removed separately.
