Hadolint Rules
Hadolint's Dockerfile linting rules reimplemented by tally, with auto-fix support and enhanced detection where available.
| Rule | Description | Severity | Auto-fix |
|---|---|---|---|
| DL3001 | Command does not make sense in a container | Info | No |
| DL3002 | Last user should not be root | Warning | No |
| DL3003 | Use WORKDIR to switch to a directory | Warning | Yes |
| DL3004 | Do not use sudo | Error | No |
| DL3006 | Always tag the version of an image explicitly | Warning | No |
| DL3007 | Using latest is prone to errors | Warning | No |
| DL3010 | Use ADD for extracting archives into an image | Info | No |
| DL3011 | Valid UNIX ports range from 0 to 65535 | Error | No |
| DL3014 | Use the -y switch (apt-get) | Warning | Yes |
| DL3020 | Use COPY instead of ADD for files and folders | Error | No |
| DL3021 | COPY with more than 2 arguments requires last to end with / | Error | No |
| DL3022 | COPY --from should reference a previously defined FROM alias | Warning | No |
| DL3023 | COPY --from cannot reference its own FROM alias | Error | No |
| DL3026 | Use only an allowed registry in the FROM image | Off | No |
| DL3027 | Do not use apt, use apt-get or apt-cache | Warning | Yes |
| DL3030 | Use the -y switch (yum) | Warning | Yes |
| DL3034 | Non-interactive switch missing from zypper command | Warning | Yes |
| DL3038 | Use the -y switch (dnf) | Warning | Yes |
| DL3043 | ONBUILD, FROM or MAINTAINER in ONBUILD | Error | No |
| DL3045 | COPY to relative destination without WORKDIR | Warning | No |
| DL3046 | useradd without -l and high UID | Warning | Yes |
| DL3047 | wget without --progress | Info | Yes |
| DL3057 | HEALTHCHECK instruction missing | Ignore | No |
| DL3061 | Invalid instruction order | Error | No |
| DL4001 | Either use Wget or Curl but not both | Warning | No |
| DL4005 | Use SHELL to change the default shell | Warning | Yes |
| DL4006 | Set SHELL -o pipefail before RUN with pipe | Warning | Yes |
Superseded rules
The following Hadolint rules are covered by equivalent BuildKit or tally rules with improved diagnostics or auto-fix support:
Not implemented
Hadolint cache-cleanup rules (DL3009, DL3019, DL3032, DL3036, DL3040, DL3042, DL3060) are intentionally not implemented. Use tally/prefer-package-cache-mounts instead, which suggests BuildKit cache mounts as a modern alternative.
Based on the Hadolint Wiki.