How to Lint a Dockerfile for Best Practices
Use the Dockerfile Linter to find common mistakes — unpinned base images, running as root, missing cache cleanup, and poor layer ordering.
Tool Used
Dockerfile Linter
Paste your Dockerfile
Open the Dockerfile Linter tool. Paste the contents of your Dockerfile into the input panel. The linter accepts any valid Dockerfile syntax including FROM, RUN, COPY, ADD, ENV, EXPOSE, USER, WORKDIR, CMD, ENTRYPOINT, HEALTHCHECK, and ARG instructions. Multi-stage Dockerfiles with multiple FROM instructions are supported.
Click Lint and review the findings
Click Lint. The tool analyzes your Dockerfile and lists findings grouped by severity: errors (will cause build failure or serious security issues), warnings (best practice violations that increase image size or reduce security), and info (suggestions for improvement). Each finding shows the line number, a description of the issue, and a specific suggestion.
Fix base image pinning
One of the most common findings is an unpinned base image tag. Replace FROM node:latest with a specific version like FROM node:20.11.0-alpine3.19. Check the official image registry for the current stable version of your base image. Using a specific version ensures reproducible builds and prevents silent breakage when latest changes.
Consolidate RUN instructions and clean up caches
Each RUN instruction creates a new image layer. Combine multiple apt-get or apk commands into a single RUN using &&. Always clean up the package manager cache in the same RUN instruction: RUN apt-get update && apt-get install -y curl && rm -rf /var/lib/apt/lists/*. Cleaning in a separate RUN instruction does not reduce image size because the cache is committed in the previous layer.
Add a non-root user and fix layer order
Add a non-root user before the CMD or ENTRYPOINT: RUN addgroup --system app && adduser --system --group app, followed by USER app. For layer cache efficiency, copy dependency manifest files first, install dependencies, then copy source code: COPY package*.json ./, then RUN npm ci, then COPY . . (in that order). This way, source code changes do not invalidate the cached dependency layer. Re-lint after making changes to confirm all findings are resolved.
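To show what the four checks from the steps above look for, here is an added Python example (not the Dockerfile Linter's own code) that can also run as a CI gate. The rule names, the BAD sample and the assumption that a stage with no USER instruction runs as root are constructed for this illustration.

```python
import re

# Constructed sample input showing the four mistakes (not from the original page).
BAD = """FROM node:latest
COPY . .
RUN npm ci
RUN apt-get update && apt-get install -y curl
CMD ["node", "server.js"]
"""

def instructions(text):
    """Yield (line_no, INSTRUCTION, args), joining backslash continuations."""
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        start, buf = start or no, buf + line.rstrip("\\") + " "
        if not line.endswith("\\"):
            word, _, args = buf.strip().partition(" ")
            yield start, word.upper(), args.strip()
            buf, start = "", 0

def lint(text):
    """Return sorted (line_no, rule) findings; rule names are hypothetical."""
    out, stages, user, from_no, copy_all = [], set(), "", 0, 0
    for no, ins, args in instructions(text):
        words = [w for w in args.split() if not w.startswith("--")] or [""]
        if ins == "FROM":                      # each stage resets USER and COPY state
            image, user, from_no, copy_all = words[0], "", no, 0
            tag = image.rsplit("/", 1)[-1].partition(":")[2]
            exempt = image == "scratch" or image in stages or "@" in image or "$" in image
            if not exempt and tag in ("", "latest"):   # stage refs, digests, ARG names pass
                out.append((no, "unpinned-base-image"))
            stages.update(words[2:3])          # FROM image AS name
        elif ins == "USER":
            user = words[0]
        elif ins == "COPY" and "." in words[:-1]:
            copy_all = copy_all or no          # whole build context copied
        elif ins == "RUN":
            if re.search(r"apt-get\s+(update|install)", args) and \
                    "rm -rf /var/lib/apt/lists" not in args:
                out.append((no, "apt-cache-not-cleaned"))   # cleanup must share the RUN
            if copy_all and re.search(r"npm\s+(ci|install)", args):
                out.append((copy_all, "source-copied-before-deps"))
    # Assumption: a stage with no USER instruction runs as root.
    if from_no and user.split(":")[0] in ("", "root", "0"):
        out.append((from_no, "final-stage-runs-as-root"))
    return sorted(set(out))
```

Calling lint(BAD) reports the unpinned tag and the root user on line 1, the copy-order problem on line 2 and the uncleaned apt cache on line 4; a Dockerfile with the fixes from the steps above returns an empty list.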