Skip to content
Latchkey

How to Run Hadolint on a Dockerfile in CI

hadolint parses a Dockerfile and reports rule violations such as unpinned apt packages or use of latest tags.

Run hadolint/hadolint-action against the Dockerfile. Set failure-threshold to control which severity fails the build, and ignore specific rules with a .hadolint.yaml when a finding does not apply.

Steps

  • Add a hadolint/hadolint-action step with the dockerfile path.
  • Set failure-threshold (e.g. warning) to decide what fails the job.
  • Optionally add .hadolint.yaml to ignore rules that do not apply.

Workflow

.github/workflows/docker.yml
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: hadolint/hadolint-action@v3.1.0
        with:
          dockerfile: Dockerfile
          failure-threshold: warning

Gotchas

  • DL3008 (pin apt versions) and DL3059 are common first findings; fix or explicitly ignore them.
  • Run hadolint as its own fast job so a lint failure does not block an in-progress image build.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →