How to Run Hadolint on a Dockerfile in CI
hadolint parses a Dockerfile and reports rule violations such as unpinned apt packages or use of latest tags.
Run hadolint/hadolint-action against the Dockerfile. Set failure-threshold to control which severity fails the build, and ignore specific rules with a .hadolint.yaml when a finding does not apply.
Steps
- Add a
hadolint/hadolint-actionstep with thedockerfilepath. - Set
failure-threshold(e.g.warning) to decide what fails the job. - Optionally add
.hadolint.yamlto ignore rules that do not apply.
Workflow
.github/workflows/docker.yml
jobs:
lint:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: hadolint/hadolint-action@v3.1.0
with:
dockerfile: Dockerfile
failure-threshold: warningGotchas
- DL3008 (pin apt versions) and DL3059 are common first findings; fix or explicitly ignore them.
- Run hadolint as its own fast job so a lint failure does not block an in-progress image build.
Related guides
How to Build With a BuildKit Secret Mount in CIPass a private token to a Docker build in CI without baking it into a layer, using RUN --mount=type=secret an…
How to Pin a Docker Base Image by Digest in CIMake Docker builds reproducible in CI by pinning the FROM base image to an immutable sha256 digest instead of…