Docker Pre-commit Hooks

Add Dockerfile linting to pre-commit configuration.

Tool: Hadolint

Hadolint is the standard Dockerfile linter. It:

• Validates Dockerfile syntax
• Checks for best practices (DL codes)
• Validates shell commands with ShellCheck (SC codes)

Workflow

1. Check for Dockerfiles

Glob: **/Dockerfile, **/Dockerfile.*, **/*.dockerfile

If no Dockerfiles found, report and exit.

2. Check Existing Pre-commit Config

Glob: .pre-commit-config.yaml

If exists, merge hadolint hook. If not, create minimal config.

3. Add Hadolint Hook

  # Dockerfile linting
  - repo: https://github.com/hadolint/hadolint
    rev: v2.12.0
    hooks:
      - id: hadolint-docker
        args: ["--ignore", "DL3008", "--ignore", "DL3013"]

4. Common Ignores

Code	Rule	When to Ignore
DL3008	Pin apt versions	Dev images where latest is OK
DL3013	Pin pip versions	When using requirements.txt
DL3018	Pin apk versions	Alpine dev images
DL3059	Multiple consecutive RUN	Readability preference

5. Optional: .hadolint.yaml Config

Create project-level config for consistent ignores:

# .hadolint.yaml
ignored:
  - DL3008  # apt-get version pinning
  - DL3013  # pip version pinning

trustedRegistries:
  - docker.io
  - gcr.io
  - ghcr.io

6. Report

Added Docker linting to pre-commit:

Hook: hadolint-docker
Files: Dockerfile, Dockerfile.*, *.dockerfile

Common commands:
  hadolint Dockerfile           # Lint single file
  hadolint --ignore DL3008 ...  # Ignore specific rule

Docs: https://github.com/hadolint/hadolint

Best Practice Rules

Security (critical):

• DL3002: Last USER should not be root
• DL3004: Do not use sudo
• DL4006: Set SHELL with pipefail

Efficiency:

• DL3003: Use WORKDIR instead of cd
• DL3020: Use COPY instead of ADD for files
• DL3025: Use JSON for CMD arguments

Maintainability:

• DL3006: Always tag base image version
• DL3007: Avoid using latest tag