Hadolint files #18

8 changes: 8 additions & 0 deletions hadolint/Dockerfile
@@ -0,0 +1,8 @@
FROM ubuntu
💡 Verification agent

❓ Verification inconclusive

Pin the base image for reproducible builds

ubuntu without a tag drifts over time and may break in CI/CD. Pin a specific LTS tag (e.g. ubuntu:22.04) or a digest.

-FROM ubuntu
+FROM ubuntu:22.04
🤖 Prompt for AI Agents
In hadolint/Dockerfile at line 1, the base image is specified as "ubuntu"
without a tag, which can lead to non-reproducible builds. Update the FROM
instruction to pin the base image to a specific Ubuntu LTS release tag, such as
"ubuntu:22.04", to ensure consistent and reproducible builds over time.

MAINTAINER someone@example.com
🛠️ Refactor suggestion

Replace deprecated MAINTAINER with LABEL

MAINTAINER is obsolete (DL4000) and triggers Hadolint errors. Switch to a LABEL for forward-compatibility.

-MAINTAINER someone@example.com
+LABEL maintainer="someone@example.com"
🧰 Tools: 🪛 Hadolint (2.12.0)

[error] 2-2: MAINTAINER is deprecated (DL4000)

🤖 Prompt for AI Agents
In hadolint/Dockerfile at line 2, replace the deprecated MAINTAINER instruction
with a LABEL instruction. Change the line from "MAINTAINER someone@example.com"
to "LABEL maintainer=\"someone@example.com\"" to comply with current Dockerfile
best practices and avoid Hadolint errors.

RUN apt-get update && apt-get install -y python3 pip
⚠️ Potential issue

Build will fail: pip package name is wrong and cache isn’t cleaned

  1. The Debian/Ubuntu package is python3-pip, not pip; the current command exits with E: Unable to locate package pip.
  2. Omitting apt-get clean / removing apt lists bloats the image.

Proposed fix:

-RUN apt-get update && apt-get install -y python3 pip
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends python3 python3-pip && \
+    rm -rf /var/lib/apt/lists/*
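Review bot: the suggested `apt-get install -y --no-install-recommends python3 python3-pip` line still leaves hadolint rule DL3008 (pin versions in apt-get install) firing on a PR whose purpose is to exercise hadolint. Either pin both packages to the versions shipped by the chosen Ubuntu release (`python3=<version>` and `python3-pip=<version>`, exact strings to be looked up for that release) or put `# hadolint ignore=DL3008` with a one-line reason directly above the RUN, so the remaining output is clean. The `rm -rf /var/lib/apt/lists/*` in the same layer is the right fix for the cache point and also satisfies DL3009.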
🤖 Prompt for AI Agents
In hadolint/Dockerfile at line 3, the package name 'pip' is incorrect and should
be replaced with 'python3-pip' to avoid installation failure. Additionally,
after installing packages, run 'apt-get clean' and remove '/var/lib/apt/lists/*'
to reduce image size by cleaning the apt cache. Update the RUN command to
install 'python3-pip' and include cache cleaning steps.

COPY . /app
WORKDIR /app
RUN chmod 777 /app
🛠️ Refactor suggestion

chmod 777 opens the entire app directory to everyone

World-writable permissions are unnecessary and risky. Prefer a dedicated non-root user with narrow permissions.

-RUN chmod 777 /app
+# optional: create non-root user and adjust perms
+RUN useradd -ms /bin/bash appuser && \
+    chown -R appuser:appuser /app
+USER appuser
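Review bot: `chown -R appuser:appuser /app` after the earlier `COPY . /app` rewrites every file in a fresh layer, so the image carries two copies of the application; use `COPY --chown=appuser:appuser . /app` on the copy instruction instead, or, narrower still, leave the code root-owned and world-readable so the process running as appuser cannot modify its own source. `useradd -ms /bin/bash appuser` also gives a service account a login shell and a home directory it never uses; `useradd -r -s /usr/sbin/nologin appuser` is the minimal form.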
🤖 Prompt for AI Agents
In hadolint/Dockerfile at line 6, replace the insecure 'chmod 777 /app' command
with setting ownership of /app to a dedicated non-root user and assign more
restrictive permissions, such as 755 or 750, to limit access. Create and switch
to this non-root user in the Dockerfile before running the application to
enhance security.

CMD ["python3", "app.py"]
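Review bot: `CMD ["python3", "app.py"]` runs as root, because nothing in this hunk adds a `USER` instruction (hadolint DL3002, last user should not be root); create an unprivileged account and switch to it before `CMD`. `COPY . /app` also copies the entire build context, Dockerfile included, so either add a `.dockerignore` to the PR or copy only `app.py` and the files it needs.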
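For reference, here is the same eight-line image with the four review findings applied together (base-image pin, LABEL instead of MAINTAINER, correct pip package plus apt cleanup, no chmod 777). This is an added example, not code from the PR; `appuser` and the digest placeholder are assumptions, and the app is assumed to be a single `app.py` script.

```dockerfile
# Added example, not part of the PR: hadolint/Dockerfile with all four
# review findings addressed. Assumes the app is a plain python3 script,
# app.py, and that "appuser" is free to use as a service account name.

# Pin the base image. A tag alone still moves as Ubuntu rebuilds it, so
# append a digest for the strictest pin (sha256 below is a placeholder).
FROM ubuntu:22.04
# FROM ubuntu:22.04@sha256:<PLACEHOLDER_DIGEST>

# MAINTAINER is deprecated (hadolint DL4000); metadata lives in labels.
LABEL maintainer="someone@example.com"

# Correct package name (python3-pip), no recommends, and the apt lists
# removed in the same layer so they never land in the image.
# DL3008 (pin package versions) is suppressed here for brevity; pin
# python3=<version> python3-pip=<version> for a production build.
# hadolint ignore=DL3008
RUN apt-get update && \
    apt-get install -y --no-install-recommends python3 python3-pip && \
    rm -rf /var/lib/apt/lists/*

# Dedicated unprivileged system account: no home, no login shell.
RUN useradd -r -s /usr/sbin/nologin appuser

WORKDIR /app

# Code stays root-owned and read-only for everyone else, so the process
# running as appuser can read but not rewrite its own source.
COPY . /app
RUN chmod -R u=rwX,go=rX /app

# Drop privileges before the application starts (hadolint DL3002).
USER appuser

CMD ["python3", "app.py"]
```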