Development

Dockerfile Analyzer

Analyze Dockerfiles, inspect build stages and detect common image issues.

Dockerfile input

Paste a Dockerfile to inspect stages, instructions and common build issues.

Analyze a Dockerfile

Paste a Dockerfile and select Analyze Dockerfile to inspect its stages, instructions and common issues.

Dockerfiles are analyzed locally inside your browser. Findings are heuristic and should be reviewed before changing a production image.

About this tool

What is Dockerfile Analyzer?

Dockerfile Analyzer inspects Dockerfile instructions and build stages while detecting common reproducibility, security and image-size issues. Review base images, package installation commands, copied files, runtime users and potentially sensitive configuration.

Features

Built for fast developer workflows

  • Parse single-stage and multistage Dockerfiles.
  • Inspect each build stage and its instructions.
  • Detect base images without explicit tags.
  • Warn when a base image uses the mutable latest tag.
  • Detect potential secrets in ENV and ARG instructions.
  • Detect APT package lists that are not removed.
  • Highlight consecutive RUN instructions.
  • Suggest COPY when ADD is unnecessary.
  • Warn about broad COPY . . instructions.
  • Detect stages without a WORKDIR.
  • Warn when the final stage does not select a non-root user.
  • Extract ports, variables, build arguments, volumes and runtime commands.
  • Filter findings by severity and search their contents.
  • Analyze every Dockerfile locally inside your browser.

Frequently asked questions

Questions about Dockerfile Analyzer

Does Dockerfile Analyzer build the image?

No. It only parses and analyzes the Dockerfile source and never runs Docker.

Are these findings guaranteed to be problems?

No. The analyzer uses heuristic rules. Every finding should be reviewed in the context of the application and base image.

Why should I avoid the latest tag?

The latest tag is mutable, so identical Dockerfiles can resolve to different base image contents at different times.

Why use a non-root user?

A non-root runtime user can reduce the impact of a compromised process when the application does not require elevated privileges.

Why remove APT package lists?

Removing cached package metadata after installation can reduce the size of Debian- and Ubuntu-based images.

Does the tool upload my Dockerfile?

No. Parsing, stage detection and issue analysis happen locally inside your browser.

Related tools