Dockerfile Security Basics Checker

Image or service label:

Name the image, service, repository, or build target you are reviewing.

Policy profile:

Choose the baseline that matches how the Dockerfile will be used.

Dockerfile source:

Paste a Dockerfile to check root user posture, base image pins, secret-like ARG/ENV, ADD/COPY risks, package hygiene, and runtime basics.

Review Dockerfile input

{{ error }}

Trusted registries:

Leave broad registries here only when your team already trusts that source for base images.

Finding row limit:

Use a compact value for review screenshots or a larger value for handoff exports.

rows

Force digest pin check:

Digest pins improve reproducibility but may be too strict for early development branches.

Include low signals:

Keep this on for a full basics audit; turn it off for a shorter release handoff.

{{ header }}	Copy
{{ cell }}
No Dockerfile rows available Paste Dockerfile source or load a sample before exporting this table.

Embed:

Customize

Include current inputs

Size

Advanced

Width

Height

Aspect ratio

Max height

Collapsible embed

Allow fullscreen

Referrer policy

Sandbox tokens

Container image security starts earlier than the image scan. A Dockerfile decides which operating system and language runtime enter the build, which files are copied, which commands run during image creation, and which user starts the final process. A short file can still carry release risk when it pulls a moving base tag, copies the whole repository, stores a token in a build variable, or leaves the application running as root.

Static Dockerfile review is valuable because many weak defaults are visible before anyone builds or pushes an image. The review is not trying to prove that every package is safe. It asks whether the build recipe follows basic hardening habits: controlled base images, narrow build context, verified downloads, least-privilege runtime users, predictable commands, and a runtime contract that is clear enough for deployment systems to monitor.

Several Dockerfile terms matter for security decisions. A FROM line starts a build stage and names the base image. A multi-stage Dockerfile may compile in one stage and copy only selected artifacts into the final stage. ARG and ENV can make builds configurable, but secret-like names or values can leak into image history or metadata. ADD and COPY both bring content into the build, while ADD has extra remote-fetch and archive behavior that deserves closer review.

Common Dockerfile security choices and review questions
Dockerfile choice	Why it matters	Review question
`FROM` tag and registry	Base images bring operating system files, package manager behavior, and inherited defaults into every later layer.	Is the base image from an approved source, and is the reference stable enough for this release?
`USER` in the final stage	The final process often runs with the image's default user unless the Dockerfile changes it.	Can the service run as a named non-root user with only the permissions it needs?
Build-time variables and downloads	Tokens, installer scripts, and remote artifacts can persist or change outside the visible application code.	Are secrets passed through secret mounts or runtime injection, and are downloads verified?
Build context and package commands	Broad copies and loose package installs can add private files, extra packages, stale indexes, and cache data.	Does the Dockerfile copy only what it needs and clean package manager state in the same layer?
Runtime command and healthcheck	Commands, exposed ports, and health probes define how operators start and observe the container.	Is the final command explicit, signal-friendly, and matched to a bounded healthcheck when the image runs a service?

Common mistakes usually come from treating containers as a packaging detail instead of a supply-chain boundary. A developer may choose latest for convenience, paste an installer command from a vendor page, or copy the entire project because it builds locally. Those choices can make later rebuilds hard to reproduce and can pull private files, credentials, or unnecessary tools into an image that will run in production.

A clean Dockerfile review is still only a starting point. It cannot confirm that a registry image is patched today, inspect the finished filesystem, verify signatures, test the service, or replace a runtime policy such as Kubernetes security context controls. Use Dockerfile security basics to catch visible recipe problems early, then pair the result with image scanning, provenance checks, CI builds, and deployment controls.

How to Use This Tool:

Review one Dockerfile at a time so the score, line numbers, chart, and remediation rows all describe the same build input.

Enter an Image or service label, such as registry.example.com/orders-api:2.8.0. The label should appear in Policy Snapshot so exports can be tied back to the right pull request or build target.
Choose Policy profile. Use Runtime service for application images, CI builder image for build-only images, and Strict release gate when release inputs should also pressure base-image digest pins.
Paste the Dockerfile into Dockerfile source, browse for a Dockerfile-like text file, drop a file on the textarea, or load one of the samples. The source status line should show line and character counts. A selected file larger than 2 MB is rejected before review.
If Review Dockerfile input appears, fix the input first. Empty text and text with no FROM instruction create critical findings because stages, final user, base image posture, and healthcheck status cannot be anchored.
Open Advanced only when the default review needs adjustment. Add approved hosts in Trusted registries, raise or lower Finding row limit, turn on Force digest pin check, or hide low and info reminders with Include low signals.
Start with Policy Snapshot. Check Risk decision, Risk score, Visible findings, Instructions parsed, Final runtime user, and Runtime healthcheck.
Use Finding Ledger for line-level evidence, Remediation Plan for control-family next actions, Instruction Ledger for parsing context, and Dockerfile Risk Mix Chart when you need to see which risk families dominate the result. A useful handoff has no critical or high rows in the ledger, a non-root Final runtime user for runtime service images, and a Risk decision that matches the release gate you selected.

Interpreting Results:

The first high-impact row matters more than the size of the score. A missing final USER, a weak base tag, a secret-like build variable, world-writable permissions, or an installer script piped to a shell should usually be fixed before release or covered by a narrow, time-limited exception.

Baseline clear means the current Dockerfile text and settings did not match the static basics rules. It does not mean the built image has no vulnerabilities, that the base image digest is trusted, or that the container will run correctly under your orchestrator.

Dockerfile security result cues and follow-up actions
Visible cue	Best reading	Follow-up check
Blocked	The input is empty, lacks a usable `FROM`, or has a critical base-image structure problem.	Fix the Dockerfile text before using the rest of the output for release review.
Needs hardening	A high finding is visible, or the visible score is at least `28`.	Work the Finding Ledger from top to bottom and resolve high rows first.
Review	A medium finding is visible, or the visible score is at least `10`.	Confirm the selected Policy profile, then address digest, package, context, or runtime-surface notes.
Low-signal cleanup	Only low or info reminders remain in the visible finding set.	Decide whether the cleanup should happen now or be tracked as backlog.
Baseline clear	No visible finding matched the current review settings.	Build and scan the image, confirm runtime behavior, and keep base-image refresh automation in place.

Line numbers are review aids. A multi-line instruction is analyzed as one instruction, so a finding on the first line of a continued RUN command may refer to content later in that same command.

Use the chart to spot clusters, not to replace the ledger. For example, several low package-hygiene rows may be less urgent than one high secret finding, but a cluster can still show where a Dockerfile needs cleanup before it becomes a repeated pattern across services.

Technical Details:

Dockerfile review begins with instruction structure. Blank lines and comments are ignored, continued lines ending in a backslash are joined, and each parsed instruction keeps the line where it started. Every FROM begins a stage. The last stage is treated as the final runtime stage for checks such as final USER, WORKDIR, CMD, ENTRYPOINT, and HEALTHCHECK.

The rule set is static and text-based. It does not execute build commands, pull images, query registries, inspect package databases, or read a finished image filesystem. That boundary keeps the review fast and predictable, but it also means a clean result must be followed by build-time and runtime security checks.

Rule Core

The baseline groups findings by control family. Each row below summarizes the visible security idea rather than every internal pattern.

Dockerfile security baseline rule groups
Control family	Signals checked	Typical remediation
Base image	Missing `FROM`, dynamic base image variables, weak or missing tags, required digest pins, and registry hosts outside the trusted list.	Use an approved base image, pin stable versions, add `@sha256` digest pins for release gates, and document registry exceptions.
Runtime user	No final-stage `USER`, final `USER root` or `USER 0`, and `sudo` or `su` inside build commands.	Create or reuse a least-privilege runtime account and switch to it near the end of the final stage.
Secrets	`ARG` and `ENV` names or values that look like tokens, passwords, API keys, private keys, credentials, authentication material, or cloud access keys.	Use BuildKit secret mounts or runtime secret injection instead of persisting sensitive values in image metadata or build history.
Build context	`ADD` for ordinary copies, remote `ADD`, archive auto-extraction, and broad `COPY .` or `ADD .`.	Prefer `COPY` for plain file transfer, narrow copied paths, and keep archive extraction or remote fetches explicit and reviewed.
Package hygiene	Installer pipes, unverified downloads, Debian package installs without cleanup, missing `--no-install-recommends`, broad OS upgrades, missing Alpine or RPM cache cleanup, and cached `pip` installs.	Verify remote artifacts, install only required packages, clean package indexes in the same layer, and rebuild from patched bases instead of broad upgrades.
Runtime surface	Missing final `WORKDIR`, relative workdir paths, missing final command, missing healthcheck when expected, shell-form commands, sensitive exposed ports, and `chmod 777`.	Use absolute workdirs, JSON exec form, bounded healthchecks, narrow permissions, and only expose the application listener.
Build checks	`# check=skip=all`, deprecated `MAINTAINER`, and `ONBUILD` triggers.	Run build checks in CI, replace legacy metadata with labels, and avoid hidden downstream build behavior unless it is documented and tested.

Formula Core

The risk score is the sum of weighted visible findings. Low and info rows count only when Include low signals is on. The visible finding set is sorted by severity weight and line number, then the table is clipped by Finding row limit. The JSON output includes both the visible findings and the full normalized finding list.

Risk score = \sum_{i = 1}^{n} visible finding weight (i)

Dockerfile finding severity weights and decision boundaries
Severity or decision	Boundary	Meaning
Critical finding	`30`	Input or structure is blocked, such as empty Dockerfile text or no `FROM` instruction.
High finding	`16`	Release-impacting issue such as root runtime posture, weak base tag, secret-like build variable, remote `ADD`, installer pipe, sensitive Docker socket exposure, or world-writable permissions.
Medium finding	`7`	Review-required issue such as missing digest under strict rules, broad context copy, unverified download, package-cache problem, sensitive SSH exposure, or hidden build trigger.
Low or info finding	`3` or `1`	Cleanup or syntax reminders that can still matter when several small issues cluster in one Dockerfile.
Blocked	critical > `0`	The input has to be fixed before the review can support a release decision.
Needs hardening	high > `0` or score >= `28`	High-impact findings or a heavy visible score should be resolved before release.
Review	medium > `0` or score >= `10`	The Dockerfile needs policy review even if no high row is visible.
Low-signal cleanup	any visible low or info row	Only lower-priority reminders remain visible under the current settings.
Baseline clear	no visible findings	No static baseline rule matched the current Dockerfile and settings.

Profile Effects

Policy profile changes a small set of expectations. It does not change the parsed Dockerfile text, but it changes how healthchecks, digest pins, and some package hygiene rows are judged.

Dockerfile policy profile effects
Profile	Healthcheck expectation	Digest pin expectation	Package hygiene pressure
Runtime service	Expected in the final stage.	Only when Force digest pin check is on.	Default severity for package cleanup reminders.
CI builder image	Not required.	Only when Force digest pin check is on.	Default severity for package cleanup reminders.
Strict release gate	Expected in the final stage.	Expected for each non-`scratch` base image.	Some package cleanup reminders are raised to medium severity.

Deduplication happens by finding type, line, and evidence text so repeated pattern matches on the same instruction do not inflate the result. Findings that remain are still rule signals, not proof of exploitability. The safest interpretation is to treat them as review prompts tied to visible Dockerfile text.

Responsible Use Note:

Dockerfiles can reveal registry hosts, private repository names, build arguments, package sources, internal ports, and service labels. They can also contain accidental credentials. Paste the smallest useful Dockerfile text when reviewing sensitive projects.

The review runs in the browser session and does not build the image. Pasted text and selected files are read locally by the page, but copied tables, chart images, downloaded files, and JSON output can still contain sensitive details from the Dockerfile and findings.

Do not treat the result as a penetration test, vulnerability scan, or compliance approval. It is a static basics check that should feed a broader container security workflow.

Advanced Tips:

Use Strict release gate for Dockerfiles that feed production images, signed images, or deployment approvals. It adds digest-pin pressure even when the base tag is otherwise specific.
Keep Include low signals on during cleanup work so package-cache reminders, shell-form command notes, and missing healthchecks are visible before they spread across service templates.
Use Trusted registries as a review assumption, not as a blanket approval. Add only registries your team already allows for base images, then document exceptions in the pull request or release ticket.
Raise Finding row limit before exporting a noisy legacy Dockerfile. A low row limit can make the table easier to read, but the full visible ledger is better for remediation planning.
Compare Dockerfile Risk Mix Chart with Remediation Plan. The chart shows where findings cluster, while the remediation rows show which control families need release-blocking fixes first.

Worked Examples:

Risky application image

The risky sample starts from node:latest, sets ARG API_TOKEN=demo, uses ADD . /app, installs packages without the checked cleanup pattern, pipes a remote installer to bash, exposes port 22, and uses shell-form CMD npm start. Under Runtime service, Policy Snapshot reports Risk decision as Needs hardening, Risk score as 104, Visible findings as 12 shown of 12, and Final runtime user as not set. The first high rows point to the weak base tag, missing final user, secret-like build variable, and remote script execution.

Clean runtime sample

The clean sample uses two node:20-bookworm-slim stages, copies dependency and source files with narrower paths, sets USER node, declares a bounded HEALTHCHECK, and uses JSON exec form for CMD. Under Runtime service, Policy Snapshot reports Risk decision as Baseline clear, Risk score as 0, Final runtime user as node, and Runtime healthcheck as present. That result is a good static baseline, but the image should still be built, scanned, and tested.

Strict release gate without digest pins

The same clean sample changes when Policy profile is set to Strict release gate or Force digest pin check is on. The node:20-bookworm-slim tags are specific enough to avoid the weak-tag warning, but each FROM line lacks an @sha256 digest. Policy Snapshot moves to Review, and Finding Ledger adds medium Base image rows asking for release-grade digest pins.

Snippet with no base image

A snippet such as RUN echo hello cannot be reviewed as a complete Dockerfile. The alert shows Review Dockerfile input, and Policy Snapshot reports Risk decision as Blocked because no FROM instruction exists. Add the intended base image first, then read the stage count, instruction ledger, final user, and healthcheck results again.

FAQ:

Why is latest treated as high risk?

A latest base tag can point to different image content over time. The checker reports it as a high Base image finding because a rebuild can change without a Dockerfile change.

Why are secret-like ARG and ENV names flagged?

ARG and ENV values can become visible through image metadata, build history, or provenance. Use BuildKit secret mounts or runtime secret injection for tokens, passwords, private keys, and cloud credentials.

Does Baseline clear mean the image is secure?

No. Baseline clear means the current Dockerfile text and settings did not match the static basics rules. It does not scan packages, verify a registry digest, test runtime behavior, or approve a deployment policy.

Why did a normal ADD instruction create a finding?

ADD can fetch remote content and unpack local archives. If the Dockerfile only needs plain file transfer from the build context, the remediation row asks for COPY instead.

What should I do when the alert says no FROM was found?

Paste a complete Dockerfile or add the intended base image. The checker needs at least one FROM instruction before it can determine stages, final runtime user, healthcheck status, or base-image posture.

Is the Dockerfile uploaded for analysis?

No server-side build or parser is used by this checker. Pasted text and selected files are read in the browser session, while copied and downloaded outputs remain your responsibility to handle safely.

Glossary:

Base image: The image named by FROM that starts a Dockerfile stage.
Build context: The files available to Docker during a build, usually copied with COPY or ADD.
Digest pin: An @sha256 reference that binds a base image line to one exact image digest.
Final stage: The last stage in a multi-stage Dockerfile, treated here as the runtime stage for user, command, workdir, and healthcheck review.
Secret mount: A BuildKit mechanism that exposes a secret during a build step without storing it in the final image metadata.
Shell form: A CMD or ENTRYPOINT written as a string instead of a JSON array, which can affect signal and argument handling.
Trusted registry: A registry host that the review settings treat as approved for base-image provenance reminders.

References:

Building best practices, Docker Docs.
Dockerfile reference, Docker Docs.
SecretsUsedInArgOrEnv, Docker Docs.
Build secrets, Docker Docs.
Docker Security Cheat Sheet, OWASP Cheat Sheet Series.
How to build a multi-stage Docker image, Simplified Guide.