Security

Dockerfile security & best-practice linter API

Lints the provided Dockerfile text for security and best-practice issues: running as root (no USER directive, or one set too late), :latest or unpinned/undigested base images, ADD of remote URLs, secrets baked into ENV/ARG, curl|bash piping, apt without --no-install-recommends or cache cleanup, sudo usage, EXPOSE 22, and missing HEALTHCHECK. Returns findings with severity, line and remediation, plus a 0-100 score. Answers questions such as 'Does this Dockerfile run as root?' and 'Is my base image pinned?'.

Price: $0.01 per request
Method: POST
Route: /v1/security/dockerfile
Status: Live
MIME type: application/json
Rate limit: 120/minute
Cache: No cache
Tags: security, docker, dockerfile, lint, container, supply-chain, best-practices, scoring
API URL: https://x402.hexl.dev/v1/security/dockerfile
Example request
{
  "dockerfile": "FROM ubuntu:latest\nRUN apt-get install -y curl\nRUN curl https://get.example.sh | bash\nCMD [\"./app\"]"
}
Example response
{
  "score": 50,
  "findingsCount": 7,
  "runsAsRoot": true,
  "highestSeverity": "high",
  "findings": [
    {
      "id": "base-latest",
      "severity": "medium",
      "title": "Base image uses :latest (ubuntu:latest)",
      "remediation": "Pin to a specific version or digest (e.g. node:20.11-bookworm or @sha256:...).",
      "line": 1
    },
    {
      "id": "curl-pipe-bash",
      "severity": "high",
      "title": "Pipes a download straight into a shell (curl|bash)",
      "remediation": "Download, verify a checksum/signature, then execute; piping to a shell runs unverified code.",
      "line": 3
    },
    {
      "id": "runs-as-root",
      "severity": "high",
      "title": "No USER directive; container runs as root",
      "remediation": "Add a non-root USER directive before the runtime stage; running as root is risky if the app is compromised."
    },
    {
      "id": "no-healthcheck",
      "severity": "low",
      "title": "No HEALTHCHECK instruction",
      "remediation": "Add a HEALTHCHECK so orchestrators can detect unhealthy containers."
    }
  ]
}
Input schema
{
  "type": "object",
  "required": [
    "dockerfile"
  ],
  "properties": {
    "dockerfile": {
      "type": "string",
      "minLength": 1,
      "description": "Raw Dockerfile text.",
      "examples": [
        "FROM ubuntu:latest\nRUN apt-get install -y curl\nRUN curl https://get.example.sh | bash\nCMD [\"./app\"]"
      ]
    }
  }
}
Output schema
{
  "type": "object",
  "additionalProperties": true
}