๐Ÿณ

Dockerfile Security & Optimization Audit

Paste or upload your Dockerfile. Get instant security findings, optimization tips, and a letter grade. 17 static analysis rules — not an AI wrapper.

Free audit • AI-fixed Dockerfile: $1.99

How It Works


1. Paste or Upload

Drop your Dockerfile in. Supports any valid Dockerfile syntax including multi-stage builds.


2. Static Analysis

17 rules check for security issues, optimization gaps, and Docker best practices. No AI involved.


3. Get Fixes

Free: detailed findings with fix instructions. $1.99: AI rewrites your entire Dockerfile with all fixes applied.


Security First

Catches root user, leaked secrets, unverified downloads, and missing healthchecks.


Instant Results

Pure static analysis — no cloud builds, no registry access needed. Results in under a second.


Image Optimization

Detects bloated base images, cache-busting layer order, missing cleanup, and multi-stage opportunities.

What We Check

CRITICAL

Running as root user • Secrets in ENV/ARG instructions

HIGH

Unpinned base images • Multiple CMD/ENTRYPOINT • Downloads without checksums

MEDIUM

No HEALTHCHECK • ADD vs COPY • Bad layer ordering • Bloated base images

LOW / INFO

Missing EXPOSE • Shell form CMD • pip cache • No multi-stage builds
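To make the rule list above concrete, here is a small Python checker that implements ten of these rules as deterministic pattern checks over a Dockerfile. It is an added example, not DockerAudit's own code (the tool's rule implementations and grading scale are not published on this page). The two Dockerfiles it runs on are constructed samples: `example.invalid` is a reserved placeholder domain and the sha256 value is a labelled placeholder, not a real checksum. The heuristics (which names look like secrets, what counts as a checksum step) are assumptions chosen for illustration.

```python
"""Mini Dockerfile linter: ten rules from the list above, run over constructed samples."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    line: int      # 0 means a file-level finding (no single instruction to point at)
    message: str


# Assumed heuristics; a production tool tunes these far more carefully.
SECRET_NAME = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|PRIVATE_KEY)", re.I)
DOWNLOADER = re.compile(r"\b(curl|wget)\b")
VERIFIER = re.compile(r"(sha256sum|sha512sum|shasum|gpg --verify|--checksum)")
PIP_INSTALL = re.compile(r"\bpip3? install\b")
ARCHIVES = (".tar", ".tar.gz", ".tgz", ".tar.xz", ".tar.bz2")


def parse(text: str):
    """Yield (line_no, INSTRUCTION, args) per logical instruction, joining backslash continuations."""
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        start, buf = i + 1, lines[i].strip()
        if not buf or buf.startswith("#"):
            i += 1
            continue
        while buf.endswith("\\") and i + 1 < len(lines):
            i += 1
            buf = buf[:-1] + " " + lines[i].strip()
        i += 1
        parts = buf.split(None, 1)
        yield start, parts[0].upper(), (parts[1] if len(parts) > 1 else "")


def is_pinned(image: str) -> bool:
    """Pinned means a digest, or a tag other than 'latest'. A registry port colon does not count."""
    if "@sha256:" in image:
        return True
    name = image.split("/")[-1]
    return ":" in name and not name.endswith(":latest")


def audit(text: str) -> list[Finding]:
    out: list[Finding] = []
    stages: set[str] = set()
    last_user = None
    healthcheck = expose = whole_context_copied = False
    counts = {"CMD": 0, "ENTRYPOINT": 0}
    for ln, ins, args in parse(text):
        words = [w for w in args.split() if not w.startswith("--")]  # drop --chown, --from, ...
        if ins == "FROM":
            image = words[0]
            if len(words) == 3 and words[1].upper() == "AS":
                stages.add(words[2])
            if image != "scratch" and image not in stages and not is_pinned(image):
                out.append(Finding("unpinned-base-image", "HIGH", ln, f"{image} has no tag or digest"))
            whole_context_copied = False  # each stage starts its own layer cache chain
        elif ins in ("ENV", "ARG"):
            name = re.split(r"[=\s]", args, 1)[0]  # first variable only, enough for the demo
            if SECRET_NAME.search(name):
                out.append(Finding("secret-in-env-arg", "CRITICAL", ln,
                                   f"{ins} {name}: values persist in image config or build history"))
        elif ins == "RUN":
            if DOWNLOADER.search(args) and not VERIFIER.search(args):
                out.append(Finding("unverified-download", "HIGH", ln, "curl/wget with no checksum or signature check"))
            if PIP_INSTALL.search(args):
                if "--no-cache-dir" not in args:
                    out.append(Finding("pip-cache", "LOW", ln, "pip install keeps its download cache in the layer"))
                if whole_context_copied:
                    out.append(Finding("layer-order", "MEDIUM", ln,
                                       "dependencies installed after COPY . ; any source edit busts this cache"))
        elif ins == "COPY":
            if words and words[0] in (".", "./"):
                whole_context_copied = True
        elif ins == "ADD":
            if words and not words[0].startswith(("http://", "https://")) and not words[0].endswith(ARCHIVES):
                out.append(Finding("add-vs-copy", "MEDIUM", ln, "ADD used where COPY suffices"))
        elif ins == "USER":
            last_user = args.split(":")[0]
        elif ins == "HEALTHCHECK":
            healthcheck = True
        elif ins == "EXPOSE":
            expose = True
        elif ins in counts:
            counts[ins] += 1
            if ins == "CMD" and not args.startswith("["):
                out.append(Finding("shell-form-cmd", "LOW", ln, "shell form runs via /bin/sh -c; the app is not PID 1 and misses SIGTERM"))
            if counts[ins] == 2:
                out.append(Finding(f"multiple-{ins.lower()}", "HIGH", ln, f"only the last {ins} takes effect"))
    if last_user in (None, "root", "0"):
        out.append(Finding("root-user", "CRITICAL", 0, "no non-root USER set before the container starts"))
    if not healthcheck:
        out.append(Finding("no-healthcheck", "MEDIUM", 0, "no HEALTHCHECK instruction"))
    if not expose:
        out.append(Finding("missing-expose", "LOW", 0, "no EXPOSE instruction documents the listening port"))
    return out


# Constructed samples: the same service with the weak settings, then with each of them corrected.
WEAK = """\
FROM python:latest
ENV API_KEY=sk-constructed-example
RUN curl -fsSL https://example.invalid/tool.tar.gz -o /tmp/tool.tar.gz
ADD app.py /app/app.py
COPY . /app
RUN pip install -r /app/requirements.txt
CMD python /app/app.py
"""

HARDENED = """\
FROM python:3.12-slim AS builder
COPY requirements.txt /app/requirements.txt
RUN pip install --no-cache-dir -r /app/requirements.txt

FROM python:3.12-slim
COPY --from=builder /usr/local/lib/python3.12/site-packages /usr/local/lib/python3.12/site-packages
RUN curl -fsSL https://example.invalid/tool.tar.gz -o /tmp/tool.tar.gz \\
    && echo "<sha256-placeholder>  /tmp/tool.tar.gz" | sha256sum -c -
COPY . /app
USER 65534
EXPOSE 8000
HEALTHCHECK CMD ["python", "-c", "import urllib.request; urllib.request.urlopen('http://localhost:8000/health')"]
CMD ["python", "/app/app.py"]
"""

if __name__ == "__main__":
    for f in audit(WEAK):
        print(f"[{f.severity}] line {f.line}: {f.rule}: {f.message}")
    print("hardened findings:", len(audit(HARDENED)))
```

Running it lists ten findings for `WEAK` (every rule above fires once) and none for `HARDENED`. The hardened file also shows why the multi-stage rule matters: the builder stage does the dependency install, so the runtime image carries neither pip's cache nor the build tooling, and `COPY . /app` comes after the install so source edits no longer invalidate the dependency layer.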

Frequently Asked Questions

What does DockerAudit check for?

DockerAudit runs 17 static analysis rules against your Dockerfile covering security (root user, leaked secrets, unverified downloads), optimization (bloated images, bad layer caching, missing cleanup), and best practices (healthchecks, exec form CMD, pinned versions). No AI is involved in the scan — it's deterministic rule-based analysis.

Is my Dockerfile stored or shared?

No. Your Dockerfile is processed in memory and discarded immediately after the scan. We don't store, log, or share any uploaded content. The analysis happens server-side for accuracy but nothing persists.

How is this different from hadolint?

Hadolint is excellent but requires installation and CLI usage. DockerAudit is a web-based alternative for quick one-off checks — perfect for code reviews, auditing vendor Dockerfiles, or checking files on machines where you can't install tools. The paid tier also generates an AI-fixed version of your Dockerfile.

What's included in the free scan vs paid?

The free scan gives you the full audit: all 17 rules, severity ratings, line numbers, descriptions, and fix instructions. The $1.99 upgrade uses GPT-4o to rewrite your entire Dockerfile with every issue fixed — ready to copy-paste into your project.

Does it support multi-stage Dockerfiles?

Yes. DockerAudit fully parses multi-stage builds with multiple FROM instructions, AS aliases, and cross-stage references. It also checks if a single-stage build could benefit from multi-stage architecture.

What ecosystems are supported?

DockerAudit works with any valid Dockerfile regardless of the application ecosystem — Python, Node.js, Go, Rust, Java, Ruby, PHP, and more. Rules are Dockerfile-specific, not language-specific.