Integrate Hadolint with Vulnetix. Lint Dockerfiles for security best practices and upload SARIF results.
Install & scan
$ uv run --with hadolint-py hadolint --version $ uv run --with hadolint-py hadolint -f sarif Dockerfile > hadolint.sarif
Run Hadolint in CI
Scan on every push and upload the results to Vulnetix:
- name: Run Hadolint
run: |
pip install hadolint-py
hadolint -f sarif Dockerfile > hadolint.sarif
- name: Upload to Vulnetix
run: vulnetix upload --file hadolint.sarif
How Vulnetix compares — better together
Vulnetix does not replace Hadolint. Keep running it. Vulnetix sits on top of Hadolint — and every other scanner you already own — turning disconnected tool outputs into one prioritised, fixable queue.
Hadolint is strongest at its core category and also carries features in IaC & Cloud Configuration, SAST — just like Vulnetix spans categories.
| Capability | Vulnetix | Hadolint |
|---|---|---|
| Security coverage | ||
| SAST (static code analysis) | ✓ Built-in rules + Semgrep augmentation | ~ ShellCheck integration statically analyses shell in RUN blocks |
| SCA / dependencies | ✓ 40+ ecosystems, transitive graph | ✗ |
| DAST (dynamic testing) | ~ Ingests DAST results; no native dynamic engine | ✗ |
| Container & image | ✓ Image CVEs, base image, Dockerfile | ~ Lints Dockerfile source for build-time hardening/best-practice; does NOT scan built images or their package CVEs |
| IaC / misconfiguration | ✓ Terraform, k8s, CloudFormation | ~ Dockerfile is build-infra config; checks misconfig-style rules but only for Dockerfiles, not Terraform/k8s/cloud |
| Secret scanning | ✓ 1,000+ rules, source + binary + git history | ✗ |
| Cloud / CSPM | ✓ Cloud-posture findings, compliance tab | ✗ |
| Mobile (MAST) | ~ Ingests mobile scanner output; no native mobile engine | ✗ |
| License compliance | ✓ SPDX, copyleft/AGPL/SSPL policy | ✗ |
| SBOM generation | ✓ CycloneDX 1.7 + SPDX 2.3, cosign-signable | ✗ |
| Malware / supply-chain | ✓ De-duplicated corpus + install-time firewall (25+ registries) | ✗ |
| Network / infra vuln | ~ Ingests network scanner output; no native network scanner | ✗ |
| Fuzzing | ✗ Ingests fuzzing crashes; no native fuzzer | ✗ |
| Pentest / bug bounty | ✗ Ingests pentest/bug-bounty findings; not a testing service | ✗ |
| The Vulnetix orchestration layer | ||
| Cross-scanner dedup & one queue (ASPM) | ✓ Correlates every scanner into one prioritised queue with ownership routing | ✗ |
| Exploit-intel prioritisation | ✓ EPSS, CISA KEV, Coalition ESS, CWSS, Vulnetix LEV | ✗ |
| Reachability analysis | ✓ Tree-sitter + CVEAffected; direct/transitive/semantic | ✗ |
| Versioned VEX + audit trail | ✓ Immutable OpenVEX/CycloneDX, cosign-signable | ✗ |
| Safe Harbour autofix | ✓ Resolves + applies the nearest safe version | ✗ |
| End-of-life policy | ✓ Flags/blocks past-EOL runtimes & packages | ✗ |
| SSVC / risk-based policy | ✓ SSVC v2 + CISA/FedRAMP/Essential-8 presets | ✗ |
✓ full · ~ partial · ✗ not covered
What Hadolint does well
- Best-in-class Dockerfile linter: parses Dockerfiles to an AST and enforces Docker best-practice and hardening rules (avoid root, no sudo, pin package/base-image versions, no latest tag)
- Embeds ShellCheck to lint the shell inside every RUN instruction, catching quoting/injection bugs other Docker tools miss
- Fast, single static binary with SARIF/JSON output and inline-ignore support that fits pre-commit and CI gates
- Zero-config sensible defaults with an easily tunable rule set
Where Vulnetix adds to it: Hadolint lints Dockerfile source only; it never scans image layers for CVEs, and has no SCA, secrets, SBOM, malware, dedup, exploit-intel, VEX or SSVC. Vulnetix natively does container image scanning, IaC misconfig, secrets and SBOM (CycloneDX 1.7/SPDX 2.3), and ingests Hadolint's Dockerfile findings into its unified deduped, exploit-prioritised queue — a layer on top of Hadolint's authoritative Dockerfile-authoring checks.
No migration, no rip-and-replace. Hadolint keeps doing what it does best; Vulnetix adds the orchestration, exploit-intelligence prioritisation and remediation layer built for the way AppSec works today.
Centralise Hadolint results in Vulnetix
Upload Hadolint SARIF output to the Vulnetix platform to deduplicate findings, prioritise them with EPSS, CISA KEV and Coalition ESS exploit intelligence, and track remediation across every scanner in a single queue.