Tool integration

Hadolint Integration Guide

Dockerfile linter with security best practices

Get a Free API Key

Integrate Hadolint with Vulnetix. Lint Dockerfiles for security best practices and upload SARIF results.

DockerfileCLI toolSARIF

Install & scan

$ uv run --with hadolint-py hadolint --version
$ uv run --with hadolint-py hadolint -f sarif Dockerfile > hadolint.sarif

Run Hadolint in CI

Scan on every push and upload the results to Vulnetix:

- name: Run Hadolint
  run: |
    pip install hadolint-py
    hadolint -f sarif Dockerfile > hadolint.sarif

- name: Upload to Vulnetix
  run: vulnetix upload --file hadolint.sarif

How Vulnetix compares — better together

Vulnetix does not replace Hadolint. Keep running it. Vulnetix sits on top of Hadolint — and every other scanner you already own — turning disconnected tool outputs into one prioritised, fixable queue.

Hadolint is strongest at its core category and also carries features in IaC & Cloud Configuration, SAST — just like Vulnetix spans categories.

CapabilityVulnetixHadolint
Security coverage
SAST (static code analysis)Built-in rules + Semgrep augmentation~ ShellCheck integration statically analyses shell in RUN blocks
SCA / dependencies40+ ecosystems, transitive graph
DAST (dynamic testing)~ Ingests DAST results; no native dynamic engine
Container & imageImage CVEs, base image, Dockerfile~ Lints Dockerfile source for build-time hardening/best-practice; does NOT scan built images or their package CVEs
IaC / misconfigurationTerraform, k8s, CloudFormation~ Dockerfile is build-infra config; checks misconfig-style rules but only for Dockerfiles, not Terraform/k8s/cloud
Secret scanning1,000+ rules, source + binary + git history
Cloud / CSPMCloud-posture findings, compliance tab
Mobile (MAST)~ Ingests mobile scanner output; no native mobile engine
License complianceSPDX, copyleft/AGPL/SSPL policy
SBOM generationCycloneDX 1.7 + SPDX 2.3, cosign-signable
Malware / supply-chainDe-duplicated corpus + install-time firewall (25+ registries)
Network / infra vuln~ Ingests network scanner output; no native network scanner
FuzzingIngests fuzzing crashes; no native fuzzer
Pentest / bug bountyIngests pentest/bug-bounty findings; not a testing service
The Vulnetix orchestration layer
Cross-scanner dedup & one queue (ASPM)Correlates every scanner into one prioritised queue with ownership routing
Exploit-intel prioritisationEPSS, CISA KEV, Coalition ESS, CWSS, Vulnetix LEV
Reachability analysisTree-sitter + CVEAffected; direct/transitive/semantic
Versioned VEX + audit trailImmutable OpenVEX/CycloneDX, cosign-signable
Safe Harbour autofixResolves + applies the nearest safe version
End-of-life policyFlags/blocks past-EOL runtimes & packages
SSVC / risk-based policySSVC v2 + CISA/FedRAMP/Essential-8 presets

✓ full · ~ partial · ✗ not covered

What Hadolint does well

Where Vulnetix adds to it: Hadolint lints Dockerfile source only; it never scans image layers for CVEs, and has no SCA, secrets, SBOM, malware, dedup, exploit-intel, VEX or SSVC. Vulnetix natively does container image scanning, IaC misconfig, secrets and SBOM (CycloneDX 1.7/SPDX 2.3), and ingests Hadolint's Dockerfile findings into its unified deduped, exploit-prioritised queue — a layer on top of Hadolint's authoritative Dockerfile-authoring checks.

No migration, no rip-and-replace. Hadolint keeps doing what it does best; Vulnetix adds the orchestration, exploit-intelligence prioritisation and remediation layer built for the way AppSec works today.

Centralise Hadolint results in Vulnetix

Upload Hadolint SARIF output to the Vulnetix platform to deduplicate findings, prioritise them with EPSS, CISA KEV and Coalition ESS exploit intelligence, and track remediation across every scanner in a single queue.

Hadolint documentation ↗  ·  Source repository ↗

Wire Hadolint into your CI/CD pipeline →