Static code analysis of Dockerfiles?

I was wondering if there is any tool support for analyzing the content of Dockerfiles. Syntax checks of course, but also highlighting references to older packages that need to be updated.

I'm using SonarQube for static code analysis for other code but if it does not support it (I could not find any information that it does), is there is any other tool that does this?

Solution

Although this question is 2 years old, however there are two ways to do static analysis of the Dockerfile.

using FromLatest
using Hadolint

Option#2 is mostly preferable since this can be used as an automated process inside CICD pipelines.

Hadolint also provide ways to exclude messages/errors using ".hadolint.yml"

Nginx Reverse proxy to Sonarqube not working. Getting 500 error
SonarQube with shallow clone warning even with shallow disabled on Jenkins build
How to integrate Sonar Quality Gates with Gitlab-CI
SonarQube ignores settings file
SonarQube community edition for commercial project
How to handle TODO comments when sonar error is encountered
JDBC settings not applied when deploying from SonarQube Helm Chart
Test coverage: import statements not covered
Collection-specific "Exists" method should be used instead of the "Any" extension error
What does the "leak period" mean in sonarQube?
Sonarqube and Cucumber features
SonarQube - how to run the code analysis again for a project after creating that project
Issue Migrating SonarQube Database from aws Internal PostgreSQL to AWS RDS PostgreSQL
SonarQube warning: A "NullPointerException" could be thrown; "getBody()" can return null
SonarQube docker container can't start, elasticsearch issue
Exclude configured in pom.xml for jacoco and exclude files in sonar
Cross-module code coverage with jacoco and gradle multi-module project
Unable to start SonarQube, Getting Error in Terminal
CentOS/SwarmPit/Docker/Sonarqube error on startup: max virtual memory areas vm.max_map_count [65530] is too low, increase to at least [262144]
Why is SonarQube ignoring coverage data by gcovr from C++ files?
Using a parameter's property in an ArgumentException
What is the difference between SonarQube and Checkmarx CxSAST & CxSCA?
SonarLint on Optional.ofNullable: A "NullPointerException" could be thrown
Format thousand separator properly without regex
Handling space in module name sonarqube runner
Sonarqube: Missing blame information for the following files
How to configure multi-module Maven + Sonar + JaCoCo to give merged coverage report?
sonar.host.url not working with sonar-maven-plugin:2.7
sonar-scanner error java.lang.IllegalStateException: Failed to index files, caused by java.nio.file.AccessDeniedException
Forgot sonarqube password. Using it locally, No Database