Dockerfile Queries List
This page contains all queries for Dockerfile.
| Query | Severity | Category | Description | Help |
|---|---|---|---|---|
| UNIX Ports Out Of Range `71bf8cf8-f0a1-42fa-b9d2-d10525e0a38e` | High | Availability | Exposing UNIX ports out of the range 0 to 65535 | Documentation |
| Copy With More Than Two Arguments Not Ending With Slash `6db6e0c2-32a3-4a2e-93b5-72c35f4119db` | High | Build Process | When a COPY command has more than two arguments, the last one should end with a slash | Documentation |
| Same Alias In Different Froms `f2daed12-c802-49cd-afed-fe41d0b82fed` | High | Build Process | Different FROMs can't have the same alias defined | Documentation |
| COPY '--from' References Current FROM Alias `cdddb86f-95f6-4fc4-b5a1-483d9afceb2b` | High | Build Process | COPY '--from' should not mention the current FROM alias, since it is impossible to copy from itself | Documentation |
| Missing User Instruction `fd54f200-402c-4333-a5a4-36ef6709af2f` | High | Build Process | A user should be specified in the Dockerfile, otherwise the image will run as root | Documentation |
| Multiple ENTRYPOINT Instructions Listed `6938958b-3f1a-451c-909b-baeee14bdc97` | High | Build Process | There can only be one ENTRYPOINT instruction in a Dockerfile. Only the last ENTRYPOINT instruction in the Dockerfile will have an effect | Documentation |
| WORKDIR Path Not Absolute `6b376af8-cfe8-49ab-a08d-f32de23661a4` | High | Build Process | For clarity and reliability, you should always use absolute paths for your WORKDIR | Documentation |
| Run Using Sudo `8ada6e80-0ade-439e-b176-0b28f6bce35a` | High | Insecure Configurations | Avoid RUN with the sudo command, as it leads to unpredictable behavior | Documentation |
| Use of Apk Upgrade `989ab888-7d1e-410f-9dde-c64a1d367bf2` | High | Supply-Chain | Avoid usage of apk upgrade because some packages from the parent image cannot be upgraded inside an unprivileged container | Documentation |
| Yum Update Enabled `8f6456be-0018-46db-9ce6-b3b6dc8d34d2` | High | Supply-Chain | Yum update is being used | Documentation |
| Run Using Upgrade Commands `682fe378-c180-4bd5-8a14-95fc285fb269` | High | Supply-Chain | Commands 'apt-get upgrade' and 'apt-get dist-upgrade' should not be used | Documentation |
| Run Using dnf Update `09fda05e-da85-4ee7-ab8d-2800a5e6e756` | High | Supply-Chain | Command 'dnf update' should not be used, as it can cause inconsistencies between builds and failures in updated packages | Documentation |
| Last User Is 'root' `67fd0c4a-68cf-46d7-8c41-bc9fba7e40ae` | Medium | Best Practices | Leaving the last user as root can cause security risks. Change to another user after running the commands that need privileges | Documentation |
| COPY '--from' Without FROM Alias Defined Previously `68a51e22-ae5a-4d48-8e87-b01a323605c9` | Medium | Build Process | COPY command with the flag '--from' should mention a previously defined FROM alias | Documentation |
| Update Instruction Alone `9bae49be-0aa3-4de5-bab2-4c3a069e40cd` | Medium | Build Process | Instruction 'RUN | Documentation |
| Not Using JSON In CMD And ENTRYPOINT Arguments `b86987e1-6397-4619-81d5-8807f2387c79` | Medium | Build Process | Ensure that we are using JSON in the CMD and ENTRYPOINT arguments | Documentation |
| RUN Instruction Using 'cd' Instead of WORKDIR `f4a6bcd3-e231-4acf-993c-aa027be50d2e` | Medium | Build Process | Use WORKDIR instead of proliferating instructions like RUN cd … && do-something, which are hard to read, troubleshoot, and maintain. | Documentation |
| Multiple CMD Instructions Listed `41c195f4-fc31-4a5c-8a1b-90605538d49f` | Medium | Build Process | There can only be one CMD instruction in a Dockerfile. If you list more than one CMD, then only the last CMD will take effect | Documentation |
| Changing Default Shell Using SHELL Command `8a301064-c291-4b20-adcb-403fe7fd95fd` | Medium | Insecure Defaults | Using the command SHELL to override the default shell instead of the RUN command | Documentation |
| Shell Running A Pipe Without Pipefail Flag `efbf148a-67e9-42d2-ac47-02fa1c0d0b22` | Medium | Insecure Defaults | Check if shell commands with pipes (except PowerShell) have the pipefail flag set (-o). | Documentation |
| Secrets Stored In Dockerfile `c3e1b6ae-d92c-44b3-8ed5-1f5442bab6a4` | Medium | Secret Management | Scan Dockerfile to ensure that there are no secrets stored | Documentation |
| Run Using apt `b84a0b47-2e99-4c9f-8933-98bcabe2b94d` | Medium | Supply-Chain | apt is discouraged by the Linux distributions as an unattended tool, as its interface may suffer changes between versions. Better to use the more stable apt-get and apt-cache | Documentation |
| Missing Zypper Non-interactive Switch `45e1fca5-f90e-465d-825f-c2cb63fa3944` | Medium | Supply-Chain | Omitting the non-interactive switch causes the command to fail during the build process, because zypper would expect manual input | Documentation |
| Pip install Keeping Cached Packages `f2f903fb-b977-461e-98d7-b3e2185c6118` | Medium | Supply-Chain | When installing packages with pip, the '--no-cache-dir' flag should be set to make Docker images smaller | Documentation |
| Using Platform Flag with FROM Command `b16e8501-ef3c-44e1-a543-a093238099c9` | Medium | Supply-Chain | Don't use the '--platform' flag with FROM | Documentation |
| Image Version Using 'latest' `f45ea400-6bbe-4501-9fc7-1c3d75c32067` | Medium | Supply-Chain | When building images, always tag them with useful tags which codify version information, intended destination (prod or test, for instance), stability, or other information that is useful when deploying the application in different environments. Do not rely on the automatically-created latest tag | Documentation |
| Run Using Zypper Update `d4895357-dd49-4ba5-b726-1bb81cb50989` | Medium | Supply-Chain | 'zypper update' should not be used. It can cause inconsistencies between builds, producing problems for application developers | Documentation |
| Gem Install Without Version `22cd11f7-9c6c-4f6e-84c0-02058120b341` | Medium | Supply-Chain | Instead of 'gem install | Documentation |
| Missing Zypper Clean `38300d1a-feb2-4a48-936a-d1ef1cd24313` | Medium | Supply-Chain | Reduce layer and image size by deleting unneeded caches after running zypper | Documentation |
| Yum Install Allows Manual Input `6e19193a-8753-436d-8a09-76dcff91bb03` | Medium | Supply-Chain | Need to use -y to avoid manual input 'yum install -y | Documentation |
| Run Using 'wget' and 'curl' `fc775e75-fcfb-4c98-b2f2-910c5858b359` | Medium | Supply-Chain | Shouldn't use both 'wget' and 'curl', since they are two tools that have the same effect | Documentation |
| Unpinned Package Version in Apk Add `d3499f6d-1651-41bb-a9a7-de925fea487b` | Medium | Supply-Chain | Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes | Documentation |
| Yum Clean All Missing `00481784-25aa-4a55-8633-3136dfcf4f37` | Medium | Supply-Chain | Need to use 'yum clean all' after using a 'yum install' command to clean cached package data and reduce image size | Documentation |
| Missing Dnf Clean All `295acb63-9246-4b21-b441-7c1f1fb62dc0` | Medium | Supply-Chain | Cached package data should be cleaned after installation to reduce image size | Documentation |
| Apt Get Install Pin Version Not Defined `965a08d7-ef86-4f14-8792-4a3b2098937e` | Medium | Supply-Chain | When installing a package, its pin version should be defined | Documentation |
| APT-GET Missing '-y' To Avoid Manual Input `77783205-c4ca-4f80-bb80-c777f267c547` | Medium | Supply-Chain | Check if apt-get calls use the flag -y to avoid manual user input. | Documentation |
| Unpinned Package Version in Pip Install `02d9c71f-3ee8-4986-9c27-1a20d0d19bfc` | Medium | Supply-Chain | Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes | Documentation |
| Missing Flag From Dnf Install `7ebd323c-31b7-4e5b-b26f-de5e9e477af8` | Medium | Supply-Chain | The '-y' or '--assumeyes' flag should be added when invoking dnf install. If omitted, it can cause the command to fail during the build process, because dnf would expect manual input. | Documentation |
| Image Version Not Explicit `9efb0b2d-89c9-41a3-91ca-dcc0aec911fd` | Medium | Supply-Chain | Always tag the version of an image explicitly | Documentation |
| NPM Install Command Without Pinned Version `e36d8880-3f78-4546-b9a1-12f0745ca0d5` | Medium | Supply-Chain | Check if packages installed by npm are pinned to a specific version. | Documentation |
| Zypper Install Without Version `562952e4-0348-4dea-9826-44f3a2c6117b` | Medium | Supply-Chain | Not specifying the package version can cause failures due to unanticipated changes in required packages | Documentation |
| Yum install Without Version `6452c424-1d92-4deb-bb18-a03e95d579c4` | Medium | Supply-Chain | Not specifying the package version can cause failures due to unanticipated changes in required packages | Documentation |
| Missing Version Specification In dnf install `93d88cf7-f078-46a8-8ddc-178e03aeacf1` | Medium | Supply-Chain | Specifying a package version helps reduce failures due to unanticipated changes in required packages. | Documentation |
| Chown Flag Exists `aa93e17f-b6db-4162-9334-c70334e7ac28` | Low | Best Practices | If the user only needs execution permissions on the file and not ownership, don't use the --chown option | Documentation |
| Exposing Port 22 (SSH) `5907595b-5b6d-4142-b173-dbb0e73fbff8` | Low | Best Practices | Expose only the ports that your application needs and avoid exposing ports like SSH (22) | Documentation |
| MAINTAINER Instruction Being Used `99614418-f82b-4852-a9ae-5051402b741c` | Low | Best Practices | The MAINTAINER instruction sets the Author field of the generated images. The LABEL instruction is a much more flexible version of this and you should use it instead, as it enables setting any metadata you require, and can be viewed easily | Documentation |
| Curl or Wget Instead of Add `4b410d24-1cbe-4430-a632-62c9a931cf1c` | Low | Best Practices | Use curl or wget instead of ADD to fetch packages from remote URLs, because using ADD for this is strongly discouraged | Documentation |
| Multiple RUN, ADD, COPY, Instructions Listed `0008c003-79aa-42d8-95b8-1c2fe37dbfe6` | Low | Best Practices | Multiple commands (RUN, COPY, ADD) should be grouped in order to reduce the number of layers. | Documentation |
| Add Instead of Copy `9513a694-aa0d-41d8-be61-3271e056f36b` | Low | Build Process | Should use COPY instead of ADD, unless extracting a tar file | Documentation |
| Healthcheck Instruction Missing `b03a748a-542d-44f4-bb86-9199ab4fd2d5` | Low | Insecure Configurations | Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working | Documentation |
| Apt Get Install Lists Were Not Deleted `df746b39-6564-4fed-bf85-e9c44382303c` | Info | Supply-Chain | After using apt-get install, the apt-get lists need to be deleted | Documentation |
| Run Utilities And POSIX Commands `9b6b0f38-92a2-41f9-b881-3a1083d99f1b` | Info | Supply-Chain | Some POSIX commands and interactive utilities shouldn't run inside a Docker container | Documentation |
| APT-GET Not Avoiding Additional Packages `7384dfb2-fcd1-4fbf-91cd-6c44c318c33c` | Info | Supply-Chain | Check if any apt-get installs don't use the '--no-install-recommends' flag to avoid installing additional packages. | Documentation |
| Apk Add Using Local Cache Path `ae9c56a6-3ed1-4ac0-9b54-31267f51151d` | Info | Supply-Chain | When installing packages, use the '--no-cache' switch to avoid the need to use '--update' and remove '/var/cache/apk/*' | Documentation |