Skip to content

Dockerfile

Dockerfile Queries List

This page contains all queries from Dockerfile.

Query Severity Category Description Help
UNIX Ports Out Of Range
71bf8cf8-f0a1-42fa-b9d2-d10525e0a38e
High Availability Exposing UNIX ports out of range from 0 to 65535 Documentation
Missing User Instruction
fd54f200-402c-4333-a5a4-36ef6709af2f
High Build Process A user should be specified in the dockerfile, otherwise the image will run as root Documentation
COPY '--from' References Current FROM Alias
cdddb86f-95f6-4fc4-b5a1-483d9afceb2b
High Build Process COPY '--from' should not mention the current FROM alias, since it is impossible to copy from itself Documentation
Same Alias In Different Froms
f2daed12-c802-49cd-afed-fe41d0b82fed
High Build Process Different FROMS cant have the same alias defined Documentation
Multiple ENTRYPOINT Instructions Listed
6938958b-3f1a-451c-909b-baeee14bdc97
High Build Process There can only be one ENTRYPOINT instruction in a Dockerfile. Only the last ENTRYPOINT instruction in the Dockerfile will have an effect Documentation
WORKDIR Path Not Absolute
6b376af8-cfe8-49ab-a08d-f32de23661a4
High Build Process For clarity and reliability, you should always use absolute paths for your WORKDIR Documentation
Copy With More Than Two Arguments Not Ending With Slash
6db6e0c2-32a3-4a2e-93b5-72c35f4119db
High Build Process When a COPY command has more than two arguments, the last one should end with a slash Documentation
Run Using Sudo
8ada6e80-0ade-439e-b176-0b28f6bce35a
High Insecure Configurations Avoid RUN with sudo command as it leads to unpredictable behavior Documentation
Run Using dnf Update
09fda05e-da85-4ee7-ab8d-2800a5e6e756
High Supply-Chain Command 'dnf update' should not be used, as it can cause inconsistencies between builds and fails in updated packages Documentation
Yum Update Enabled
8f6456be-0018-46db-9ce6-b3b6dc8d34d2
High Supply-Chain Yum update is being used Documentation
Use of Apk Upgrade
989ab888-7d1e-410f-9dde-c64a1d367bf2
High Supply-Chain Avoid usage of apk upgrade because some packages from the parent image cannot be upgraded inside an unprivileged container Documentation
Run Using Upgrade Commands
682fe378-c180-4bd5-8a14-95fc285fb269
High Supply-Chain Commands 'apt-get upgrade' and 'apt-get dist-upgrade' should not be used Documentation
Last User Is 'root'
67fd0c4a-68cf-46d7-8c41-bc9fba7e40ae
Medium Best Practices Leaving the last user as root can cause security risks. Change to another user after running the commands the need privileges Documentation
Not Using JSON In CMD And ENTRYPOINT Arguments
b86987e1-6397-4619-81d5-8807f2387c79
Medium Build Process Ensure that we are using JSON in the CMD and ENTRYPOINT Arguments Documentation
RUN Instruction Using 'cd' Instead of WORKDIR
f4a6bcd3-e231-4acf-993c-aa027be50d2e
Medium Build Process Use WORKDIR instead of proliferating instructions like RUN cd … && do-something, which are hard to read, troubleshoot, and maintain. Documentation
Multiple CMD Instructions Listed
41c195f4-fc31-4a5c-8a1b-90605538d49f
Medium Build Process There can only be one CMD instruction in a Dockerfile. If you list more than one CMD then only the last CMD will take effect Documentation
Update Instruction Alone
9bae49be-0aa3-4de5-bab2-4c3a069e40cd
Medium Build Process Instruction 'RUN update' should always be followed by ' install' in the same RUN statement Documentation
COPY '--from' Without FROM Alias Defined Previously
68a51e22-ae5a-4d48-8e87-b01a323605c9
Medium Build Process COPY command with the flag '--from' should mention a previously defined FROM alias Documentation
Shell Running A Pipe Without Pipefail Flag
efbf148a-67e9-42d2-ac47-02fa1c0d0b22
Medium Insecure Defaults Check if shell commands with pipes (except Powershell) have the pipefail flag set (-o). Documentation
Changing Default Shell Using SHELL Command
8a301064-c291-4b20-adcb-403fe7fd95fd
Medium Insecure Defaults Using the command SHELL to override the default shell instead of the RUN command Documentation
Image Version Not Explicit
9efb0b2d-89c9-41a3-91ca-dcc0aec911fd
Medium Supply-Chain Always tag the version of an image explicitly Documentation
Image Version Using 'latest'
f45ea400-6bbe-4501-9fc7-1c3d75c32067
Medium Supply-Chain When building images, always tag them with useful tags which codify version information, intended destination (prod or test, for instance), stability, or other information that is useful when deploying the application in different environments. Do not rely on the automatically-created latest tag Documentation
APT-GET Missing '-y' To Avoid Manual Input
77783205-c4ca-4f80-bb80-c777f267c547
Medium Supply-Chain Check if apt-get calls use the flag -y to avoid user manual input. Documentation
Missing Dnf Clean All
295acb63-9246-4b21-b441-7c1f1fb62dc0
Medium Supply-Chain Cached package data should be cleaned after installation to reduce image size Documentation
Missing Flag From Dnf Install
7ebd323c-31b7-4e5b-b26f-de5e9e477af8
Medium Supply-Chain The '-y' or '--assumeyes' flag should be added when invoking dnf install. If omitted, it can cause the command to fail during the build process, because dnf would expect manual input. Documentation
Pip install Keeping Cached Packages
f2f903fb-b977-461e-98d7-b3e2185c6118
Medium Supply-Chain When installing packages with pip, the '--no-cache-dir' flag should be set to make Docker images smaller Documentation
Zypper Install Without Version
562952e4-0348-4dea-9826-44f3a2c6117b
Medium Supply-Chain Not specifying the package version can cause failures due to unanticipated changes in required packages Documentation
Using Platform Flag with FROM Command
b16e8501-ef3c-44e1-a543-a093238099c9
Medium Supply-Chain Don't use '--platform' flag with FROM Documentation
Yum Clean All Missing
00481784-25aa-4a55-8633-3136dfcf4f37
Medium Supply-Chain Need to use 'yum clean all' after using a 'yum install' command to clean package cached data and reduce image size Documentation
Missing Zypper Non-interactive Switch
45e1fca5-f90e-465d-825f-c2cb63fa3944
Medium Supply-Chain Omitting the non-interactive switch causes the command to fail during the build process, because zypper would expect manual input Documentation
Yum Install Allows Manual Input
6e19193a-8753-436d-8a09-76dcff91bb03
Medium Supply-Chain Need to use -y to avoid manual input 'yum install -y ' Documentation
Run Using Zypper Update
d4895357-dd49-4ba5-b726-1bb81cb50989
Medium Supply-Chain 'zypper update' should not be used. Can cause inconsistencies between builds, producing problems for application developers Documentation
Gem Install Without Version
22cd11f7-9c6c-4f6e-84c0-02058120b341
Medium Supply-Chain Instead of 'gem install ' we should use 'gem install :' Documentation
Missing Zypper Clean
38300d1a-feb2-4a48-936a-d1ef1cd24313
Medium Supply-Chain Reduce layer and image size by deleting unneeded caches after running zypper Documentation
NPM Install Command Without Pinned Version
e36d8880-3f78-4546-b9a1-12f0745ca0d5
Medium Supply-Chain Check if packages installed by npm are pinning a specific version. Documentation
Run Using apt
b84a0b47-2e99-4c9f-8933-98bcabe2b94d
Medium Supply-Chain apt is discouraged by the linux distributions as an unattended tool as its interface may suffer changes between versions. Better use the more stable apt-get and apt-cache Documentation
Unpinned Package Version in Pip Install
02d9c71f-3ee8-4986-9c27-1a20d0d19bfc
Medium Supply-Chain Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes Documentation
Apt Get Install Pin Version Not Defined
965a08d7-ef86-4f14-8792-4a3b2098937e
Medium Supply-Chain When installing a package, its pin version should be defined Documentation
Unpinned Package Version in Apk Add
d3499f6d-1651-41bb-a9a7-de925fea487b
Medium Supply-Chain Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes Documentation
Missing Version Specification In dnf install
93d88cf7-f078-46a8-8ddc-178e03aeacf1
Medium Supply-Chain Specifying a package version allows to reduce failures due to unanticipated changes in required packages. Documentation
Yum install Without Version
6452c424-1d92-4deb-bb18-a03e95d579c4
Medium Supply-Chain Not specifying the package version can cause failures due to unanticipated changes in required packages Documentation
Run Using 'wget' and 'curl'
fc775e75-fcfb-4c98-b2f2-910c5858b359
Medium Supply-Chain Shouldn't use both 'wget' and 'curl' since they are two tools that have the same effect Documentation
Multiple RUN, ADD, COPY, Instructions Listed
0008c003-79aa-42d8-95b8-1c2fe37dbfe6
Low Best Practices Multiple commands (RUN, Copy, And) should be grouped in order to reduce the number of layers. Documentation
Chown Flag Exists
aa93e17f-b6db-4162-9334-c70334e7ac28
Low Best Practices If the user only needs execution permissions on the file and not ownership, don't use --chown option Documentation
Curl or Wget Instead of Add
4b410d24-1cbe-4430-a632-62c9a931cf1c
Low Best Practices Use Curl or Wget instead of Add to fetch packages from remote URLs, because using Add is strongly discouraged Documentation
Exposing Port 22 (SSH)
5907595b-5b6d-4142-b173-dbb0e73fbff8
Low Best Practices Expose only the ports that your application needs and avoid exposing ports like SSH (22) Documentation
MAINTAINER Instruction Being Used
99614418-f82b-4852-a9ae-5051402b741c
Low Best Practices The MAINTAINER instruction sets the Author field of the generated images. The LABEL instruction is a much more flexible version of this and you should use it instead, as it enables setting any metadata you require, and can be viewed easily Documentation
Add Instead of Copy
9513a694-aa0d-41d8-be61-3271e056f36b
Low Build Process Should use COPY instead of ADD unless, running a tar file Documentation
Healthcheck Instruction Missing
b03a748a-542d-44f4-bb86-9199ab4fd2d5
Low Insecure Configurations Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working Documentation
Run Utilities And POSIX Commands
9b6b0f38-92a2-41f9-b881-3a1083d99f1b
Info Supply-Chain Some POSIX commands and interactive utilities shouldn't run inside a Docker Container Documentation
Apk Add Using Local Cache Path
ae9c56a6-3ed1-4ac0-9b54-31267f51151d
Info Supply-Chain When installing packages, use the '--no-cache' switch to avoid the need to use '--update' and remove '/var/cache/apk/*' Documentation
APT-GET Not Avoiding Additional Packages
7384dfb2-fcd1-4fbf-91cd-6c44c318c33c
Info Supply-Chain Check if any apt-get installs don't use '--no-install-recommends' flag to avoid installing additional packages. Documentation
Apt Get Install Lists Were Not Deleted
df746b39-6564-4fed-bf85-e9c44382303c
Info Supply-Chain After using apt-get install, it is needed to delete apt-get lists Documentation