Dockerfile Queries List
This page contains all queries from Dockerfile.
| Query | Severity | Category | Description | Help |
|---|---|---|---|---|
| UNIX Ports Out Of Range (71bf8cf8-f0a1-42fa-b9d2-d10525e0a38e) | High | Availability | Exposing UNIX ports outside the range 0 to 65535 | Documentation |
| WORKDIR Path Not Absolute (6b376af8-cfe8-49ab-a08d-f32de23661a4) | High | Build Process | For clarity and reliability, always use absolute paths for WORKDIR | Documentation |
| Multiple ENTRYPOINT Instructions Listed (6938958b-3f1a-451c-909b-baeee14bdc97) | High | Build Process | There can only be one ENTRYPOINT instruction in a Dockerfile. Only the last ENTRYPOINT instruction in the Dockerfile will have an effect | Documentation |
| Copy With More Than Two Arguments Not Ending With Slash (6db6e0c2-32a3-4a2e-93b5-72c35f4119db) | High | Build Process | When a COPY instruction has more than two arguments, the last one (the destination) must be a directory and should end with a slash | Documentation |
| COPY '--from' References Current FROM Alias (cdddb86f-95f6-4fc4-b5a1-483d9afceb2b) | High | Build Process | COPY '--from' should not reference the current FROM alias, since a stage cannot copy from itself | Documentation |
| Same Alias In Different Froms (f2daed12-c802-49cd-afed-fe41d0b82fed) | High | Build Process | Different FROM instructions can't define the same alias | Documentation |
| Missing User Instruction (fd54f200-402c-4333-a5a4-36ef6709af2f) | High | Build Process | A USER should be specified in the Dockerfile, otherwise the image will run as root | Documentation |
| Run Using Sudo (8ada6e80-0ade-439e-b176-0b28f6bce35a) | High | Insecure Configurations | Avoid RUN with the sudo command, as it leads to unpredictable behavior | Documentation |
| Last User Is 'root' (67fd0c4a-68cf-46d7-8c41-bc9fba7e40ae) | Medium | Best Practices | Leaving the last USER as root can cause security risks. Switch to another user after running the commands that need privileges | Documentation |
| Changing Default Shell Using RUN Command (8a301064-c291-4b20-adcb-403fe7fd95fd) | Medium | Best Practices | Using RUN to override the default shell instead of the SHELL instruction leads to inefficiencies. It also makes little sense, since Docker provides the SHELL instruction for this exact purpose. | Documentation |
| Update Instruction Alone (9bae49be-0aa3-4de5-bab2-4c3a069e40cd) | Medium | Build Process | Instruction 'RUN | Documentation |
| Not Using JSON In CMD And ENTRYPOINT Arguments (b86987e1-6397-4619-81d5-8807f2387c79) | Medium | Build Process | Ensure that JSON (exec form) is used for the CMD and ENTRYPOINT arguments | Documentation |
| Multiple CMD Instructions Listed (41c195f4-fc31-4a5c-8a1b-90605538d49f) | Medium | Build Process | There can only be one CMD instruction in a Dockerfile. If more than one CMD is listed, only the last CMD will take effect | Documentation |
| RUN Instruction Using 'cd' Instead of WORKDIR (f4a6bcd3-e231-4acf-993c-aa027be50d2e) | Medium | Build Process | In a RUN instruction, 'cd' should only be used with an absolute path. For relative paths, use the WORKDIR instruction instead. | Documentation |
| Shell Running A Pipe Without Pipefail Flag (efbf148a-67e9-42d2-ac47-02fa1c0d0b22) | Medium | Insecure Defaults | Check that shell commands containing pipes (except PowerShell) have the pipefail flag set (-o pipefail). | Documentation |
| Gem Install Without Version (22cd11f7-9c6c-4f6e-84c0-02058120b341) | Medium | Supply-Chain | Instead of 'gem install | Documentation |
| Zypper Install Without Version (562952e4-0348-4dea-9826-44f3a2c6117b) | Medium | Supply-Chain | Not specifying the package version can cause failures due to unanticipated changes in required packages | Documentation |
| Image Version Using 'latest' (f45ea400-6bbe-4501-9fc7-1c3d75c32067) | Medium | Supply-Chain | When building images, always tag them with useful tags which codify version information, intended destination (prod or test, for instance), stability, or other information that is useful when deploying the application in different environments. Do not rely on the automatically created latest tag | Documentation |
| Missing Version Specification In dnf install (93d88cf7-f078-46a8-8ddc-178e03aeacf1) | Medium | Supply-Chain | Specifying a package version reduces failures due to unanticipated changes in required packages. | Documentation |
| Unpinned Package Version in Pip Install (02d9c71f-3ee8-4986-9c27-1a20d0d19bfc) | Medium | Supply-Chain | Package version pinning reduces the range of versions that can be installed, reducing the chance of failure due to unanticipated changes | Documentation |
| NPM Install Command Without Pinned Version (e36d8880-3f78-4546-b9a1-12f0745ca0d5) | Medium | Supply-Chain | Check that packages installed by npm are pinned to a specific version. | Documentation |
| Unpinned Package Version in Apk Add (d3499f6d-1651-41bb-a9a7-de925fea487b) | Medium | Supply-Chain | Package version pinning reduces the range of versions that can be installed, reducing the chance of failure due to unanticipated changes | Documentation |
| Using Platform Flag with FROM Command (b16e8501-ef3c-44e1-a543-a093238099c9) | Medium | Supply-Chain | Don't use the '--platform' flag with FROM | Documentation |
| Yum Install Allows Manual Input (6e19193a-8753-436d-8a09-76dcff91bb03) | Medium | Supply-Chain | Need to use -y to avoid manual input 'yum install -y | Documentation |
| APT-GET Missing '-y' To Avoid Manual Input (77783205-c4ca-4f80-bb80-c777f267c547) | Medium | Supply-Chain | Check that apt-get calls use the -y flag to avoid waiting for manual user input. | Documentation |
| Run Using 'wget' and 'curl' (fc775e75-fcfb-4c98-b2f2-910c5858b359) | Medium | Supply-Chain | Don't use both 'wget' and 'curl', since they are two tools with the same effect | Documentation |
| Yum install Without Version (6452c424-1d92-4deb-bb18-a03e95d579c4) | Medium | Supply-Chain | Not specifying the package version can cause failures due to unanticipated changes in required packages | Documentation |
| Missing Dnf Clean All (295acb63-9246-4b21-b441-7c1f1fb62dc0) | Medium | Supply-Chain | Cached package data should be cleaned after installation to reduce image size | Documentation |
| Image Version Not Explicit (9efb0b2d-89c9-41a3-91ca-dcc0aec911fd) | Medium | Supply-Chain | Always tag the version of an image explicitly | Documentation |
| Apt Get Install Pin Version Not Defined (965a08d7-ef86-4f14-8792-4a3b2098937e) | Medium | Supply-Chain | When installing a package, its pinned version should be defined | Documentation |
| Missing Zypper Non-interactive Switch (45e1fca5-f90e-465d-825f-c2cb63fa3944) | Medium | Supply-Chain | Omitting the non-interactive switch causes the command to fail during the build process, because zypper would expect manual input | Documentation |
| Run Using apt (b84a0b47-2e99-4c9f-8933-98bcabe2b94d) | Medium | Supply-Chain | apt is discouraged by the Linux distributions as an unattended tool, as its interface may change between versions. Use the more stable apt-get and apt-cache instead | Documentation |
| Yum Clean All Missing (00481784-25aa-4a55-8633-3136dfcf4f37) | Medium | Supply-Chain | Use 'yum clean all' after a 'yum install' command to clean cached package data and reduce image size | Documentation |
| Add Instead of Copy (9513a694-aa0d-41d8-be61-3271e056f36b) | Medium | Supply-Chain | Using ADD to load external installation scripts could let a malicious web server leverage this to deliver a malicious script. | Documentation |
| Missing Flag From Dnf Install (7ebd323c-31b7-4e5b-b26f-de5e9e477af8) | Medium | Supply-Chain | The '-y' or '--assumeyes' flag should be added when invoking dnf install. If omitted, the command can fail during the build process, because dnf would expect manual input. | Documentation |
| Pip install Keeping Cached Packages (f2f903fb-b977-461e-98d7-b3e2185c6118) | Medium | Supply-Chain | When installing packages with pip, the '--no-cache-dir' flag should be set to make Docker images smaller | Documentation |
| Missing Zypper Clean (38300d1a-feb2-4a48-936a-d1ef1cd24313) | Medium | Supply-Chain | Reduce layer and image size by deleting unneeded caches after running zypper | Documentation |
| Exposing Port 22 (SSH) (5907595b-5b6d-4142-b173-dbb0e73fbff8) | Low | Best Practices | Expose only the ports that your application needs, and avoid exposing ports like SSH (22) | Documentation |
| MAINTAINER Instruction Being Used (99614418-f82b-4852-a9ae-5051402b741c) | Low | Best Practices | The MAINTAINER instruction sets the Author field of the generated images. The LABEL instruction is a much more flexible version of this and should be used instead, as it allows setting any metadata you require and can be viewed easily | Documentation |
| Multiple RUN, ADD, COPY, Instructions Listed (0008c003-79aa-42d8-95b8-1c2fe37dbfe6) | Low | Best Practices | Multiple instructions (RUN, COPY, ADD) should be grouped in order to reduce the number of layers. | Documentation |
| Curl or Wget Instead of Add (4b410d24-1cbe-4430-a632-62c9a931cf1c) | Low | Best Practices | Use curl or wget instead of ADD to fetch packages from remote URLs, since using ADD for this is strongly discouraged | Documentation |
| Chown Flag Exists (aa93e17f-b6db-4162-9334-c70334e7ac28) | Low | Best Practices | It is considered a best practice for every executable in a container to be owned by the root user even if it is executed by a non-root user; only execute permission is required on the file, not ownership | Documentation |
| Using Unnamed Build Stages (68a51e22-ae5a-4d48-8e87-b01a323605c9) | Low | Build Process | This query ensures that build stages are named. This way, even if the Dockerfile is reordered, the COPY instruction doesn't break. | Documentation |
| Healthcheck Instruction Missing (b03a748a-542d-44f4-bb86-9199ab4fd2d5) | Low | Insecure Configurations | Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working | Documentation |
| APT-GET Not Avoiding Additional Packages (7384dfb2-fcd1-4fbf-91cd-6c44c318c33c) | Info | Supply-Chain | Check whether any apt-get install calls omit the '--no-install-recommends' flag, which avoids installing additional packages. | Documentation |
| Run Utilities And POSIX Commands (9b6b0f38-92a2-41f9-b881-3a1083d99f1b) | Info | Supply-Chain | Some POSIX commands and interactive utilities shouldn't run inside a Docker container | Documentation |
| Apt Get Install Lists Were Not Deleted (df746b39-6564-4fed-bf85-e9c44382303c) | Info | Supply-Chain | After using apt-get install, the apt-get lists should be deleted | Documentation |
| Apk Add Using Local Cache Path (ae9c56a6-3ed1-4ac0-9b54-31267f51151d) | Info | Supply-Chain | When installing packages, use the '--no-cache' switch to avoid the need to use '--update' and remove '/var/cache/apk/*' | Documentation |