Dockerfile

Dockerfile Queries List

This page contains all queries from Dockerfile.

| Query | ID | Severity | Category | Description |
|---|---|---|---|---|
| UNIX Ports Out Of Range | 71bf8cf8-f0a1-42fa-b9d2-d10525e0a38e | High | Availability | Exposing UNIX ports outside the range 0 to 65535 |
| WORKDIR Path Not Absolute | 6b376af8-cfe8-49ab-a08d-f32de23661a4 | High | Build Process | For clarity and reliability, you should always use absolute paths for your WORKDIR |
| COPY '--from' References Current FROM Alias | cdddb86f-95f6-4fc4-b5a1-483d9afceb2b | High | Build Process | COPY '--from' should not reference the current FROM alias, since it is impossible to copy a stage from itself |
| Copy With More Than Two Arguments Not Ending With Slash | 6db6e0c2-32a3-4a2e-93b5-72c35f4119db | High | Build Process | When a COPY command has more than two arguments, the last one should end with a slash |
| Same Alias In Different Froms | f2daed12-c802-49cd-afed-fe41d0b82fed | High | Build Process | Different FROMs can't have the same alias defined |
| Multiple ENTRYPOINT Instructions Listed | 6938958b-3f1a-451c-909b-baeee14bdc97 | High | Build Process | There can only be one ENTRYPOINT instruction in a Dockerfile. Only the last ENTRYPOINT instruction in the Dockerfile will have an effect |
| Missing User Instruction | fd54f200-402c-4333-a5a4-36ef6709af2f | High | Build Process | A user should be specified in the Dockerfile, otherwise the image will run as root |
| Run Using Sudo | 8ada6e80-0ade-439e-b176-0b28f6bce35a | High | Insecure Configurations | Avoid RUN with the sudo command, as it leads to unpredictable behavior |
| Vulnerable OpenSSL Version | 5fa731ea-e844-47a6-a1e8-abc25e95847e | High | Supply-Chain | OpenSSL versions from 3.0.0 to 3.0.5 are affected by a critical vulnerability |
| Changing Default Shell Using RUN Command | 8a301064-c291-4b20-adcb-403fe7fd95fd | Medium | Best Practices | Using the RUN command to override the default shell instead of the SHELL command leads to inefficiencies. It also does not make sense, since Docker provides the SHELL command for this exact purpose. |
| Last User Is 'root' | 67fd0c4a-68cf-46d7-8c41-bc9fba7e40ae | Medium | Best Practices | Leaving the last user as root can cause security risks. Change to another user after running the commands that need privileges |
| Multiple CMD Instructions Listed | 41c195f4-fc31-4a5c-8a1b-90605538d49f | Medium | Build Process | There can only be one CMD instruction in a Dockerfile. If you list more than one CMD, only the last CMD will take effect |
| Update Instruction Alone | 9bae49be-0aa3-4de5-bab2-4c3a069e40cd | Medium | Build Process | Instruction 'RUN update' should always be followed by ' install' in the same RUN statement |
| Not Using JSON In CMD And ENTRYPOINT Arguments | b86987e1-6397-4619-81d5-8807f2387c79 | Medium | Build Process | Ensure that JSON (exec) form is used for the CMD and ENTRYPOINT arguments |
| RUN Instruction Using 'cd' Instead of WORKDIR | f4a6bcd3-e231-4acf-993c-aa027be50d2e | Medium | Build Process | When using the RUN command, 'cd' should only be used with a full path. For a relative path, use the WORKDIR command instead. |
| Shell Running A Pipe Without Pipefail Flag | efbf148a-67e9-42d2-ac47-02fa1c0d0b22 | Medium | Insecure Defaults | Check if shell commands with pipes (except PowerShell) have the pipefail flag set (-o). |
| Apt Get Install Pin Version Not Defined | 965a08d7-ef86-4f14-8792-4a3b2098937e | Medium | Supply-Chain | When installing a package, its pinned version should be defined |
| Missing Zypper Clean | 38300d1a-feb2-4a48-936a-d1ef1cd24313 | Medium | Supply-Chain | Reduce layer and image size by deleting unneeded caches after running zypper |
| APT-GET Missing '-y' To Avoid Manual Input | 77783205-c4ca-4f80-bb80-c777f267c547 | Medium | Supply-Chain | Check if apt-get calls use the -y flag to avoid manual user input. |
| Image Version Using 'latest' | f45ea400-6bbe-4501-9fc7-1c3d75c32067 | Medium | Supply-Chain | When building images, always tag them with useful tags which codify version information, intended destination (prod or test, for instance), stability, or other information that is useful when deploying the application in different environments. Do not rely on the automatically-created latest tag |
| Run Using apt | b84a0b47-2e99-4c9f-8933-98bcabe2b94d | Medium | Supply-Chain | apt is discouraged by the Linux distributions as an unattended tool, as its interface may change between versions. It is better to use the more stable apt-get and apt-cache |
| Unpinned Package Version in Apk Add | d3499f6d-1651-41bb-a9a7-de925fea487b | Medium | Supply-Chain | Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes |
| Missing Version Specification In dnf install | 93d88cf7-f078-46a8-8ddc-178e03aeacf1 | Medium | Supply-Chain | Specifying a package version helps reduce failures due to unanticipated changes in required packages. |
| Using Platform Flag with FROM Command | b16e8501-ef3c-44e1-a543-a093238099c9 | Medium | Supply-Chain | Don't use the '--platform' flag with FROM |
| Missing Zypper Non-interactive Switch | 45e1fca5-f90e-465d-825f-c2cb63fa3944 | Medium | Supply-Chain | Omitting the non-interactive switch causes the command to fail during the build process, because zypper would expect manual input |
| NPM Install Command Without Pinned Version | e36d8880-3f78-4546-b9a1-12f0745ca0d5 | Medium | Supply-Chain | Check if packages installed by npm are pinned to a specific version. |
| Add Instead of Copy | 9513a694-aa0d-41d8-be61-3271e056f36b | Medium | Supply-Chain | Using ADD to load external installation scripts could let a malicious web server leverage this and serve a malicious script. |
| Yum Clean All Missing | 00481784-25aa-4a55-8633-3136dfcf4f37 | Medium | Supply-Chain | 'yum clean all' should be used after a 'yum install' command to clean cached package data and reduce image size |
| Pip install Keeping Cached Packages | f2f903fb-b977-461e-98d7-b3e2185c6118 | Medium | Supply-Chain | When installing packages with pip, the '--no-cache-dir' flag should be set to make Docker images smaller |
| Unpinned Package Version in Pip Install | 02d9c71f-3ee8-4986-9c27-1a20d0d19bfc | Medium | Supply-Chain | Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes |
| Missing Dnf Clean All | 295acb63-9246-4b21-b441-7c1f1fb62dc0 | Medium | Supply-Chain | Cached package data should be cleaned after installation to reduce image size |
| Yum install Without Version | 6452c424-1d92-4deb-bb18-a03e95d579c4 | Medium | Supply-Chain | Not specifying the package version can cause failures due to unanticipated changes in required packages |
| Missing Flag From Dnf Install | 7ebd323c-31b7-4e5b-b26f-de5e9e477af8 | Medium | Supply-Chain | The '-y' or '--assumeyes' flag should be added when invoking dnf install. If omitted, the command can fail during the build process, because dnf would expect manual input. |
| Gem Install Without Version | 22cd11f7-9c6c-4f6e-84c0-02058120b341 | Medium | Supply-Chain | Instead of 'gem install ' we should use 'gem install :' |
| Image Version Not Explicit | 9efb0b2d-89c9-41a3-91ca-dcc0aec911fd | Medium | Supply-Chain | Always tag the version of an image explicitly |
| Run Using 'wget' and 'curl' | fc775e75-fcfb-4c98-b2f2-910c5858b359 | Medium | Supply-Chain | Both 'wget' and 'curl' shouldn't be used, since they are two tools that have the same effect |
| Yum Install Allows Manual Input | 6e19193a-8753-436d-8a09-76dcff91bb03 | Medium | Supply-Chain | -y must be used to avoid manual input: 'yum install -y ' |
| Zypper Install Without Version | 562952e4-0348-4dea-9826-44f3a2c6117b | Medium | Supply-Chain | Not specifying the package version can cause failures due to unanticipated changes in required packages |
| Chown Flag Exists | aa93e17f-b6db-4162-9334-c70334e7ac28 | Low | Best Practices | It is considered a best practice for every executable in a container to be owned by the root user even if it is executed by a non-root user; only execution permissions are required on the file, not ownership |
| Exposing Port 22 (SSH) | 5907595b-5b6d-4142-b173-dbb0e73fbff8 | Low | Best Practices | Expose only the ports that your application needs and avoid exposing ports like SSH (22) |
| Curl or Wget Instead of Add | 4b410d24-1cbe-4430-a632-62c9a931cf1c | Low | Best Practices | Curl or Wget should be used instead of ADD to fetch packages from remote URLs, since using ADD for this is strongly discouraged |
| Multiple RUN, ADD, COPY, Instructions Listed | 0008c003-79aa-42d8-95b8-1c2fe37dbfe6 | Low | Best Practices | Multiple commands (RUN, COPY, ADD) should be grouped in order to reduce the number of layers. |
| MAINTAINER Instruction Being Used | 99614418-f82b-4852-a9ae-5051402b741c | Low | Best Practices | The MAINTAINER instruction sets the Author field of the generated images. The LABEL instruction is a much more flexible version of this and you should use it instead, as it enables setting any metadata you require, and can be viewed easily |
| Using Unnamed Build Stages | 68a51e22-ae5a-4d48-8e87-b01a323605c9 | Low | Build Process | This query is used to ensure that build stages are named. This way, even if the Dockerfile is re-ordered, the COPY instruction doesn't break. |
| Healthcheck Instruction Missing | b03a748a-542d-44f4-bb86-9199ab4fd2d5 | Low | Insecure Configurations | Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working |
| Apk Add Using Local Cache Path | ae9c56a6-3ed1-4ac0-9b54-31267f51151d | Info | Supply-Chain | When installing packages, use the '--no-cache' switch to avoid the need to use '--update' and remove '/var/cache/apk/*' |
| Apt Get Install Lists Were Not Deleted | df746b39-6564-4fed-bf85-e9c44382303c | Info | Supply-Chain | After using apt-get install, the apt-get lists should be deleted |
| Run Utilities And POSIX Commands | 9b6b0f38-92a2-41f9-b881-3a1083d99f1b | Info | Supply-Chain | Some POSIX commands and interactive utilities shouldn't run inside a Docker container |
| APT-GET Not Avoiding Additional Packages | 7384dfb2-fcd1-4fbf-91cd-6c44c318c33c | Info | Supply-Chain | Check if any apt-get installs don't use the '--no-install-recommends' flag to avoid installing additional packages. |