Multiple RUN, ADD, COPY, Instructions Listed
- Query id: 0008c003-79aa-42d8-95b8-1c2fe37dbfe6
- Query name: Multiple RUN, ADD, COPY, Instructions Listed
- Platform: Dockerfile
- Severity: Low
- Category: Best Practices
- CWE: 710
- URL: Github
Description
Multiple RUN, COPY, or ADD instructions should be grouped into a single instruction where possible, since each one creates a new image layer.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - dockerfile file
FROM ubuntu
RUN apt-get install -y wget
RUN wget https://…/downloadedfile.tar
RUN tar xvzf downloadedfile.tar
RUN rm downloadedfile.tar
RUN apt-get remove wget
Positive test num. 2 - dockerfile file
FROM ubuntu
COPY README.md ./
COPY package.json ./
COPY gulpfile.js ./
COPY __BUILD_NUMBER ./
Positive test num. 3 - dockerfile file
FROM ubuntu
ADD cairo.spec /rpmbuild/SOURCES
ADD cairo-1.13.1.tar.xz /rpmbuild/SOURCES
ADD cairo-multilib.patch /rpmbuild/SOURCES
Code samples without security vulnerabilities
Negative test num. 1 - dockerfile file
FROM ubuntu
RUN apt-get install wget && wget https://…/downloadedfile.tar && tar xvzf downloadedfile.tar && rm downloadedfile.tar && apt-get remove wget
Negative test num. 2 - dockerfile file
FROM ubuntu
COPY README.md package.json gulpfile.js __BUILD_NUMBER ./
Negative test num. 3 - dockerfile file
FROM ubuntu
ADD cairo.spec cairo-1.13.1.tar.xz cairo-multilib.patch /rpmbuild/SOURCES
Negative test num. 4 - dockerfile file
Negative test num. 5 - dockerfile file
FROM golang:1.16 AS builder
WORKDIR /go/src/github.com/foo/href-counter/
RUN go get -d -v golang.org/x/net/html
COPY app.go ./
RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
ADD cairo.spec /rpmbuild/SOURCES
ADD cairo-1.13.1.tar.xz /rpmbuild/SOURCES
FROM alpine:latest
RUN apk --no-cache add ca-certificates
WORKDIR /root/
COPY --from=builder /go/src/github.com/foo/href-counter/app ./
CMD ["./app"]
RUN useradd -ms /bin/bash patrick
USER patrick
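A simplified stand-alone check for this rule, as an added example (not the query's own implementation): it reports runs of consecutive RUN instructions, and consecutive COPY or ADD instructions that share the same flags and destination. The function names and the grouping heuristic are assumptions made here; the two embedded samples are positive and negative test 2 from this page.

```python
GROUPABLE = {"RUN", "COPY", "ADD"}

# Positive and negative test 2 from this page.
POSITIVE_2 = """FROM ubuntu
COPY README.md ./
COPY package.json ./
COPY gulpfile.js ./
COPY __BUILD_NUMBER ./
"""
NEGATIVE_2 = "FROM ubuntu\nCOPY README.md package.json gulpfile.js __BUILD_NUMBER ./\n"

def logical_lines(text):
    """Yield (first_line_no, instruction), joining backslash continuations."""
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # skip blank lines and comments
            continue
        if not buf:
            start = no
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, buf + line
        buf = ""

def group_key(instr):
    """Assumed heuristic: instructions with equal keys could be merged."""
    parts = instr.split()
    cmd = parts[0].upper()
    if cmd not in GROUPABLE:
        return None
    if cmd == "RUN":
        return (cmd,)
    flags = tuple(p for p in parts[1:] if p.startswith("--"))
    return (cmd, flags, parts[-1])  # shell form: last token is the destination

def find_ungrouped(text):
    """Return [(instruction, first_line, count)] for runs of 2+ mergeable instructions."""
    findings, prev, first, count = [], None, 0, 0
    # The trailing sentinel flushes a run that ends at the last line.
    for no, instr in list(logical_lines(text)) + [(0, "END")]:
        key = group_key(instr)
        if key is not None and key == prev:
            count += 1
            continue
        if prev is not None and count > 1:
            findings.append((prev[0], first, count))
        prev, first, count = key, no, 1
    return findings
```

A FROM line or any other instruction between two candidates ends the run, so instructions in different build stages are never grouped together.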