Dockerfile Queries List

This page lists all queries for the Dockerfile platform.

| Query | Severity | Category | Description |
|---|---|---|---|
| UNIX Ports Out Of Range | High | Availability | Exposing UNIX ports outside the range 0 to 65535 |
| Copy With More Than Two Arguments Not Ending With Slash | High | Build Process | When a COPY command has more than two arguments, the last one should end with a slash |
| WORKDIR Path Not Absolute | High | Build Process | For clarity and reliability, you should always use absolute paths for your WORKDIR |
| Same Alias In Different Froms | High | Build Process | Different FROMs can't have the same alias defined |
| Missing User Instruction | High | Build Process | A user should be specified in the Dockerfile, otherwise the image will run as root |
| COPY '--from' References Current FROM Alias | High | Build Process | COPY '--from' should not reference the current FROM alias, since it is impossible to copy from itself |
| Multiple ENTRYPOINT Instructions Listed | High | Build Process | There can only be one ENTRYPOINT instruction in a Dockerfile. Only the last ENTRYPOINT instruction in the Dockerfile will have an effect |
| Run Using Sudo | High | Insecure Configurations | Avoid RUN with the sudo command, as it leads to unpredictable behavior |
| Vulnerable OpenSSL Version | High | Supply-Chain | OpenSSL versions from 3.0.0 to 3.0.5 are affected by a critical vulnerability |
| Changing Default Shell Using RUN Command | Medium | Best Practices | Using the RUN command to override the default shell instead of the SHELL command leads to inefficiencies. It also does not make sense, since Docker provides the SHELL command for this exact purpose. |
| Last User Is 'root' | Medium | Best Practices | Leaving the last user as root can cause security risks. Change to another user after running the commands that need privileges |
| Not Using JSON In CMD And ENTRYPOINT Arguments | Medium | Build Process | Ensure that JSON form is used for the CMD and ENTRYPOINT arguments |
| Multiple CMD Instructions Listed | Medium | Build Process | There can only be one CMD instruction in a Dockerfile. If you list more than one CMD, then only the last CMD will take effect |
| Update Instruction Alone | Medium | Build Process | Instruction 'RUN <package-manager> update' should always be followed by '<package-manager> install' in the same RUN statement |
| RUN Instruction Using 'cd' Instead of WORKDIR | Medium | Build Process | When using the RUN command, 'cd' should only be used with a full path. For a relative path, use the WORKDIR command instead. |
| Shell Running A Pipe Without Pipefail Flag | Medium | Insecure Defaults | Check that shell commands with pipes (except PowerShell) have the pipefail flag set (-o pipefail). |
| Run Using apt | Medium | Supply-Chain | apt is discouraged by the Linux distributions as an unattended tool, as its interface may change between versions. Prefer the more stable apt-get and apt-cache |
| Missing Zypper Non-interactive Switch | Medium | Supply-Chain | Omitting the non-interactive switch causes the command to fail during the build process, because zypper would expect manual input |
| NPM Install Command Without Pinned Version | Medium | Supply-Chain | Check if packages installed by npm are pinned to a specific version. |
| APT-GET Missing '-y' To Avoid Manual Input | Medium | Supply-Chain | Check if apt-get calls use the -y flag to avoid manual user input. |
| Pip install Keeping Cached Packages | Medium | Supply-Chain | When installing packages with pip, the '--no-cache-dir' flag should be set to make Docker images smaller |
| Add Instead of Copy | Medium | Supply-Chain | Using ADD to fetch external installation scripts could allow a malicious web server to serve a malicious script in their place. |
| Unpinned Package Version in Pip Install | Medium | Supply-Chain | Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes |
| Using Platform Flag with FROM Command | Medium | Supply-Chain | Don't use the '--platform' flag with FROM |
| Missing Flag From Dnf Install | Medium | Supply-Chain | The '-y' or '--assumeyes' flag should be added when invoking dnf install. If omitted, the command can fail during the build process, because dnf would expect manual input. |
| Missing Zypper Clean | Medium | Supply-Chain | Reduce layer and image size by deleting unneeded caches after running zypper |
| Yum Install Allows Manual Input | Medium | Supply-Chain | Use -y to avoid manual input: 'yum install -y <package>' |
| Missing Version Specification In dnf install | Medium | Supply-Chain | Specifying a package version reduces failures due to unanticipated changes in required packages. |
| Image Version Not Explicit | Medium | Supply-Chain | Always tag the version of an image explicitly |
| Zypper Install Without Version | Medium | Supply-Chain | Not specifying the package version can cause failures due to unanticipated changes in required packages |
| Gem Install Without Version | Medium | Supply-Chain | Instead of 'gem install <gem>', use 'gem install <gem>:<version>' |
| Yum install Without Version | Medium | Supply-Chain | Not specifying the package version can cause failures due to unanticipated changes in required packages |
| Unpinned Package Version in Apk Add | Medium | Supply-Chain | Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes |
| Run Using 'wget' and 'curl' | Medium | Supply-Chain | Both 'wget' and 'curl' shouldn't be used, since they are two tools that have the same effect |
| Yum Clean All Missing | Medium | Supply-Chain | 'yum clean all' needs to be run after a 'yum install' command to clean cached package data and reduce image size |
| Apt Get Install Pin Version Not Defined | Medium | Supply-Chain | When installing a package, its pin version should be defined |
| Missing Dnf Clean All | Medium | Supply-Chain | Cached package data should be cleaned after installation to reduce image size |
| Image Version Using 'latest' | Medium | Supply-Chain | When building images, always tag them with useful tags which codify version information, intended destination (prod or test, for instance), stability, or other information that is useful when deploying the application in different environments. Do not rely on the automatically created latest tag |
| Chown Flag Exists | Low | Best Practices | It is considered a best practice for every executable in a container to be owned by the root user even if it is executed by a non-root user; only execution permissions are required on the file, not ownership |
| Multiple RUN, ADD, COPY, Instructions Listed | Low | Best Practices | Multiple commands (RUN, COPY, ADD) should be grouped in order to reduce the number of layers. |
| Curl or Wget Instead of Add | Low | Best Practices | Curl or Wget should be used instead of ADD to fetch packages from remote URLs, since using ADD for this is strongly discouraged |
| MAINTAINER Instruction Being Used | Low | Best Practices | The MAINTAINER instruction sets the Author field of the generated images. The LABEL instruction is a much more flexible version of this and you should use it instead, as it enables setting any metadata you require, and can be viewed easily |
| Exposing Port 22 (SSH) | Low | Best Practices | Expose only the ports that your application needs and avoid exposing ports like SSH (22) |
| Using Unnamed Build Stages | Low | Build Process | This query ensures that build stages are named. This way, even if the Dockerfile is reordered, the COPY instruction doesn't break. |
| Healthcheck Instruction Missing | Low | Insecure Configurations | Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working |
| Apk Add Using Local Cache Path | Info | Supply-Chain | When installing packages, use the '--no-cache' switch to avoid the need to use '--update' and remove '/var/cache/apk/*' |
| Run Utilities And POSIX Commands | Info | Supply-Chain | Some POSIX commands and interactive utilities shouldn't run inside a Docker container |
| APT-GET Not Avoiding Additional Packages | Info | Supply-Chain | Check if any apt-get installs don't use the '--no-install-recommends' flag to avoid installing additional packages. |
| Apt Get Install Lists Were Not Deleted | Info | Supply-Chain | After using apt-get install, the apt-get lists need to be deleted |