Dockerfile Queries List

This page contains all queries from Dockerfile.

| Query | Severity | Category | Description | Help |
|---|---|---|---|---|
| UNIX Ports Out Of Range | High | Availability | Exposing UNIX ports out of range from 0 to 65535 | Documentation |
| COPY '--from' References Current FROM Alias | High | Build Process | COPY '--from' should not mention the current FROM alias, since it is impossible to copy from itself | Documentation |
| Multiple ENTRYPOINT Instructions Listed | High | Build Process | There can only be one ENTRYPOINT instruction in a Dockerfile. Only the last ENTRYPOINT instruction in the Dockerfile will have an effect | Documentation |
| WORKDIR Path Not Absolute | High | Build Process | For clarity and reliability, you should always use absolute paths for your WORKDIR | Documentation |
| Missing User Instruction | High | Build Process | A user should be specified in the Dockerfile, otherwise the image will run as root | Documentation |
| Copy With More Than Two Arguments Not Ending With Slash | High | Build Process | When a COPY command has more than two arguments, the last one should end with a slash | Documentation |
| Same Alias In Different Froms | High | Build Process | Different FROMs can't have the same alias defined | Documentation |
| Run Using Sudo | High | Insecure Configurations | Avoid RUN with the sudo command, as it leads to unpredictable behavior | Documentation |
| Run Using Upgrade Commands | High | Supply-Chain | Commands 'apt-get upgrade' and 'apt-get dist-upgrade' should not be used | Documentation |
| Run Using dnf Update | High | Supply-Chain | Command 'dnf update' should not be used, as it can cause inconsistencies between builds and failures in updated packages | Documentation |
| Use of Apk Upgrade | High | Supply-Chain | Avoid usage of apk upgrade because some packages from the parent image cannot be upgraded inside an unprivileged container | Documentation |
| Yum Update Enabled | High | Supply-Chain | Yum update is being used | Documentation |
| Last User Is 'root' | Medium | Best Practices | Leaving the last user as root can cause security risks. Change to another user after running the commands that need privileges | Documentation |
| COPY '--from' Without FROM Alias Defined Previously | Medium | Build Process | COPY command with the flag '--from' should mention a previously defined FROM alias | Documentation |
| Update Instruction Alone | Medium | Build Process | Instruction 'RUN update' should always be followed by ' install' in the same RUN statement | Documentation |
| Not Using JSON In CMD And ENTRYPOINT Arguments | Medium | Build Process | Ensure that we are using JSON in the CMD and ENTRYPOINT arguments | Documentation |
| Multiple CMD Instructions Listed | Medium | Build Process | There can only be one CMD instruction in a Dockerfile. If you list more than one CMD then only the last CMD will take effect | Documentation |
| RUN Instruction Using 'cd' Instead of WORKDIR | Medium | Build Process | Use WORKDIR instead of proliferating instructions like RUN cd … && do-something, which are hard to read, troubleshoot, and maintain. | Documentation |
| Changing Default Shell Using SHELL Command | Medium | Insecure Defaults | Using the command SHELL to override the default shell instead of the RUN command | Documentation |
| Shell Running A Pipe Without Pipefail Flag | Medium | Insecure Defaults | Check if shell commands with pipes (except PowerShell) have the pipefail flag set (-o). | Documentation |
| Using Platform Flag with FROM Command | Medium | Supply-Chain | Don't use the '--platform' flag with FROM | Documentation |
| Missing Version Specification In dnf install | Medium | Supply-Chain | Specifying a package version reduces failures due to unanticipated changes in required packages. | Documentation |
| Missing Flag From Dnf Install | Medium | Supply-Chain | The '-y' or '--assumeyes' flag should be added when invoking dnf install. If omitted, it can cause the command to fail during the build process, because dnf would expect manual input. | Documentation |
| Run Using Zypper Update | Medium | Supply-Chain | 'zypper update' should not be used. It can cause inconsistencies between builds, producing problems for application developers | Documentation |
| Yum Install Allows Manual Input | Medium | Supply-Chain | Need to use -y to avoid manual input: 'yum install -y ' | Documentation |
| Yum install Without Version | Medium | Supply-Chain | Not specifying the package version can cause failures due to unanticipated changes in required packages | Documentation |
| Image Version Not Explicit | Medium | Supply-Chain | Always tag the version of an image explicitly | Documentation |
| Image Version Using 'latest' | Medium | Supply-Chain | When building images, always tag them with useful tags which codify version information, intended destination (prod or test, for instance), stability, or other information that is useful when deploying the application in different environments. Do not rely on the automatically-created latest tag | Documentation |
| Missing Dnf Clean All | Medium | Supply-Chain | Cached package data should be cleaned after installation to reduce image size | Documentation |
| NPM Install Command Without Pinned Version | Medium | Supply-Chain | Check if packages installed by npm are pinned to a specific version. | Documentation |
| Unpinned Package Version in Apk Add | Medium | Supply-Chain | Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes | Documentation |
| APT-GET Missing '-y' To Avoid Manual Input | Medium | Supply-Chain | Check if apt-get calls use the flag -y to avoid manual user input. | Documentation |
| Yum Clean All Missing | Medium | Supply-Chain | Need to use 'yum clean all' after using a 'yum install' command to clean cached package data and reduce image size | Documentation |
| Pip install Keeping Cached Packages | Medium | Supply-Chain | When installing packages with pip, the '--no-cache-dir' flag should be set to make Docker images smaller | Documentation |
| Apt Get Install Pin Version Not Defined | Medium | Supply-Chain | When installing a package, its pin version should be defined | Documentation |
| Unpinned Package Version in Pip Install | Medium | Supply-Chain | Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes | Documentation |
| Run Using 'wget' and 'curl' | Medium | Supply-Chain | Shouldn't use both 'wget' and 'curl', since they are two tools that have the same effect | Documentation |
| Missing Zypper Non-interactive Switch | Medium | Supply-Chain | Omitting the non-interactive switch causes the command to fail during the build process, because zypper would expect manual input | Documentation |
| Gem Install Without Version | Medium | Supply-Chain | Instead of 'gem install ' we should use 'gem install :' | Documentation |
| Missing Zypper Clean | Medium | Supply-Chain | Reduce layer and image size by deleting unneeded caches after running zypper | Documentation |
| Run Using apt | Medium | Supply-Chain | apt is discouraged by the Linux distributions as an unattended tool, as its interface may change between versions. Better use the more stable apt-get and apt-cache | Documentation |
| Zypper Install Without Version | Medium | Supply-Chain | Not specifying the package version can cause failures due to unanticipated changes in required packages | Documentation |
| Curl or Wget Instead of Add | Low | Best Practices | Use Curl or Wget instead of Add to fetch packages from remote URLs, because using Add is strongly discouraged | Documentation |
| Chown Flag Exists | Low | Best Practices | If the user only needs execution permissions on the file and not ownership, don't use the --chown option | Documentation |
| Multiple RUN, ADD, COPY, Instructions Listed | Low | Best Practices | Multiple commands (RUN, COPY, ADD) should be grouped in order to reduce the number of layers. | Documentation |
| Exposing Port 22 (SSH) | Low | Best Practices | Expose only the ports that your application needs and avoid exposing ports like SSH (22) | Documentation |
| MAINTAINER Instruction Being Used | Low | Best Practices | The MAINTAINER instruction sets the Author field of the generated images. The LABEL instruction is a much more flexible version of this and you should use it instead, as it enables setting any metadata you require, and can be viewed easily | Documentation |
| Add Instead of Copy | Low | Build Process | Should use COPY instead of ADD unless extracting a tar file | Documentation |
| Healthcheck Instruction Missing | Low | Insecure Configurations | Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working | Documentation |
| Apt Get Install Lists Were Not Deleted | Info | Supply-Chain | After using apt-get install, the apt-get lists need to be deleted | Documentation |
| Apk Add Using Local Cache Path | Info | Supply-Chain | When installing packages, use the '--no-cache' switch to avoid the need to use '--update' and remove '/var/cache/apk/*' | Documentation |
| Run Utilities And POSIX Commands | Info | Supply-Chain | Some POSIX commands and interactive utilities shouldn't run inside a Docker container | Documentation |
| APT-GET Not Avoiding Additional Packages | Info | Supply-Chain | Check if any apt-get installs don't use the '--no-install-recommends' flag to avoid installing additional packages. | Documentation |