Dockerfile Queries List

This page lists all the Dockerfile queries.

| Query | Severity | Category | Description | Help |
|---|---|---|---|---|
| UNIX Ports Out Of Range | High | Availability | Exposing UNIX ports outside the range 0 to 65535 | Documentation |
| COPY '--from' References Current FROM Alias | High | Build Process | COPY '--from' should not reference the current FROM alias, since a stage cannot copy from itself | Documentation |
| Copy With More Than Two Arguments Not Ending With Slash | High | Build Process | When a COPY command has more than two arguments, the last one should end with a slash | Documentation |
| Multiple ENTRYPOINT Instructions Listed | High | Build Process | There can only be one ENTRYPOINT instruction in a Dockerfile. Only the last ENTRYPOINT instruction in the Dockerfile will have an effect | Documentation |
| Same Alias In Different Froms | High | Build Process | Different FROM instructions can't have the same alias defined | Documentation |
| Missing User Instruction | High | Build Process | A user should be specified in the Dockerfile, otherwise the image will run as root | Documentation |
| WORKDIR Path Not Absolute | High | Build Process | For clarity and reliability, you should always use absolute paths for your WORKDIR | Documentation |
| Run Using Sudo | High | Insecure Configurations | Avoid RUN with the sudo command, as it leads to unpredictable behavior | Documentation |
| Vulnerable OpenSSL Version | High | Supply-Chain | OpenSSL versions from 3.0.0 to 3.0.5 are affected by a critical vulnerability | Documentation |
| Last User Is 'root' | Medium | Best Practices | Leaving the last user as root can cause security risks. Change to another user after running the commands that need privileges | Documentation |
| Changing Default Shell Using RUN Command | Medium | Best Practices | Using the RUN command to override the default shell instead of the SHELL command leads to inefficiencies. It also does not make sense, since Docker provides the SHELL command for this exact purpose. | Documentation |
| Update Instruction Alone | Medium | Build Process | Instruction 'RUN update' should always be followed by ' install' in the same RUN statement | Documentation |
| RUN Instruction Using 'cd' Instead of WORKDIR | Medium | Build Process | When using the RUN command, 'cd' should only be used with a full path. For a relative path, use the WORKDIR command instead. | Documentation |
| Multiple CMD Instructions Listed | Medium | Build Process | There can only be one CMD instruction in a Dockerfile. If you list more than one CMD, only the last CMD will take effect | Documentation |
| Not Using JSON In CMD And ENTRYPOINT Arguments | Medium | Build Process | Ensure that JSON is used in the CMD and ENTRYPOINT arguments | Documentation |
| Shell Running A Pipe Without Pipefail Flag | Medium | Insecure Defaults | Check if shell commands with pipes (except PowerShell) have the pipefail flag set (-o pipefail). | Documentation |
| APT-GET Missing '-y' To Avoid Manual Input | Medium | Supply-Chain | Check if apt-get calls use the -y flag to avoid manual user input. | Documentation |
| Add Instead of Copy | Medium | Supply-Chain | Using ADD to load external installation scripts could allow a malicious web server to serve a malicious script in their place. | Documentation |
| Unpinned Package Version in Apk Add | Medium | Supply-Chain | Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes | Documentation |
| Missing Flag From Dnf Install | Medium | Supply-Chain | The '-y' or '--assumeyes' flag should be added when invoking dnf install. If omitted, the command can fail during the build process, because dnf would expect manual input. | Documentation |
| Yum Clean All Missing | Medium | Supply-Chain | 'yum clean all' should be run after a 'yum install' command to clean cached package data and reduce image size | Documentation |
| Pip install Keeping Cached Packages | Medium | Supply-Chain | When installing packages with pip, the '--no-cache-dir' flag should be set to make Docker images smaller | Documentation |
| NPM Install Command Without Pinned Version | Medium | Supply-Chain | Check if packages installed by npm are pinned to a specific version. | Documentation |
| Image Version Not Explicit | Medium | Supply-Chain | Always tag the version of an image explicitly | Documentation |
| Missing Zypper Non-interactive Switch | Medium | Supply-Chain | Omitting the non-interactive switch causes the command to fail during the build process, because zypper would expect manual input | Documentation |
| Zypper Install Without Version | Medium | Supply-Chain | Not specifying the package version can cause failures due to unanticipated changes in required packages | Documentation |
| Apt Get Install Pin Version Not Defined | Medium | Supply-Chain | When installing a package, its pinned version should be defined | Documentation |
| Yum install Without Version | Medium | Supply-Chain | Not specifying the package version can cause failures due to unanticipated changes in required packages | Documentation |
| Missing Dnf Clean All | Medium | Supply-Chain | Cached package data should be cleaned after installation to reduce image size | Documentation |
| Unpinned Package Version in Pip Install | Medium | Supply-Chain | Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes | Documentation |
| Run Using apt | Medium | Supply-Chain | apt is discouraged by the Linux distributions as an unattended tool, as its interface may change between versions. Use the more stable apt-get and apt-cache instead | Documentation |
| Using Platform Flag with FROM Command | Medium | Supply-Chain | Don't use the '--platform' flag with FROM | Documentation |
| Missing Zypper Clean | Medium | Supply-Chain | Reduce layer and image size by deleting unneeded caches after running zypper | Documentation |
| Run Using 'wget' and 'curl' | Medium | Supply-Chain | 'wget' and 'curl' shouldn't both be used, since they are two tools that have the same effect | Documentation |
| Image Version Using 'latest' | Medium | Supply-Chain | When building images, always tag them with useful tags which codify version information, intended destination (prod or test, for instance), stability, or other information that is useful when deploying the application in different environments. Do not rely on the automatically created 'latest' tag | Documentation |
| Missing Version Specification In dnf install | Medium | Supply-Chain | Specifying a package version helps reduce failures due to unanticipated changes in required packages. | Documentation |
| Yum Install Allows Manual Input | Medium | Supply-Chain | Need to use -y to avoid manual input: 'yum install -y ' | Documentation |
| Gem Install Without Version | Medium | Supply-Chain | Instead of 'gem install ' we should use 'gem install :' | Documentation |
| Chown Flag Exists | Low | Best Practices | It is considered a best practice for every executable in a container to be owned by the root user, even if it is executed by a non-root user; only execution permission is required on the file, not ownership | Documentation |
| MAINTAINER Instruction Being Used | Low | Best Practices | The MAINTAINER instruction sets the Author field of the generated images. The LABEL instruction is a much more flexible version of this and you should use it instead, as it enables setting any metadata you require and can be viewed easily | Documentation |
| Exposing Port 22 (SSH) | Low | Best Practices | Expose only the ports that your application needs and avoid exposing ports like SSH (22) | Documentation |
| Curl or Wget Instead of Add | Low | Best Practices | Curl or Wget should be used instead of ADD to fetch packages from remote URLs, since using ADD for this is strongly discouraged | Documentation |
| Multiple RUN, ADD, COPY, Instructions Listed | Low | Best Practices | Multiple commands (RUN, COPY, ADD) should be grouped in order to reduce the number of layers. | Documentation |
| Using Unnamed Build Stages | Low | Build Process | This query is used to ensure that build stages are named. This way, even if the Dockerfile is reordered, the COPY instruction doesn't break. | Documentation |
| Healthcheck Instruction Missing | Low | Insecure Configurations | Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working | Documentation |
| APT-GET Not Avoiding Additional Packages | Info | Supply-Chain | Check if any apt-get installs don't use the '--no-install-recommends' flag to avoid installing additional packages. | Documentation |
| Apk Add Using Local Cache Path | Info | Supply-Chain | When installing packages, use the '--no-cache' switch to avoid the need to use '--update' and remove '/var/cache/apk/*' | Documentation |
| Run Utilities And POSIX Commands | Info | Supply-Chain | Some POSIX commands and interactive utilities shouldn't run inside a Docker container | Documentation |
| Apt Get Install Lists Were Not Deleted | Info | Supply-Chain | After using apt-get install, the apt-get lists should be deleted | Documentation |