dockerfile.best-practice.avoid-apk-upgrade.avoid-apk-upgrade

Author: semgrep

Packages in base images should be up-to-date, removing the need for 'apk upgrade'. If packages are out-of-date, consider contacting the base image maintainer. Running `apk upgrade` at build time also ties the image contents to whatever the Alpine repositories hold when the build happens to run, so two builds of the same Dockerfile can produce different images; pinning a newer base image tag (or digest) and installing pinned package versions with `apk add --no-cache` keeps the build reproducible.

Definition

rules:
  - id: avoid-apk-upgrade
    languages:
      - dockerfile
    message: Packages in base images should be up-to-date, removing the need for
      'apk upgrade'. If packages are out-of-date, consider contacting the base
      image maintainer.
    severity: INFO
    metadata:
      source-rule-url: https://github.com/hadolint/hadolint/wiki/DL3017
      references:
        - https://github.com/hadolint/hadolint/wiki/DL3017
      category: best-practice
      technology:
        - dockerfile
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    pattern: RUN ... apk upgrade ...
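For CI jobs where Semgrep is not available, the check can be approximated with a small Dockerfile parser. The following is an added example, not part of the Semgrep rule or the hadolint project: it joins backslash continuations, tokenises each `RUN` instruction in both shell and exec (JSON) form, splits the shell into individual commands, and reports any command whose program is `apk` and whose first non-option word is `upgrade` (so `apk --update upgrade` is also flagged). The sample Dockerfile is constructed inline and mirrors the rule's own test cases; the function names are this example's own.

```python
"""Lightweight stand-in for the avoid-apk-upgrade check (example code, not the
Semgrep rule itself): report RUN instructions that invoke `apk upgrade`."""
import json
import shlex
from typing import List, Optional, Tuple

# Constructed sample Dockerfile, modelled on the rule's test file.
SAMPLE_DOCKERFILE = """\
FROM alpine:3.7

RUN apk update \\
    && apk upgrade \\
    && apk add foo=1.0 \\
    && rm -rf /var/cache/apk/*

RUN apk upgrade

RUN ["apk", "upgrade"]

RUN apk --no-cache add foo=1.0
"""


def instructions(dockerfile: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, INSTRUCTION, argument) triples with backslash
    continuations joined. Comment lines inside a continued instruction are
    skipped, as Docker's parser does."""
    out: List[Tuple[int, str, str]] = []
    buf: List[str] = []
    start = 0
    for n, raw in enumerate(dockerfile.splitlines(), 1):
        line = raw.rstrip()
        if not buf:
            if not line.strip() or line.lstrip().startswith("#"):
                continue  # blank line or comment between instructions
            start = n
        elif line.lstrip().startswith("#"):
            continue  # comment inside a continuation
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        text = " ".join(part.strip() for part in buf)
        buf = []
        parts = text.split(None, 1)
        out.append((start, parts[0].upper(), parts[1] if len(parts) > 1 else ""))
    return out


def shell_words(arg: str) -> List[str]:
    """Tokenise a RUN argument given in exec form (JSON array) or shell form."""
    if arg.startswith("["):
        try:
            return [str(w) for w in json.loads(arg)]
        except ValueError:
            pass  # not valid JSON; fall through to shell tokenisation
    try:
        return shlex.split(arg)
    except ValueError:
        return arg.split()  # unbalanced quotes; best-effort split


def invokes_apk_upgrade(arg: str) -> bool:
    """True if any command in the RUN argument is `apk [options...] upgrade`."""
    cmds: List[List[str]] = []
    cur: List[str] = []
    for w in shell_words(arg):
        if w in ("&&", "||", ";", "|"):
            cmds.append(cur)
            cur = []
        else:
            cur.append(w)
    cmds.append(cur)
    for cmd in cmds:
        # Compare on the basename so /sbin/apk is treated like apk.
        if not cmd or cmd[0].rsplit("/", 1)[-1] != "apk":
            continue
        # The apk subcommand is the first word after `apk` that is not an option.
        sub: Optional[str] = next((w for w in cmd[1:] if not w.startswith("-")), None)
        if sub == "upgrade":
            return True
    return False


def find_apk_upgrade(dockerfile: str) -> List[int]:
    """Line numbers (1-based, first line of the instruction) of RUN
    instructions that invoke `apk upgrade`."""
    return [n for n, ins, arg in instructions(dockerfile)
            if ins == "RUN" and invokes_apk_upgrade(arg)]


if __name__ == "__main__":
    for line_no in find_apk_upgrade(SAMPLE_DOCKERFILE):
        print(f"line {line_no}: avoid-apk-upgrade")
```

Run against the constructed sample it reports lines 3, 8 and 10; the final `apk --no-cache add foo=1.0` is left alone. The splitter only recognises separators that stand as their own word (`&&`, `||`, `;`, `|`), which is how Dockerfiles are normally written; a `;` glued to the previous word is not split, so treat this as a first-pass filter rather than a replacement for Semgrep's Dockerfile parser.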

Examples

avoid-apk-upgrade.dockerfile

FROM alpine:3.7

# ruleid: avoid-apk-upgrade
RUN apk update \
    && apk upgrade \
    && apk add foo=1.0 \
    && rm -rf /var/cache/apk/*

# ruleid: avoid-apk-upgrade
RUN apk upgrade

# ruleid: avoid-apk-upgrade
RUN apk upgrade -y

# ok: avoid-apk-upgrade
RUN apk --no-cache add foo=1.0