dockerfile.best-practice.avoid-apt-get-upgrade.avoid-apt-get-upgrade

Author: unknown

Packages in base containers should be up-to-date, removing the need to upgrade or dist-upgrade. If a package is out of date, contact the maintainers.

Definition

rules:
  - id: avoid-apt-get-upgrade
    message: Packages in base containers should be up-to-date, removing the need to
      upgrade or dist-upgrade. If a package is out of date, contact the
      maintainers.
    languages:
      - dockerfile
    severity: WARNING
    metadata:
      source-rule-url: https://github.com/hadolint/hadolint/wiki/DL3005
      references:
        - https://github.com/hadolint/hadolint/wiki/DL3005
      category: best-practice
      technology:
        - dockerfile
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    pattern-either:
      - pattern: RUN ... apt-get upgrade ...
      - pattern: RUN ... apt-get dist-upgrade ...
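For CI jobs or pre-commit hooks where semgrep itself is not installed, the following shell check is an added example that mirrors the rule above; it is not part of the Semgrep rule or of hadolint. It joins backslash-continued RUN lines, skips Dockerfile comments, and reports every RUN instruction that invokes apt-get upgrade or apt-get dist-upgrade (options placed before the subcommand included). The sample Dockerfile it runs against is constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the Semgrep rule: a dependency-free stand-in for
# CI hooks where semgrep is not installed. It joins backslash-continued RUN
# lines, skips comments, and reports RUN instructions that invoke "apt-get
# upgrade" or "apt-get dist-upgrade". Line-based, so heredoc RUN bodies are missed.
# check_apt_upgrade FILE: prints "<line>: <instruction>" per finding and
# exits 1 if anything was found, 0 when the file is clean.
check_apt_upgrade() {
  awk '
    # Line ends with a backslash: buffer it and remember where it started.
    /\\[[:space:]]*$/ {
      sub(/\\[[:space:]]*$/, " ")
      if (!start) start = NR
      buf = buf $0
      next
    }
    {
      line = buf $0; buf = ""
      ln = (start ? start : NR); start = 0
      if (line ~ /^[[:space:]]*#/) next           # Dockerfile comment
      if (toupper(line) ~ /^[[:space:]]*RUN[[:space:]]/ &&
          line ~ /apt-get([[:space:]]+-[^[:space:]]*)*[[:space:]]+(dist-)?upgrade([[:space:]]|$)/) {
        printf "%d: %s\n", ln, line
        found = 1
      }
    }
    END { exit (found ? 1 : 0) }
  ' "$1"
}
# Constructed sample (not from the page): a comment that mentions the command,
# a continued RUN, a plain dist-upgrade and a lowercase run with options first.
sample_dockerfile() {
  cat <<'EOF'
FROM debian
# apt-get upgrade mentioned in a comment must not be reported
RUN apt-get update
RUN apt-get update && \
    apt-get upgrade -y
RUN apt-get update && apt-get install -y curl
RUN apt-get dist-upgrade
run apt-get -y upgrade
EOF
}
# Stand-alone run: reports lines 4, 7 and 8 and exits non-zero.
tmp=$(mktemp)
sample_dockerfile > "$tmp"
check_apt_upgrade "$tmp" || echo "apt-get upgrade found: update the base image instead"
rm -f "$tmp"
```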

Examples

avoid-apt-get-upgrade.dockerfile

FROM debian

# ok: avoid-apt-get-upgrade
RUN apt-get update

# ruleid:avoid-apt-get-upgrade
RUN apt-get update && apt-get upgrade

# ruleid:avoid-apt-get-upgrade
RUN apt-get update && apt-get upgrade -y

# ruleid:avoid-apt-get-upgrade
RUN apt-get update && apt-get dist-upgrade

# ruleid:avoid-apt-get-upgrade
RUN apt-get upgrade