dockerfile.best-practice.avoid-platform-with-from.avoid-platform-with-from

semgrep

Author

unknown

Download Count*

License

Using '--platform' with FROM restricts the image to build on a single platform. Further, this must be the same as the build platform. If you intended to specify the target platform, use the utility 'docker buildx --platform=' instead.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit Rule View Source

Open in Playground

rules:
  - id: avoid-platform-with-from
    severity: INFO
    languages:
      - dockerfile
    pattern: FROM --platform=$PLATFORM $IMAGE
    message: Using '--platform' with FROM restricts the image to build on a single
      platform. Further, this must be the same as the build platform. If you
      intended to specify the target platform, use the utility 'docker buildx
      --platform=' instead.
    metadata:
      source-rule-url: https://github.com/hadolint/hadolint/wiki/DL3029
      references:
        - https://github.com/hadolint/hadolint/wiki/DL3029
        - https://docs.docker.com/buildx/working-with-buildx/
      category: best-practice
      technology:
        - dockerfile
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]

Examples

avoid-platform-with-from.dockerfile

# cf. https://github.com/hadolint/hadolint/wiki/DL3029

# ruleid: avoid-platform-with-from
FROM --platform=x86 busybox

# ruleid: avoid-platform-with-from
FROM --platform=x86 busybox:1.34

# ruleid: avoid-platform-with-from
FROM --platform=x86 busybox AS bb

# ruleid: avoid-platform-with-from
FROM --platform=x86 busybox:1.34 AS bb

# ok: avoid-platform-with-from
FROM busybox

# ok: avoid-platform-with-from
FROM busybox:1.34

# ok: avoid-platform-with-from
FROM busybox AS bb

# ok: avoid-platform-with-from
FROM busybox:1.34 AS bb

Short Link: https://sg.run/93G4