dockerfile.best-practice.missing-dnf-clean-all.missing-dnf-clean-all

semgrep

Author

unknown

Download Count*

License

This dnf command does not end with '&& dnf clean all'. Running 'dnf clean all' will remove cached data and reduce package size. (This must be performed in the same RUN step.)

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit Rule View Source

Open in Playground

rules:
  - id: missing-dnf-clean-all
    severity: WARNING
    languages:
      - dockerfile
    patterns:
      - pattern: RUN ... dnf ...
      - pattern-not-inside: RUN ... && dnf clean all
      - pattern-not-inside: RUN ... && \ dnf clean all
    message: This dnf command does not end with '&& dnf clean all'. Running 'dnf
      clean all' will remove cached data and reduce package size. (This must be
      performed in the same RUN step.)
    metadata:
      source-rule-url: https://github.com/hadolint/hadolint/wiki/DL3038
      references:
        - https://github.com/hadolint/hadolint/wiki/DL3038
      category: best-practice
      technology:
        - dockerfile
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]

Examples

missing-dnf-clean-all.dockerfile

# cf. https://github.com/hadolint/hadolint/wiki/DL3038

FROM centos

# ok: missing-dnf-clean-all
RUN dnf update \
    && dnf install foo-1.0 \
    && dnf clean all

# ok: missing-dnf-clean-all
RUN dnf update && \
    dnf install foo-1.0 && \
    dnf clean all

# ruleid: missing-dnf-clean-all
RUN dnf install foo-1.0

Short Link: https://sg.run/w460