dockerfile.best-practice.missing-pip-no-cache-dir.missing-pip-no-cache-dir

Author: semgrep
This '$PIP install' is missing '--no-cache-dir'. Without the flag, pip keeps the downloaded package archives in its cache directory (on Linux, under ~/.cache/pip by default), and because every RUN instruction becomes an image layer, anything written there stays in the image unless it is deleted within the same RUN step. Add '--no-cache-dir' to the install command, or set PIP_NO_CACHE_DIR in an ENV instruction before it, so the cache never lands in a layer and the image stays smaller. The rule does not report installs from the local source tree ('$PIP install .') or installs that follow an ENV instruction setting PIP_NO_CACHE_DIR. Note that the rule accepts any value for that variable (its $BOOL metavariable), so 'ENV PIP_NO_CACHE_DIR=false' also silences the finding; check that the value you set actually disables the cache for the pip version in your image.

Definition

rules:
  - id: missing-pip-no-cache-dir
    severity: INFO
    languages:
      - dockerfile
    patterns:
      - patterns:
          - pattern: |
              RUN ... $PIP install ...
          - pattern-not-inside: |
              RUN ... $PIP install ... --no-cache-dir ...
          - pattern-not-inside: |
              RUN ... $PIP install . ...
          - pattern-not-inside: |
              ENV ... PIP_NO_CACHE_DIR=$BOOL ...
              ...
              RUN ... $PIP install ...
          - pattern-not-inside: |
              ENV ... PIP_NO_CACHE_DIR ...
              ...
              RUN ... $PIP install ...
      - metavariable-regex:
          metavariable: $PIP
          regex: (pip|pip2|pip3|python -m pip|python3 -m pip)
    message: This '$PIP install' is missing '--no-cache-dir'. This flag prevents
      package archives from being kept around, thereby reducing image size. Add
      '--no-cache-dir'.
    metadata:
      source-rule-url: https://github.com/hadolint/hadolint/wiki/DL3042
      references:
        - https://github.com/hadolint/hadolint/wiki/DL3042
      category: best-practice
      technology:
        - dockerfile
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
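
To make the patterns above concrete, here is an added standalone Python script that approximates the rule's logic on a plain Dockerfile. It is not part of the Semgrep rule and does not use the semgrep engine; running semgrep with the rule remains the authoritative check. The script joins backslash-continued lines into one instruction, splits each RUN body on shell separators, accepts the same pip spellings as the `$PIP` metavariable-regex, exempts `pip install .` and any RUN that follows an `ENV` setting `PIP_NO_CACHE_DIR` (with any value, as the rule does). One assumption the page does not state: it resets the ENV state at each `FROM`, because Docker scopes ENV per build stage. The sample Dockerfile is constructed from the rule's own test file.

```python
import re
from typing import List, Tuple

# Same spellings of pip the rule's metavariable-regex accepts for $PIP.
PIP_INSTALL_RE = re.compile(
    r"\b(?:pip|pip2|pip3|python -m pip|python3 -m pip)\s+install\b"
)
# Matches "PIP_NO_CACHE_DIR=<anything>" and the legacy "PIP_NO_CACHE_DIR value" form.
ENV_NO_CACHE_RE = re.compile(r"\bPIP_NO_CACHE_DIR(?:=|\s|$)")
# Shell separators used to split one RUN body into individual commands.
CMD_SEP_RE = re.compile(r"\s*(?:&&|\|\||;|\|)\s*")


def parse_instructions(dockerfile: str) -> List[Tuple[int, str]]:
    """Return (first line number, instruction text) pairs.

    Backslash-continued lines are joined into one instruction; blank and
    comment lines are dropped, including comment lines inside a continuation.
    """
    instructions: List[Tuple[int, str]] = []
    parts: List[str] = []
    start = 0
    for lineno, raw in enumerate(dockerfile.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not parts:
            start = lineno
        if line.endswith("\\"):
            parts.append(line[:-1].strip())
            continue
        parts.append(line)
        instructions.append((start, " ".join(parts)))
        parts = []
    if parts:  # dangling continuation at end of file
        instructions.append((start, " ".join(parts)))
    return instructions


def run_is_flagged(body: str) -> bool:
    """Apply the rule's pattern logic to the body of one RUN instruction."""
    for cmd in CMD_SEP_RE.split(body):
        match = PIP_INSTALL_RE.search(cmd)
        if not match:
            continue
        args = cmd[match.end():].split()
        if "--no-cache-dir" in args:
            continue
        if args and args[0] == ".":  # "$PIP install ." is exempt in the rule
            continue
        return True
    return False


def find_missing_no_cache_dir(dockerfile: str) -> List[int]:
    """Line numbers of RUN instructions the rule would report."""
    findings: List[int] = []
    cache_disabled = False
    for lineno, instr in parse_instructions(dockerfile):
        keyword, _, body = instr.partition(" ")
        keyword = keyword.upper()
        if keyword == "FROM":
            # Assumption: ENV is scoped per build stage, so forget it here.
            cache_disabled = False
        elif keyword == "ENV" and ENV_NO_CACHE_RE.search(body):
            cache_disabled = True  # any value silences the rule, as $BOOL does
        elif keyword == "RUN" and not cache_disabled and run_is_flagged(body):
            findings.append(lineno)
    return findings


# Constructed sample, adapted from the rule's test Dockerfile.
SAMPLE_DOCKERFILE = """\
FROM python
RUN pip install MySQL_python
RUN python -m pip install MySQL_python
RUN pip install --no-cache-dir MySQL_python
RUN pip install .
RUN apt-get update && \\
    pip3 install MySQL_python semgrep
FROM python:3.7
ENV PIP_DISABLE_PIP_VERSION_CHECK=true PIP_NO_CACHE_DIR=true
RUN pip install MySQL_python
FROM python:3.7
RUN pip2 install MySQL_python
"""

if __name__ == "__main__":
    for line in find_missing_no_cache_dir(SAMPLE_DOCKERFILE):
        print(f"line {line}: '$PIP install' is missing '--no-cache-dir'")
```

On the sample, lines 2, 3, 6 and 12 are reported: the continued RUN is attributed to its first line, the `pip install .` and `--no-cache-dir` installs are skipped, the RUN after `ENV ... PIP_NO_CACHE_DIR=true` is silent, and the install in the final stage is reported again because the ENV did not carry across `FROM`.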

Examples

missing-pip-no-cache-dir.dockerfile

FROM python

# ruleid: missing-pip-no-cache-dir
RUN pip install MySQL_python

# ruleid: missing-pip-no-cache-dir
RUN python -m pip install MySQL_python

# ruleid: missing-pip-no-cache-dir
RUN python3 -m pip install MySQL_python

# ruleid: missing-pip-no-cache-dir
RUN pip install MySQL_python semgrep

# ok: missing-pip-no-cache-dir
RUN pip install --no-cache-dir MySQL_python

# ok: missing-pip-no-cache-dir
RUN pip install --no-cache-dir MySQL_python semgrep

# ok: missing-pip-no-cache-dir
RUN pip install .

FROM python:3.7

# ruleid: missing-pip-no-cache-dir
RUN pip3 install MySQL_python

# ruleid: missing-pip-no-cache-dir
RUN pip2 install MySQL_python

# ruleid: missing-pip-no-cache-dir
RUN pip3 install MySQL_python semgrep

# ok: missing-pip-no-cache-dir
RUN pip3 install --no-cache-dir MySQL_python

# ok: missing-pip-no-cache-dir
RUN pip3 install --no-cache-dir MySQL_python semgrep

FROM python:3.7

# ENV SOMETHING=true PIP_NO_CACHE_DIR=true
ENV PIP_NO_CACHE_DIR=true

# ok: missing-pip-no-cache-dir
RUN pip install MySQL_python

FROM python:3.10.1-alpine3.15@sha256:dce56d40d885d2c8847aa2a278a29d50450c8e3d10f9d7ffeb2f38dcc1eb0ea4
LABEL maintainer="support@semgrep.com"
ENV PIP_DISABLE_PIP_VERSION_CHECK=true PIP_NO_CACHE_DIR=true

# ugly: circle CI requires valid git and ssh programs in the container
# when running semgrep on a repository containing submodules
RUN apk add --no-cache git openssh

COPY --from=build-semgrep-core \
     /semgrep/semgrep-core/_build/install/default/bin/semgrep-core /usr/local/bin/semgrep-core
RUN semgrep-core -version

COPY semgrep /semgrep
# hadolint ignore=DL3013
RUN SEMGREP_SKIP_BIN=true python -m pip install /semgrep && \
     semgrep --version && \
     mkdir -p /src && \
     chmod 777 /src && \
     mkdir -p /tmp/.cache && \
     chmod 777 /tmp/.cache