dockerfile.best-practice.missing-zypper-clean.missing-zypper-clean

profile photo of semgrepsemgrep
Author
unknown
Download Count*
LGPL Commons Clause
License

This zypper command does not end with '&& zypper clean'. Running 'zypper clean' will remove cached data and reduce package size. (This must be performed in the same RUN step.)

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: missing-zypper-clean
    severity: WARNING
    languages:
      - dockerfile
    patterns:
      - pattern: RUN ... zypper $COMMAND ...
      - pattern-not-inside: RUN ... zypper clean
      - pattern-not-inside: RUN ... zypper clean
    message: This zypper command does not end with '&& zypper clean'. Running
      'zypper clean' will remove cached data and reduce package size. (This must
      be performed in the same RUN step.)
    metadata:
      source-rule-url: https://github.com/hadolint/hadolint/wiki/DL3036
      references:
        - https://github.com/hadolint/hadolint/wiki/DL3036
      category: best-practice
      technology:
        - dockerfile
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]

Examples

missing-zypper-clean.dockerfile

# cf. https://github.com/hadolint/hadolint/wiki/DL3036

FROM opensuse/leap:15.2
# ruleid: missing-zypper-clean
RUN zypper install -y httpd=2.4.46
# ok: missing-zypper-clean
RUN zypper install -y httpd=2.4.46 && zypper clean
# ok: missing-zypper-clean
RUN zypper install -y httpd=2.4.46 && \
  zypper clean