dockerfile.best-practice.nonsensical-command.nonsensical-command

Author: unknown

Some commands such as $CMD do not make sense in a container. Do not use these.

Definition

rules:
  - id: nonsensical-command
    patterns:
      - pattern: RUN $CMD ...
      - metavariable-regex:
          metavariable: $CMD
          regex: (shutdown|service|ps|free|top|kill|mount|ifconfig|nano|vim)
    message: Some commands such as `$CMD` do not make sense in a container. Do not
      use these.
    severity: WARNING
    languages:
      - dockerfile
    metadata:
      source-rule-url: https://github.com/hadolint/hadolint/wiki/DL3001
      references:
        - https://github.com/hadolint/hadolint/wiki/DL3001
      category: best-practice
      technology:
        - dockerfile
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]

Examples

nonsensical-command.dockerfile

FROM busybox

# ruleid: nonsensical-command
RUN top

# ruleid: nonsensical-command
RUN kill 1234

# ruleid: nonsensical-command
RUN ifconfig

# ruleid: nonsensical-command
RUN ps -ef

# ruleid: nonsensical-command
RUN vim /var/log/www/error.log

# ok: nonsensical-command
RUN git clone https://github.com/returntocorp/semgrep

# ok: nonsensical-command
RUN pip3 install semgrep

# ok: nonsensical-command
RUN semgrep -f p/xss
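As an added example (not part of the Semgrep rule or of hadolint), the same check re-implemented in Python as a standalone Dockerfile linter. It goes beyond the `RUN $CMD ...` pattern by also inspecting commands chained with `&&`, `||`, `;` or `|`, RUN steps split over backslash line continuations, and exec-form `RUN [...]`; the sample Dockerfile is constructed.

```python
import json
import re

# Same command list as the rule's metavariable-regex (hadolint DL3001).
NONSENSICAL = {"shutdown", "service", "ps", "free", "top", "kill",
               "mount", "ifconfig", "nano", "vim"}
# Constructed sample: the page's cases plus a chained command behind a
# line continuation and an exec-form RUN, which `RUN $CMD ...` does not match.
SAMPLE = """FROM busybox
RUN top
RUN kill 1234
RUN git clone https://github.com/returntocorp/semgrep
RUN apt-get update && \\
    vim /etc/hosts
RUN ["ps", "-ef"]
RUN pip3 install semgrep
"""

def _instructions(text):
    # Yield (line_no, INSTRUCTION, args); backslash continuations are joined.
    buf, start = [], 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        start = start if buf else no
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        instr, _, args = " ".join(buf + [line]).partition(" ")
        buf = []
        yield start, instr.upper(), args.strip()

def _commands(args):
    # Basename of the first word of every command a RUN step executes.
    if args.startswith("["):                     # exec form: RUN ["ps", "-ef"]
        argv = json.loads(args)
        return [argv[0]] if argv else []
    words = []
    for seg in re.split(r"&&|\|\||;|\|", args):  # shell form, possibly chained
        tokens = seg.split()
        if tokens:
            words.append(tokens[0].rsplit("/", 1)[-1])
    return words

def find_nonsensical(dockerfile_text):
    # Return [(line_no, command)] for each RUN step invoking a flagged command.
    return [(no, cmd) for no, instr, args in _instructions(dockerfile_text)
            if instr == "RUN" for cmd in _commands(args) if cmd in NONSENSICAL]
```

Running `find_nonsensical(SAMPLE)` reports the `top`, `kill`, `vim` and `ps` steps, with the continued `vim` attributed to the line where its RUN instruction starts.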