dockerfile.best-practice.prefer-json-notation.prefer-json-notation

semgrep
Author
unknown

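Prefer JSON notation (exec form) when using CMD or ENTRYPOINT. In shell form, Docker runs the command under /bin/sh -c, so the shell rather than your executable is PID 1 and signals from the OS, such as the SIGTERM sent by docker stop, do not reach the executable.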

Definition

rules:
  - id: prefer-json-notation
    severity: INFO
    languages:
      - dockerfile
    message: Prefer JSON notation when using CMD or ENTRYPOINT. This allows signals
      to be passed from the OS.
    metadata:
      source-rule-url: https://github.com/hadolint/hadolint/wiki/DL3025
      references:
        - https://github.com/hadolint/hadolint/wiki/DL3025
        - https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#cmd
      category: best-practice
      technology:
        - dockerfile
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    pattern-either:
      - patterns:
          - pattern: CMD $WORD ...
          - pattern-not-inside: CMD [...]
      - patterns:
          - pattern: ENTRYPOINT $WORD ...
          - pattern-not-inside: ENTRYPOINT [...]

Examples

prefer-json-notation.dockerfile

# cf. https://github.com/hadolint/hadolint/wiki/DL3025

FROM busybox
# ruleid:  prefer-json-notation
ENTRYPOINT s3cmd
# ruleid:  prefer-json-notation
ENTRYPOINT command param1 param2
# ruleid: prefer-json-notation
CMD command
# ruleid: prefer-json-notation
CMD my-service server

# ok: prefer-json-notation
ENTRYPOINT ["s3cmd"]
# ok: prefer-json-notation
ENTRYPOINT ["command", "param1", "param2"]
# ok: prefer-json-notation
CMD ["my-service", "server"]
# ok: prefer-json-notation
CMD ["command"]
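
An added example, not part of the Semgrep rule or its test file: a small Python checker that approximates the rule's logic over a Dockerfile. It goes slightly beyond the rule's patterns by joining backslash continuations and by treating anything that is not a valid JSON array of strings (such as a single-quoted array) as shell form, which is how Docker parses it. The function names and the SAMPLE input are constructed for illustration.

```python
import json
import re

# Constructed sample: cases from the page's test file plus two edge cases
# (a backslash continuation and a single-quoted array).
SAMPLE = '''\
FROM busybox
ENTRYPOINT s3cmd
CMD my-service server
ENTRYPOINT ["command", "param1", "param2"]
CMD ["my-service", "server"]
cmd my-service \\
    --port 8080
CMD ['my-service', 'server']
'''

INSTRUCTION = re.compile(r"^\s*(CMD|ENTRYPOINT)\s+(.*)$", re.IGNORECASE | re.DOTALL)

def logical_lines(text):
    """Yield (first_line_number, instruction) with backslash continuations joined."""
    buf, start = "", None
    for num, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):  # comment lines are skipped, even mid-continuation
            continue
        if start is None:
            start = num
        if line.rstrip().endswith("\\"):
            buf += line.rstrip()[:-1] + " "
            continue
        yield start, buf + line
        buf, start = "", None

def is_exec_form(args):
    """Exec form is a JSON array of strings; anything else runs via /bin/sh -c."""
    try:
        value = json.loads(args)
    except ValueError:
        return False
    return isinstance(value, list) and all(isinstance(v, str) for v in value)

def shell_form_findings(text):
    """Return (line, instruction) for each CMD/ENTRYPOINT that is not in exec form."""
    findings = []
    for num, instr in logical_lines(text):
        m = INSTRUCTION.match(instr)
        if m and not is_exec_form(m.group(2).strip()):
            findings.append((num, m.group(1).upper()))
    return findings
```

The single-quoted array on the last sample line is flagged because it is not valid JSON, so Docker falls back to shell form for it.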