dockerfile.best-practice.use-shell-instruction.use-shell-instruction

profile photo of semgrepsemgrep
Author
unknown
Download Count*
LGPL Commons Clause
License

Use the SHELL instruction to set the default shell instead of overwriting '/bin/sh'.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: use-shell-instruction
    severity: WARNING
    languages:
      - dockerfile
    pattern: |
      RUN ln ... $SHELL /bin/sh
    message: Use the SHELL instruction to set the default shell instead of
      overwriting '/bin/sh'.
    metadata:
      source-rule-url: https://github.com/hadolint/hadolint/wiki/DL4005
      references:
        - https://github.com/hadolint/hadolint/wiki/DL4005
      category: best-practice
      technology:
        - dockerfile
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    fix: SHELL ["$SHELL", "-c"]

Examples

use-shell-instruction.dockerfile

# cf. https://github.com/hadolint/hadolint/wiki/DL4005

FROM busybox

# Install bash
RUN apk add --update-cache bash=4.3.42-r3

# Use bash as the default shell
# ruleid: use-shell-instruction
RUN ln -sfv /bin/bash /bin/sh

# ruleid: use-shell-instruction
RUN ln -sfv /bin/zsh /bin/sh

# ok: use-shell-instruction
SHELL ["/bin/bash", "-c"]