dockerfile.best-practice.use-workdir.use-workdir

Author: unknown
As recommended by Docker's documentation, it is best to use 'WORKDIR' instead of 'RUN cd ...' for improved clarity and reliability. Also, 'RUN cd ...' may not work as expected in a container.

Definition

rules:
  - id: use-workdir
    options:
      implicit_deep_exprstmt: false
    patterns:
      - pattern-either:
          - pattern-inside: |
              RUN $CMD ...
          - pattern-inside: |
              RUN $CMD ... && ...
      - metavariable-pattern:
          metavariable: $CMD
          pattern: cd
      - focus-metavariable: $CMD
    message: As recommended by Docker's documentation, it is best to use 'WORKDIR'
      instead of 'RUN cd ...' for improved clarity and reliability. Also, 'RUN
      cd ...' may not work as expected in a container.
    severity: WARNING
    languages:
      - dockerfile
    metadata:
      source-rule-url: https://github.com/hadolint/hadolint/wiki/DL3003
      references:
        - https://github.com/hadolint/hadolint/wiki/DL3003
      category: best-practice
      technology:
        - dockerfile
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]

Examples

use-workdir.dockerfile

FROM busybox

# ruleid: use-workdir
RUN cd semgrep && git clone https://github.com/returntocorp/semgrep

# ok: use-workdir
RUN pip3 install semgrep && cd ..

# ok: use-workdir
RUN semgrep -f p/xss

# ok: use-workdir
RUN blah

# ok: use-workdir
RUN blah blahcd
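
Why 'RUN cd ...' may not work as expected, shown as an added example that is not part of the original page or the rule's own test file: each RUN starts a new shell, so a directory change does not carry over to the next instruction. The paths and file name below are assumptions chosen for illustration.

```dockerfile
# Constructed example; /opt/app and marker.txt are illustrative names.
FROM busybox

RUN mkdir -p /opt/app

# Matched by the rule: cd is the first command of the RUN.
# The directory change ends when this RUN's shell exits.
RUN cd /opt/app

# Runs in the image's working directory (/ unless the base image sets
# one), so marker.txt is NOT created in /opt/app.
RUN touch marker.txt

# Preferred form: WORKDIR creates the directory if it is missing and
# stays in effect for every later RUN, CMD, ENTRYPOINT, COPY and ADD.
WORKDIR /opt/app

# Now the file is created in /opt/app.
RUN touch marker.txt
```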