dockerfile.best-practice.use-workdir.use-workdir
semgrep
Author
unknown
As recommended by Docker's documentation, it is best to use 'WORKDIR' instead of 'RUN cd ...' for improved clarity and reliability. Also, 'RUN cd ...' may not work as expected in a container.
Definition
rules:
  - id: use-workdir
    options:
      implicit_deep_exprstmt: false
    patterns:
      - pattern-either:
          - pattern-inside: |
              RUN $CMD ...
          - pattern-inside: |
              RUN $CMD ... && ...
      - metavariable-pattern:
          metavariable: $CMD
          pattern: cd
      - focus-metavariable: $CMD
    message: As recommended by Docker's documentation, it is best to use 'WORKDIR'
      instead of 'RUN cd ...' for improved clarity and reliability. Also, 'RUN
      cd ...' may not work as expected in a container.
    severity: WARNING
    languages:
      - dockerfile
    metadata:
      source-rule-url: https://github.com/hadolint/hadolint/wiki/DL3003
      references:
        - https://github.com/hadolint/hadolint/wiki/DL3003
      category: best-practice
      technology:
        - dockerfile
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
Examples
use-workdir.dockerfile
FROM busybox
# ruleid: use-workdir
RUN cd semgrep && git clone https://github.com/returntocorp/semgrep
# ok: use-workdir
RUN pip3 install semgrep && cd ..
# ok: use-workdir
RUN semgrep -f p/xss
# ok: use-workdir
RUN blah
# ok: use-workdir
RUN blah blahcd
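
An added illustration, not part of the rule's own test file: a two-stage Dockerfile that contrasts the flagged 'RUN cd ...' form with the 'WORKDIR' form the message recommends. The stage names, the /opt/app path and the file names are made up for this example.

```dockerfile
# Constructed example; stage names, /opt/app and file names are placeholders.

# Stage "before": the form the use-workdir rule flags.
FROM busybox AS before
RUN mkdir -p /opt/app
# The cd applies only to the shell started for this one RUN instruction.
RUN cd /opt/app && touch built.txt
# This RUN starts from the image's working directory again, not /opt/app,
# so marker.txt is not created next to built.txt.
RUN touch marker.txt

# Stage "after": the same steps written with WORKDIR.
FROM busybox AS after
# WORKDIR creates the directory if it does not exist and applies to every
# later RUN, CMD, ENTRYPOINT, COPY and ADD instruction in this stage.
WORKDIR /opt/app
RUN touch built.txt
# Still in /opt/app, so both files end up in the same directory.
RUN touch marker.txt
```

Each stage can be built on its own with `docker build --target before .` or `docker build --target after .` to compare where the files land.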
Short Link: https://sg.run/4kXE