dockerfile.correctness.missing-assume-yes-switch.missing-assume-yes-switch

profile photo of returntocorpreturntocorp
Author
unknown
Download Count*
LGPL Commons Clause
License

This 'apt-get install' is missing the '-y' switch. This might stall builds because it requires human intervention. Add the '-y' switch.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: missing-assume-yes-switch
    patterns:
      - pattern: |
          RUN ... apt-get install ... $MULTIFLAG ... 
      - pattern-not: |
          RUN ... apt-get install ... --assume-yes ...
      - pattern-not: |
          RUN ... apt-get install ... --yes ...
      - pattern-not: |
          RUN ... apt-get install ... -y ...
      - metavariable-regex:
          metavariable: $MULTIFLAG
          regex: (^([^-])|(-[^y]+)$)
    languages:
      - dockerfile
    message: This 'apt-get install' is missing the '-y' switch. This might stall
      builds because it requires human intervention. Add the '-y' switch.
    severity: WARNING
    metadata:
      source-rule-url: https://github.com/hadolint/hadolint/wiki/DL3014
      references:
        - https://github.com/hadolint/hadolint/wiki/DL3014
      category: correctness
      technology:
        - dockerfile
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]

Examples

missing-assume-yes-switch.dockerfile

FROM debian
# ruleid: missing-assume-yes-switch
RUN apt-get install semgrep=0.30.0

# ok: missing-assume-yes-switch
RUN apt-get install -y python=2.7 semgrep

# ok: missing-assume-yes-switch
RUN apt-get install --no-install-recommends -y python=2.7 semgrep

# ok: missing-assume-yes-switch
RUN apt-get install -y python=2.7

# ok: missing-assume-yes-switch
RUN apt-get install --yes python=2.7

#ok: missing-assume-yes-switch
RUN apt-get install -qqy

#ok: missing-assume-yes-switch
RUN apt-get install -yqq

# ok: missing-assume-yes-switch
RUN apt-get update \
    && apt-get install -y --no-install-recommends \
    python3 \
    python3-pip \
    python3-setuptools \
    libpython3-dev \
    python3-dev \
    git \
    ca-certificates \
    zip \
    jq \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/*

# ruleid: missing-assume-yes-switch
RUN apt-get update \
    && apt-get install --no-install-recommends \
    python3 \
    python3-pip \
    python3-setuptools \
    libpython3-dev \
    python3-dev \
    git \
    ca-certificates \
    zip \
    jq \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/*

# ok: missing-assume-yes-switch
RUN apt-get update \
    && apt-get install --assume-yes --no-install-recommends \
    python3 \
    python3-pip \
    python3-setuptools \
    libpython3-dev \
    python3-dev \
    git \
    ca-certificates \
    zip \
    jq \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/*