generic.dockerfile.best-practice.avoid-apt-get-upgrade.avoid-apt-get-upgrade

Author: returntocorp
Download count: 3,970

Packages in base containers should be up-to-date, removing the need to upgrade or dist-upgrade. If a package is out of date, contact the maintainers.

Definition

rules:
  - id: avoid-apt-get-upgrade
    message: Packages in base containers should be up-to-date, removing the need to
      upgrade or dist-upgrade. If a package is out of date, contact the
      maintainers.
    languages:
      - generic
    severity: WARNING
    metadata:
      source-rule-url: https://github.com/hadolint/hadolint/wiki/DL3005
      references:
        - https://github.com/hadolint/hadolint/wiki/DL3005
      category: best-practice
      technology:
        - dockerfile
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    paths:
      include:
        - "*dockerfile*"
        - "*Dockerfile*"
    pattern-either:
      - pattern: RUN ... apt-get upgrade
      - pattern: RUN ... apt-get dist-upgrade

Examples

avoid-apt-get-upgrade.dockerfile

FROM debian

# ok: avoid-apt-get-upgrade
RUN apt-get update

# ruleid:avoid-apt-get-upgrade
RUN apt-get update && apt-get upgrade

# ruleid:avoid-apt-get-upgrade
RUN apt-get update && apt-get dist-upgrade

# ruleid:avoid-apt-get-upgrade
RUN apt-get upgrade
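To make the `RUN ... apt-get upgrade` pattern concrete, here is an added Python checker (example code, not the Semgrep rule or the registry page's own tooling) that applies the same logic to a constructed Dockerfile. It goes slightly beyond the generic pattern by joining backslash line continuations, skipping comment lines, and also inspecting the JSON exec form of RUN.

```python
import json
import re

# Constructed sample Dockerfile (not from the rule's test file).
SAMPLE_DOCKERFILE = """\
FROM debian:bookworm-slim
# apt-get upgrade mentioned in a comment must not be reported
RUN apt-get update \\
    && apt-get install -y --no-install-recommends curl \\
    && rm -rf /var/lib/apt/lists/*
RUN apt-get update && \\
    apt-get -y upgrade
RUN ["apt-get", "dist-upgrade", "-y"]
ENV NOTE="apt-get upgrade"
"""

# "apt-get", optional flags such as -y or --yes, then upgrade or dist-upgrade.
UPGRADE_RE = re.compile(r"\bapt-get\b(?:\s+-\S+)*\s+(?:dist-)?upgrade\b")


def dockerfile_instructions(text):
    """Return (start_line, instruction) pairs, joining backslash
    continuations and dropping comment and blank lines."""
    instructions, buf, start = [], [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # comments are allowed inside a continuation too
        if start is None:
            start = no
        if line.endswith("\\"):
            buf.append(line[:-1].rstrip())
            continue
        buf.append(line)
        instructions.append((start, " ".join(buf)))
        buf, start = [], None
    return instructions


def find_apt_upgrade(text):
    """Line numbers of RUN instructions that call apt-get (dist-)upgrade."""
    findings = []
    for no, inst in dockerfile_instructions(text):
        keyword, _, rest = inst.partition(" ")
        if keyword.upper() != "RUN":
            continue  # only RUN instructions execute apt-get
        rest = rest.strip()
        if rest.startswith("["):  # exec form: RUN ["apt-get", "upgrade"]
            try:
                rest = " ".join(json.loads(rest))
            except ValueError:
                pass  # malformed JSON: fall back to the raw text
        if UPGRADE_RE.search(rest):
            findings.append(no)
    return findings


if __name__ == "__main__":
    print(find_apt_upgrade(SAMPLE_DOCKERFILE))  # [6, 8]
```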