generic.dockerfile.best-practice.missing-yum-clean-all.missing-yum-clean-all

Author: semgrep
Download Count: 2,919

This yum command does not end with '&& yum clean all'. Running 'yum clean all' removes the package cache that yum leaves behind under /var/cache/yum and so reduces the size of the resulting image. Because every RUN instruction is committed as its own layer, the cleanup only helps when it happens in the same RUN step as the install: a later RUN cannot shrink a layer that has already been written, it only hides the files.

Definition

rules:
  - id: missing-yum-clean-all
    severity: WARNING
    languages:
      - generic
    patterns:
      - pattern: yum $COMMAND
      - pattern-not-inside: RUN ... && yum clean all
      - pattern-not-inside: RUN ... && \ yum clean all
    message: This yum command does not end with '&& yum clean all'. Running 'yum
      clean all' will remove cached data and reduce package size. (This must be
      performed in the same RUN step.)
    metadata:
      source-rule-url: https://github.com/hadolint/hadolint/wiki/DL3032
      references:
        - https://github.com/hadolint/hadolint/wiki/DL3032
      category: best-practice
      technology:
        - dockerfile
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    paths:
      include:
        - "*dockerfile*"
        - "*Dockerfile*"

Examples

missing-yum-clean-all.dockerfile

FROM centos

# ok: missing-yum-clean-all
RUN yum update \
    && yum install foo-1.0 \
    && yum clean all

# ok: missing-yum-clean-all
RUN yum update && \
    yum install foo-1.0 && \
    yum clean all

# ruleid: missing-yum-clean-all
RUN yum install foo-1.0
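A longer Dockerfile, added here as an illustration and not part of the rule's own test file, showing why the message insists on the cleanup being in the same RUN step. The package name foo-1.0 is a placeholder as in the examples above, and the -y flag is a practical addition so the build does not stop at a confirmation prompt; it is not something this rule checks.

```dockerfile
FROM centos

# Flagged by the rule: the install leaves yum's package cache in the
# layer this RUN commits.
RUN yum install -y foo-1.0

# Too late to help: this runs in a new layer, so the cache written by the
# previous RUN is still shipped in the image even though it is no longer
# visible in the final filesystem.
RUN yum clean all

# Not flagged: install and cleanup happen in one RUN, so the cache never
# lands in a committed layer and the image stays small.
RUN yum install -y foo-1.0 \
    && yum clean all
```

Note that the patterns in the definition only recognise the literal `&& yum clean all` form. A RUN step that removes the cache some other way in the same step, for example with `rm -rf /var/cache/yum`, is still reported, and a Dockerfile that uses `dnf` instead of `yum` is not matched by `yum $COMMAND` at all, so it gets no warning from this rule.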