generic.dockerfile.best-practice.prefer-json-notation.prefer-json-notation

returntocorp

Author

2,483

Download Count*

LGPL Commons Clause

License

Prefer JSON notation when using CMD or ENTRYPOINT. This allows signals to be passed from the OS.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit Rule View Source

Open in Playground

rules:
  - id: prefer-json-notation
    severity: INFO
    languages:
      - generic
    message: Prefer JSON notation when using CMD or ENTRYPOINT. This allows signals
      to be passed from the OS.
    metadata:
      source-rule-url: https://github.com/hadolint/hadolint/wiki/DL3025
      references:
        - https://github.com/hadolint/hadolint/wiki/DL3025
        - https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#cmd
      category: best-practice
      technology:
        - dockerfile
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    paths:
      include:
        - "*dockerfile*"
        - "*Dockerfile*"
    pattern-either:
      - patterns:
          - pattern: CMD $WORD
          - pattern-not-inside: CMD [...]
      - patterns:
          - pattern: ENTRYPOINT $WORD
          - pattern-not-inside: ENTRYPOINT [...]

Examples

prefer-json-notation.dockerfile

# cf. https://github.com/hadolint/hadolint/wiki/DL3025

FROM busybox
# ruleid:  prefer-json-notation
ENTRYPOINT s3cmd
# ruleid: prefer-json-notation
CMD my-service server

# ok: prefer-json-notation
ENTRYPOINT ["s3cmd"]
# ok: prefer-json-notation
CMD ["my-service", "server"]

Short Link: https://sg.run/l2O5