generic.dockerfile.best-practice.set-pipefail.set-pipefail

Only the exit code from the final command in this RUN instruction will be evaluated unless 'pipefail' is set. If you want to fail the command at any stage in the pipe, set 'pipefail' by including 'SHELL ["/bin/bash", "-o", "pipefail", "-c"]' before the command. If you're using alpine and don't have bash installed, communicate this explicitly with SHELL ["/bin/ash"].
Definition
rules:
- id: set-pipefail
  languages:
  - generic
  message: Only the exit code from the final command in this RUN instruction will
    be evaluated unless 'pipefail' is set. If you want to fail the command at
    any stage in the pipe, set 'pipefail' by including 'SHELL ["/bin/bash",
    "-o", "pipefail", "-c"] before the command. If you're using alpine and
    don't have bash installed, communicate this explicitly with `SHELL
    ["/bin/ash"]`.
  metadata:
    references:
    - https://github.com/hadolint/hadolint/wiki/DL4006
    source-rule-url: https://github.com/hadolint/hadolint/wiki/DL4006
    category: best-practice
    technology:
    - dockerfile
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
  paths:
    include:
    - "*dockerfile*"
    - "*Dockerfile*"
  patterns:
  - pattern: RUN $CMD ... | $CMD2
  - pattern-not-inside: |
      SHELL [... "pipefail" ...]
      ...
      ...
  - pattern-not-inside: |
      SHELL ["/bin/ash" ...]
      ...
      ...
  severity: WARNING
Examples
set-pipefail.dockerfile
# cf. https://github.com/hadolint/hadolint/wiki/DL4006
FROM debian:jessie
# ruleid: set-pipefail
RUN wget -O - https://some.site | wc -l > /number
# ok: set-pipefail
SHELL ["/bin/bash", "-o", "pipefail", "-c"]
RUN wget -O - https://some.site | wc -l > /number
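What the two RUN lines above do when the download fails, as an added example that is not part of the rule or its test file. It emulates the builder by passing the RUN string as the last argument to the SHELL array; `FETCH` is a constructed stand-in for a failing `wget`, and `bash` is taken from PATH rather than `/bin/bash`.

```shell
#!/bin/sh
# Emulates how a shell-form RUN line is executed: the SHELL array is the
# argv prefix and the whole RUN string is passed as the final argument.

# Constructed stand-in for `wget -O - https://some.site` failing:
# it writes nothing to stdout and exits with status 4.
FETCH='sh -c "exit 4"'

# step_status OUTFILE SHELL_ARGV...
# Runs "<fetch> | wc -l > OUTFILE" under the given shell and prints the
# exit status the image builder would see for that RUN step.
step_status() {
    out=$1; shift
    rc=0
    "$@" "$FETCH | wc -l > \"$out\"" || rc=$?
    printf '%s\n' "$rc"
}

# number_written FILE: contents of the output file, whitespace stripped.
number_written() {
    tr -d ' \n' < "$1"
}

demo() {
    dir=$(mktemp -d)
    # Docker's default shell on Linux is ["/bin/sh", "-c"]: only wc's status
    # counts, so the step "succeeds" and a bogus 0 is baked into the image.
    echo "sh -c:               status=$(step_status "$dir/number" /bin/sh -c)" \
         "number=$(number_written "$dir/number")"
    # SHELL ["/bin/bash", "-o", "pipefail", "-c"] (bash taken from PATH here):
    # the fetch failure becomes the step's status and the build stops.
    echo "bash -o pipefail -c: status=$(step_status "$dir/number" bash -o pipefail -c)" \
         "number=$(number_written "$dir/number")"
    rm -rf "$dir"
}

demo
```

In both cases `wc -l` still runs and writes 0; the difference is that with pipefail the step exits non-zero, so the build stops instead of committing the layer.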
Short Link: https://sg.run/oxdn