generic.dockerfile.best-practice.use-absolute-workdir.use-absolute-workdir

profile photo of semgrepsemgrep
Author
3,970
Download Count*
LGPL Commons Clause
License

Detected a relative WORKDIR. Use absolute paths. This prevents issues based on assumptions about the WORKDIR of previous containers.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: use-absolute-workdir
    pattern-either:
      - patterns:
          - pattern: WORKDIR $VALUE
          - metavariable-pattern:
              metavariable: $VALUE
              patterns:
                - pattern-not-regex: (\/.*)
      - patterns:
          - pattern: ENV $VAR=$VALUE ... $CMD ${$VAR}
          - metavariable-pattern:
              metavariable: $VALUE
              patterns:
                - pattern-not-regex: (\/.*)
          - metavariable-pattern:
              metavariable: $CMD
              pattern: WORKDIR
          - focus-metavariable: $CMD
    message: Detected a relative WORKDIR. Use absolute paths. This prevents issues
      based on assumptions about the WORKDIR of previous containers.
    severity: WARNING
    languages:
      - generic
    metadata:
      source-rule-url: https://github.com/hadolint/hadolint/wiki/DL3000
      references:
        - https://github.com/hadolint/hadolint/wiki/DL3000
      category: best-practice
      technology:
        - dockerfile
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    paths:
      include:
        - "*dockerfile*"
        - "*Dockerfile*"

Examples

use-absolute-workdir.dockerfile

FROM busybox

# ruleid: use-absolute-workdir
WORKDIR usr/src/app

# ok: use-absolute-workdir
WORKDIR /usr/src/app

ENV dirpath=bar
# ruleid: use-absolute-workdir
WORKDIR ${dirpath}

ENV dirpath=/bar
# ok: use-absolute-workdir
WORKDIR ${dirpath}