#dockerfile
Rulesets (5)

Selected rules from Hadolint, a Dockerfile linter, rewritten in Semgrep.

Selected rules from Hadolint, a Dockerfile linter, rewritten in Semgrep.

Security checks for lockfiles.
Rules (40)

Multiple CMD instructions were found. Only the last one will take effect.

The last user in the container is 'root'. This is a security hazard because if an attacker gains control of the container they will have root access. Switch back to another user after running commands as 'root'.

This 'apt-get install' is missing the '-y' switch. This might stall builds because it requires human intervention. Add the '-y' switch.

Docker build-time arguments are not suited for secrets, because the argument values are saved with the image. Running `docker image history` on the image will show how the image was built, including the arguments. If these contain secrets, anyone with access to the Docker image can read those secrets.

To ensure reproducible and deterministic builds, make sure `yarn install` uses the lockfile. Otherwise, Yarn will update the lockfile rather than using the pinned versions. With `--immutable`, Yarn exits with a non-zero code if the lockfile would be modified.

Packages in base images should be up-to-date, removing the need for 'apk upgrade'. If packages are out-of-date, consider contacting the base image maintainer.

Packages in base containers should be up-to-date, removing the need to upgrade or dist-upgrade. If a package is out of date, contact the maintainers.

Packages in base images should be up-to-date, removing the need for 'dnf update'. If packages are out-of-date, consider contacting the base image maintainer.

Images should be tagged with an explicit version to produce deterministic container images. The 'latest' tag may change the base container without warning.

Detected docker image with no explicit version attached. Images should be tagged with an explicit version to produce deterministic container images -- attach a version when using `FROM <image>`.

The package cache was not deleted after running 'apt-get update', which increases the size of the image. Remove the package cache by appending '&& apt-get clean' at the end of the apt-get command chain.

The package lists were not deleted after running 'apt-get update', which increases the size of the image. Remove the package lists by appending '&& rm -rf /var/lib/apt/lists/*' at the end of the apt-get command chain.

Only the exit code from the final command in this RUN instruction will be evaluated unless 'pipefail' is set. If you want the command to fail at any stage in the pipe, set 'pipefail' by including `SHELL ["/bin/bash", "-o", "pipefail", "-c"]` before the command. If you're using Alpine and don't have bash installed, communicate this explicitly with `SHELL ["/bin/ash"]`.

'wget' and 'curl' are similar tools. Choose one and do not install the other to decrease image size.

Use the SHELL instruction to set the default shell instead of overwriting '/bin/sh'.

As recommended by Docker's documentation, it is best to use 'WORKDIR' instead of 'RUN cd ...' for improved clarity and reliability. Also, 'RUN cd ...' may not work as expected in a container.

Multiple ENTRYPOINT instructions were found. Only the last one will take effect.

By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'.

By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'.

This '$PIP install' is missing '--no-cache-dir'. This flag prevents package archives from being kept around, thereby reducing image size. Add '--no-cache-dir'.

This zypper command does not end with '&& zypper clean'. Running 'zypper clean' will remove cached data and reduce package size. (This must be performed in the same RUN step.)

To ensure reproducible builds, pin Dockerfile `FROM` commands to a specific hash. You can find the hash by running `docker pull $IMAGE` and then specify it with `$IMAGE:$VERSION@sha256:<hash goes here>`.

Using '--platform' with FROM restricts the image to being built on a single platform, which must also be the build platform. If you intended to specify the target platform, use 'docker buildx --platform=' instead.

Packages in base images should be up-to-date, removing the need for 'yum update'. If packages are out-of-date, consider contacting the base image maintainer.

Packages in base images should be up-to-date, removing the need for 'zypper update'. If packages are out-of-date, consider contacting the base image maintainer.

MAINTAINER has been deprecated.

This apk command is missing '--no-cache'. This forces apk to use a package index instead of a local package cache, removing the need for '--update' and the deletion of '/var/cache/apk/*'. Add '--no-cache' to your apk command.

This 'dnf install' is missing the '-y' switch. This might stall builds because it requires human intervention. Add the '-y' switch.

This dnf command does not end with '&& dnf clean all'. Running 'dnf clean all' will remove cached data and reduce package size. (This must be performed in the same RUN step.)

This 'apt-get install' is missing '--no-install-recommends'. This prevents unnecessary packages from being installed, thereby reducing image size. Add '--no-install-recommends'.

This '$PIP install' is missing '--no-cache-dir'. This flag prevents package archives from being kept around, thereby reducing image size. Add '--no-cache-dir'.

This 'yum install' is missing the '-y' switch. This might stall builds because it requires human intervention. Add the '-y' switch.

This zypper command does not end with '&& zypper clean'. Running 'zypper clean' will remove cached data and reduce package size. (This must be performed in the same RUN step.)

Some commands such as `$CMD` do not make sense in a container. Do not use these.

'apt-get' is preferred as an unattended tool for stability. 'apt' is discouraged.

The ADD command will accept and include files from a URL and automatically extract archives. This potentially exposes the container to a man-in-the-middle attack or other attacks if a malicious actor can tamper with the source archive. Since ADD can have this and other unexpected side effects, the use of the more explicit COPY command is preferred.

Prefer JSON notation when using CMD or ENTRYPOINT. This allows signals to be passed from the OS.

The last user in the container is 'root'. This is a security hazard because if an attacker gains control of the container they will have root access. Switch back to another user after running commands as 'root'.

This 'zypper install' is missing the '-y' switch. This might stall builds because it requires human intervention. Add the '-y' switch.

Detected an invalid port number. Valid ports are 0 through 65535.