Best Practice

dockerdockerfilefromimagetagversionlatestreproducibilitybest-practicesupply-chainimmutability

Base image uses ':latest' tag or no tag (defaults to latest). This makes builds non-reproducible.

CWE-1188

dockerdockerfilemaintainerlabeldeprecatedmetadatabest-practiceocistandardslegacy

Deprecated MAINTAINER Instruction

INFO

MAINTAINER instruction is deprecated. Use LABEL org.opencontainers.image.authors instead.

apt-get Without --no-install-recommends

dockerdockerfileapt-getpackage-managerubuntudebianoptimizationimage-sizebest-practicebloatattack-surface

apt-get install without --no-install-recommends. This installs unnecessary packages, increasing image size and attack surface.

Avoid apt-get upgrade

dockerdockerfileapt-getupgradepackage-managerubuntudebianreproducibilitybest-practiceanti-patternbuild

Avoid apt-get upgrade in Dockerfiles. Use specific base image versions instead.

Avoid dnf update

dockerdockerfilednfpackage-managerfedorarhelupdatereproducibilitybest-practiceanti-pattern

Avoid 'dnf update' in Dockerfiles. Use specific base image versions for reproducible builds.

Missing pipefail in Shell Commands

dockerdockerfileshellbashpipefailerror-handlingbest-practicereliabilitybuildpipes

RUN instruction uses pipes without 'set -o pipefail'. This masks failures in piped commands.

CWE-703

Prefer COPY Over ADD

dockerdockerfilecopyaddfile-operationsbest-practicetransparencypredictabilityanti-pattern

Use COPY instead of ADD for simple file operations. ADD has implicit behavior that can be surprising.

Missing yum clean all

dockerdockerfileyumpackage-managercentosrhelcachecleanupimage-sizeoptimizationbest-practice

RUN instruction uses 'yum install' without 'yum clean all'. This leaves package cache and increases image size.

Missing dnf clean all

dockerdockerfilednfpackage-managerfedorarhelcachecleanupimage-sizeoptimizationbest-practice

RUN uses 'dnf install' without 'dnf clean all'. This increases image size.

Remove apt Package Lists

dockerdockerfileapt-getpackage-managerubuntudebiancachecleanupimage-sizeoptimizationbest-practice

apt-get install without removing /var/lib/apt/lists/*. This wastes image space.

Prefer JSON Notation for CMD/ENTRYPOINT

dockerdockerfilecmdentrypointexec-formjsonsignal-handlingbest-practiceprocess-managementpid1

Use JSON notation (exec form) for CMD/ENTRYPOINT for proper signal handling.

Use WORKDIR Instead of cd

dockerdockerfileworkdircddirectorybest-practicemaintainabilityclarityanti-pattern

Use WORKDIR instruction instead of 'cd' in RUN commands.

Use Absolute Path in WORKDIR

dockerdockerfileworkdirpathabsolute-pathbest-practiceclaritymaintainabilityfilesystem

WORKDIR should use absolute paths starting with /.

Avoid zypper update

dockerdockerfilezypperpackage-manageropensusesuseupdatereproducibilitybest-practiceanti-pattern

Avoid 'zypper update' in Dockerfiles. Use specific base image versions for reproducible builds.

Missing zypper clean

dockerdockerfilezypperpackage-manageropensusesusecachecleanupimage-sizeoptimizationbest-practice

RUN uses 'zypper install' without 'zypper clean'. This increases image size.

Missing -y flag for apt-get

dockerdockerfileapt-getpackage-managerautomationci-cdbuildubuntudebianbest-practicenon-interactive

apt-get install without -y flag. Add -y or --yes for non-interactive builds.

Missing HEALTHCHECK Instruction

dockerdockerfilehealthcheckmonitoringobservabilityorchestrationkubernetesreliabilitybest-practiceavailability

No HEALTHCHECK instruction. Container health cannot be monitored by orchestrators, reducing reliability and observability.

Prefer apt-get over apt

dockerdockerfileaptapt-getpackage-managerubuntudebianscriptingstabilityreproducibilitybest-practice

Use apt-get instead of apt for better script stability in Dockerfiles.

Install Only One of wget or curl

dockerdockerfilewgetcurldownloadtoolsoptimizationimage-sizeredundancybest-practice

Installing both wget and curl wastes space. Choose one tool for downloads.

Missing -y flag for yum

dockerdockerfileyumpackage-managercentosrhelautomationci-cdbuildbest-practicenon-interactive

yum install without -y flag. Add -y for non-interactive builds.

Missing -y flag for dnf

dockerdockerfilednfpackage-managerfedorarhelautomationci-cdbuildbest-practicenon-interactive

dnf install without -y flag. Add -y for non-interactive builds.

Avoid --platform Flag with FROM

dockerdockerfilefromplatformmulti-archportabilitybuildxarchitecturebest-practice

FROM with --platform flag reduces portability. Let Docker handle platform selection.

Avoid apk upgrade

dockerdockerfileapkpackage-manageralpineupgradereproducibilitybest-practiceanti-pattern

Avoid 'apk upgrade' in Dockerfiles. Use specific base image versions instead for reproducible builds.

Avoid yum update

dockerdockerfileyumpackage-managercentosrhelupdatereproducibilitybest-practiceanti-pattern

Avoid 'yum update' in Dockerfiles. Use specific base image versions for reproducible builds.

Nonsensical Command

dockerdockerfilecdworkdirdirectoryshellbest-practiceanti-patternconfusing

RUN command uses 'cd' which doesn't persist. Use WORKDIR instead.

apk add Without --no-cache

dockerdockerfileapkpackage-manageralpinecacheoptimizationimage-sizebest-practicelinux

apk add without --no-cache. Package cache remains in image, increasing size by 2-5 MB.

pip install Without --no-cache-dir

dockerdockerfilepippythonpackage-managercacheoptimizationimage-sizebest-practice

pip install without --no-cache-dir. Pip cache remains in image, adding 50-200 MB depending on dependencies.

dockerdockerfilefromimagetagversionlatestreproducibilitybest-practicesupply-chaindependency-management

Missing Image Version

HIGH

FROM instruction uses 'latest' tag or no tag. Specify explicit versions for reproducible builds.

CWE-1188