apt-get Without --no-install-recommends

LOW

`apt-get install` is run without `--no-install-recommends`. apt then installs not only the requested packages and their hard dependencies but also everything those packages merely recommend, which increases image size and attack surface.

Rule Information

Language
Docker
Category
Best Practice
Author
Shivasurya
Last Updated
2026-03-22
Tags
docker, dockerfile, apt-get, package-manager, ubuntu, debian, optimization, image-size, best-practice, bloat, attack-surface
CWE References

Interactive Playground

pathfinder scan --ruleset docker/DOCKER-BP-005 --project .

About This Rule

Understanding the vulnerability and how it is detected

This rule detects RUN instructions that run `apt-get install` without the `--no-install-recommends` flag. With apt's default configuration (`APT::Install-Recommends` is true), apt installs a package's hard dependencies and also every package it merely recommends. In a container image those recommended packages are rarely needed: they bloat the image, add binaries and libraries that must be patched and audited, and lengthen build and deploy times.

Security Implications

Potential attack scenarios if this vulnerability is exploited

1. Supply Chain Risks

Recommended packages may pull in:
  • Unmaintained dependencies
  • Packages from less-trusted sources
  • Transitive dependencies with vulnerabilities

2. Compliance Issues

  • More packages = more licenses to track
  • Harder to maintain a Software Bill of Materials (SBOM)
  • Difficult to audit all dependencies

How to Fix

Recommended remediation steps

  1. Use apt-get instead of apt in Dockerfiles for stable CLI behavior
  2. Always run apt-get update && apt-get install in the same RUN instruction
  3. Add --no-install-recommends to minimize installed packages
  4. Clean up with rm -rf /var/lib/apt/lists/* in the same layer
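As an added example (not pathfinder's rule.py and not code from this page), the following Python re-implements the check described under About This Rule and runs it over two constructed Dockerfiles: one that triggers the rule and one that applies the four remediation steps above. It handles backslash continuations (including comment lines inside them), `&&` / `;` chaining, `VAR=value` prefixes such as `DEBIAN_FRONTEND=noninteractive`, options placed before the sub-command (`apt-get -y install`), the JSON exec form, and `-o APT::Install-Recommends=false` as an equivalent spelling of the fix. Treating that `-o` spelling as equivalent is an assumption of this example; the real rule may handle it differently.

```python
# Added example (not pathfinder's rule.py): a stand-alone checker for this rule's pattern.
import json
import re
import shlex

# -o spellings this example treats as equivalent to --no-install-recommends (assumption).
RECOMMENDS_OFF = re.compile(r"^APT::(Get::)?Install-Recommends=(false|0|no|off)$", re.I)
ENV_ASSIGN = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")

def parse_instructions(dockerfile):
    """Yield (line_no, INSTRUCTION, args); joins continuations, skips blanks/comments."""
    lines, i = dockerfile.splitlines(), 0
    while i < len(lines):
        text, start = lines[i].strip(), i + 1
        i += 1
        if not text or text.startswith("#"):
            continue
        while text.endswith("\\") and i < len(lines):
            nxt = lines[i].strip()
            i += 1
            if not nxt.startswith("#"):  # comment lines are legal inside a continuation
                text = text[:-1].rstrip() + " " + nxt
        parts = text.split(None, 1)  # instruction keywords are case-insensitive
        yield start, parts[0].upper(), parts[1] if len(parts) > 1 else ""

def split_commands(script):
    """Split a RUN's shell form on && || ; the JSON exec form is one command, no shell."""
    if script.startswith("["):
        try:
            return [json.loads(script)]
        except ValueError:
            pass
    cmds, cur = [], []
    for tok in shlex.split(script):
        if tok in ("&&", "||", ";"):
            if cur:
                cmds.append(cur)
            cur = []
        else:
            cur.append(tok)
    if cur:
        cmds.append(cur)
    return cmds

def check_command(cmd):
    """Return a finding message for one simple command, or None."""
    i = 0
    while i < len(cmd) and ENV_ASSIGN.match(cmd[i]):
        i += 1  # skip e.g. DEBIAN_FRONTEND=noninteractive
    binary = cmd[i].rsplit("/", 1)[-1] if i < len(cmd) else ""
    if binary not in ("apt-get", "apt"):
        return None
    rest, subcommand, no_recommends, j = cmd[i + 1:], None, False, 0
    while j < len(rest):
        tok = rest[j]
        if tok == "--no-install-recommends":
            no_recommends = True
        elif tok in ("-o", "--option") and j + 1 < len(rest):
            j += 1
            no_recommends |= bool(RECOMMENDS_OFF.match(rest[j]))
        elif not tok.startswith("-") and subcommand is None:
            subcommand = tok  # first non-option word, so `apt-get -y install` is handled
        j += 1
    if subcommand != "install" or no_recommends:
        return None
    if binary == "apt":
        return "apt install without --no-install-recommends (use apt-get in Dockerfiles)"
    return "apt-get install without --no-install-recommends"

def scan(dockerfile):
    """Return [(line_no, message), ...] for every offending RUN instruction."""
    findings = []
    for line_no, instr, args in parse_instructions(dockerfile):
        if instr == "RUN":
            for cmd in split_commands(args):
                msg = check_command(cmd)
                if msg:
                    findings.append((line_no, msg))
    return findings

# Constructed sample that triggers the rule; apt-get update in its own layer
# is also the stale-index pattern the FAQ warns about.
VULNERABLE = """\
FROM debian:bookworm-slim
RUN apt-get update
RUN apt-get install -y curl ca-certificates
RUN DEBIAN_FRONTEND=noninteractive apt install -y \\
    # a comment inside a continuation
    git
"""

# Constructed sample that follows the four remediation steps above.
FIXED = """\
FROM debian:bookworm-slim
RUN apt-get update && apt-get install -y --no-install-recommends \\
        curl ca-certificates git \\
    && rm -rf /var/lib/apt/lists/*
"""
```

`scan(VULNERABLE)` reports lines 3 and 4 and `scan(FIXED)` reports nothing. A plain regex such as `apt-get install(?!.*--no-install-recommends)` misses several of these cases: the flag may sit on a later continuation line, the install may be spelled `apt -y install`, and the exec form never passes through a shell. Checking each simple command separately also stops a `--no-install-recommends` on one `apt-get` from silencing a second, unflagged `apt-get install` chained in the same RUN.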

Frequently Asked Questions

Common questions about apt-get Without --no-install-recommends

apt is designed for interactive use and its output format may change between versions; apt itself warns that it does not have a stable CLI interface when run from scripts. apt-get provides a stable CLI interface suitable for scripting and Dockerfiles.
Docker caches layers. If apt-get update is in a separate RUN instruction, that layer is reused from cache on later builds while the package index it captured goes stale, so a subsequent apt-get install can ask the mirror for package versions that no longer exist and fail with package-not-found errors.
