Avoid apt-get upgrade

MEDIUM

Avoid apt-get upgrade in Dockerfiles. Use specific base image versions instead.

Rule Information

Language: Docker
Category: Best Practice
Author: Shivasurya
Last Updated: 2026-03-22
Tags: docker, dockerfile, apt-get, upgrade, package-manager, ubuntu, debian, reproducibility, best-practice, anti-pattern, build
CWE References: none listed
Interactive Playground

pathfinder scan --ruleset docker/DOCKER-BP-006 --project .
About This Rule

Understanding the vulnerability and how it is detected

Detects use of `apt-get upgrade` or `apt-get dist-upgrade` in Dockerfile RUN instructions. A blanket upgrade during the build makes the image non-reproducible: the same Dockerfile built on two different days produces different package sets, because the result depends on whatever the mirror serves at build time rather than on anything recorded in the Dockerfile. That unpinned drift can silently introduce breaking changes or untested package versions, and it hides which versions the image actually ships. Security fixes belong in a deliberate base image update (a new pinned tag or digest), not in an uncontrolled upgrade at build time.

How to Fix

Recommended remediation steps

  1. Remove `apt-get upgrade` / `apt-get dist-upgrade` and pin the base image to a specific tag (or, stricter, a digest), so security fixes arrive through a deliberate base image bump rather than an unrecorded upgrade at build time
  2. Use apt-get instead of apt in Dockerfiles for stable CLI behaviour
  3. Always run apt-get update && apt-get install in the same RUN instruction
  4. Add --no-install-recommends to minimise installed packages
  5. Clean up with rm -rf /var/lib/apt/lists/* in the same layer
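The following is an added example, not pathfinder's own rule implementation: a small Python detector for the anti-pattern this rule describes, run over a constructed "before" Dockerfile (the pattern the rule flags) and a constructed "after" Dockerfile with the remediation steps above applied. It joins backslash continuations and drops comment lines the way Docker does for RUN, then matches `apt-get upgrade`, `apt-get dist-upgrade` and the `apt` equivalents. The regex, the `Finding` type and both sample Dockerfiles are this example's own assumptions.

```python
"""Added example: a small detector for the DOCKER-BP-006 anti-pattern.

Parses Dockerfile RUN instructions (joining backslash continuations and
ignoring comment lines) and reports any `apt-get upgrade`,
`apt-get dist-upgrade` or `apt full-upgrade` invocation. The sample
Dockerfiles, the regex and the Finding type are constructed for this
example; they are not pathfinder's own code.
"""
import re
from dataclasses import dataclass
from typing import Iterator

# Constructed sample: the pattern the rule flags (blanket upgrade at build time).
VULNERABLE_DOCKERFILE = """\
FROM ubuntu:latest
RUN apt-get update && \\
    apt-get -y upgrade && \\
    apt-get install -y curl
RUN apt-get dist-upgrade -y
"""

# Constructed sample: remediation applied. Pinned base image (a digest is
# stricter than a tag), update+install in one RUN, no recommends, lists cleaned.
FIXED_DOCKERFILE = """\
FROM ubuntu:22.04
RUN apt-get update && \\
    apt-get install -y --no-install-recommends curl && \\
    rm -rf /var/lib/apt/lists/*
"""

# apt or apt-get, any number of short/long options (with optional values),
# then upgrade / dist-upgrade / full-upgrade as the subcommand.
UPGRADE_RE = re.compile(
    r"\b(apt(?:-get)?)\b(?:\s+-{1,2}[\w-]+(?:[= ]\S+)?)*\s+((?:dist-|full-)?upgrade)\b"
)


@dataclass(frozen=True)
class Finding:
    line: int       # 1-based line where the offending RUN instruction starts
    command: str    # normalised form, e.g. "apt-get dist-upgrade"


def _instructions(text: str) -> Iterator[tuple[int, str]]:
    """Yield (start_line, instruction) with continuations joined and comments dropped."""
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        start = i + 1
        parts: list[str] = []
        cont = True
        while cont and i < len(lines):
            raw = lines[i].rstrip()
            i += 1
            if raw.lstrip().startswith("#"):
                continue                      # a comment line does not end a continuation
            cont = raw.endswith("\\")
            parts.append(raw[:-1] if cont else raw)
        instruction = " ".join(parts).strip()
        if instruction:
            yield start, instruction


def find_upgrades(dockerfile_text: str) -> list[Finding]:
    """Return one Finding per upgrade invocation found inside a RUN instruction."""
    findings: list[Finding] = []
    for lineno, instruction in _instructions(dockerfile_text):
        words = instruction.split(None, 1)
        head, body = words[0], (words[1] if len(words) > 1 else "")
        if head.upper() != "RUN":
            continue                          # only RUN executes commands at build time
        for m in UPGRADE_RE.finditer(body):
            findings.append(Finding(lineno, f"{m.group(1)} {m.group(2)}"))
    return findings


if __name__ == "__main__":
    for name, text in (("vulnerable", VULNERABLE_DOCKERFILE), ("fixed", FIXED_DOCKERFILE)):
        hits = find_upgrades(text)
        print(f"{name}: {len(hits)} finding(s)")
        for f in hits:
            print(f"  line {f.line}: `{f.command}` in a RUN instruction")
```

The vulnerable sample yields two findings (the continuation-joined RUN at line 2 and the dist-upgrade at line 5); the fixed sample yields none. Two caveats a practitioner should keep in mind: this toy only handles shell-form RUN, so exec-form `RUN ["apt-get", "upgrade"]` and heredoc RUN bodies are not inspected, and it matches on text, so an `echo "apt-get upgrade"` would be reported as well.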

Frequently Asked Questions

Common questions about Avoid apt-get upgrade

Why use apt-get rather than apt?
apt is designed for interactive use and its output format may change between versions. apt-get provides a stable CLI interface suitable for scripting and Dockerfiles.

Why must apt-get update and apt-get install be in the same RUN instruction?
Docker caches each RUN instruction as a layer. If apt-get update sits in its own RUN, a later rebuild can reuse that cached layer unchanged, so the package index is stale by the time apt-get install runs in the next layer, causing package-not-found errors (or installing older versions than expected). Keeping both in one RUN forces the index refresh and the install to be rebuilt together.

The Avoid apt-get upgrade rule runs in CI and posts inline review comments on the exact lines of your GitHub pull requests.