# DOCKER-BP-007: apk add Without --no-cache

> **Severity:** LOW | **CWE:** CWE-710

- **Language:** Docker
- **Category:** Best Practice
- **URL:** https://codepathfinder.dev/registry/docker/best-practice/DOCKER-BP-007
- **Detection:** `pathfinder scan --ruleset docker/DOCKER-BP-007 --project .`

## Description

This rule detects RUN instructions that call Alpine Linux's `apk add` without the
`--no-cache` flag. Without it, apk keeps the repository index files fetched by
`apk update` (and, where a local package cache is configured, the downloaded `.apk`
files) in `/var/cache/apk/`, and those files are committed into the image layer,
increasing image size for no runtime benefit. With `--no-cache`, apk fetches the
index for that invocation only and retains nothing under `/var/cache/apk/`, which
also makes a separate `RUN apk update` unnecessary. The flag is about image size,
not about the integrity of the packages; apk still verifies package signatures either way.

## Vulnerable Code

```dockerfile
FROM alpine:3.19

# Bad: index and cache files are left in /var/cache/apk/ and baked into the layer.
# Running apk update in its own layer also stores a second copy of the index.
RUN apk update
RUN apk add \
    nginx \
    curl \
    ca-certificates

# Cache files remain in /var/cache/apk/*
# Adds 2-5 MB of unnecessary data
```

## Secure Code

```dockerfile
FROM alpine:3.19

# Good: No cache retained, and no separate apk update needed
RUN apk add --no-cache \
    nginx \
    curl \
    ca-certificates

# Even better: Pin versions so rebuilds are reproducible.
# Caveat: an Alpine branch keeps only the latest revision of each package, so an
# exact pin stops resolving once the package is updated; rebuild regularly.
RUN apk add --no-cache \
    nginx=1.24.0-r15 \
    curl=8.4.0-r0 \
    ca-certificates=20230506-r0
```

## Detection Rule (Python SDK)

```python
from codepathfinder.container_decorators import dockerfile_rule
from codepathfinder.container_matchers import instruction
from codepathfinder.container_combinators import all_of


@dockerfile_rule(
    id="DOCKER-BP-007",
    name="apk add Without --no-cache",
    severity="LOW",
    cwe="CWE-710",
    category="best-practice",
    tags="docker,dockerfile,apk,package-manager,alpine,cache,optimization,image-size,best-practice,linux",
    message="apk add without --no-cache. Package cache remains in image, increasing size by 2-5 MB."
)
def apk_without_no_cache():
    """
    Detects apk add without --no-cache flag for Alpine images.

    The --no-cache flag prevents package cache from being stored
    in the image, reducing size by 20-30% for Alpine-based images.
    """
    return all_of(
        instruction(type="RUN", contains="apk add"),
        instruction(type="RUN", not_contains="--no-cache")
    )
```
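A stand-alone version of the same check, added here as an illustration and not part of the Code Pathfinder SDK or the rule above. It joins backslash continuations, splits each `RUN` on shell operators, and tests every `apk ... add` invocation on its own, so a `--no-cache` that appears elsewhere in the same `RUN` (the blind spot of a plain substring check) does not mask an uncached invocation; it also handles the JSON exec form. The sample Dockerfile is constructed for the example.

```python
"""Stand-alone checker for `apk add` without --no-cache (added example, not SDK code)."""
import json
import re
import shlex
from dataclasses import dataclass

# Constructed sample input, not from the page. The RUN starting at line 3 and the
# second command of the chained RUN starting at line 7 lack --no-cache.
SAMPLE_DOCKERFILE = """\
FROM alpine:3.19
RUN apk update
RUN apk add \\
    nginx \\
    curl
RUN apk add --no-cache ca-certificates
RUN apk --no-cache add tzdata && \\
    apk add --virtual .build-deps gcc musl-dev && \\
    apk del .build-deps
RUN echo "no package manager here"
"""

# Splits a shell command list on && || ; and |. Deliberately naive: it does not
# respect operators inside quotes, which is acceptable for a linter.
SHELL_SPLIT = re.compile(r"\s*(?:&&|\|\||;|\|)\s*")


@dataclass
class Finding:
    line: int      # line of the RUN instruction (its first line when continued)
    command: str   # the offending apk invocation, whitespace-normalised


def _flush(buf, start, result):
    """Join buffered continuation lines into one (line, INSTRUCTION, arg) triple."""
    inst, _, arg = " ".join(p.strip() for p in buf).partition(" ")
    result.append((start, inst.upper(), arg.strip()))


def parse_instructions(text):
    """Return (line, INSTRUCTION, argument) triples with backslash continuations joined."""
    result, buf, start = [], [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue                      # blank and comment lines do not end a continuation
        if not buf:
            start = lineno
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        _flush(buf, start, result)
        buf = []
    if buf:                               # dangling continuation at end of file
        _flush(buf, start, result)
    return result


def apk_add_invocations(shell):
    """Yield argv for every `apk ... add ...` command in a RUN shell string."""
    for chunk in SHELL_SPLIT.split(shell):
        try:
            argv = shlex.split(chunk)
        except ValueError:                # unbalanced quotes: fall back to a plain split
            argv = chunk.split()
        if argv and argv[0] == "apk" and "add" in argv[1:]:
            yield argv


def scan(text):
    """Flag each apk add invocation (not each RUN) that lacks --no-cache."""
    findings = []
    for lineno, inst, arg in parse_instructions(text):
        if inst != "RUN":
            continue
        if arg.startswith("["):           # exec form: RUN ["apk", "add", "curl"]
            try:
                arg = " ".join(json.loads(arg))
            except (ValueError, TypeError):
                pass                      # not valid JSON; treat it as shell form
        for argv in apk_add_invocations(arg):
            if "--no-cache" not in argv:  # apk accepts --no-cache anywhere on the line
                findings.append(Finding(lineno, " ".join(argv)))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_DOCKERFILE):
        print(f"line {f.line}: apk add without --no-cache: {f.command}")
```

Run against the constructed sample, `scan` reports the `RUN` at line 3 and the `apk add --virtual .build-deps ...` command inside the `RUN` at line 7; the chained `apk --no-cache add tzdata` and the `apk del` on the same instruction are not reported.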

## How to Fix

- Add `--no-cache` to every `apk add` in the Dockerfile, including each invocation inside a `&&` chain; a `--no-cache` on one command does not cover the next one.
- Drop any separate `RUN apk update`: with `--no-cache` each `apk add` fetches a fresh index itself, and a stand-alone update only leaves another copy of the index in its own layer.
- For packages needed only at build time, install them as a virtual group and remove them in the same RUN, e.g. `apk add --no-cache --virtual .build-deps gcc musl-dev && ... && apk del .build-deps`, so they never land in a committed layer.
- If `--no-cache` cannot be used, append `&& rm -rf /var/cache/apk/*` to the same RUN instruction; a cleanup in a later RUN does not shrink the layer that already contains the files.
- Use `docker build --check` to validate Dockerfile syntax and Docker's built-in best-practice checks, and run this ruleset for the apk-specific check.

## FAQ

**Q: Why does this rule flag apk add without --no-cache?**

Without `--no-cache`, apk leaves its index and any cached package files in `/var/cache/apk/`, and those files are committed into the image layer, adding roughly 2-5 MB that the running container never uses.

**Q: How do I fix this?**

Apply the pattern from the Secure Code section: add `--no-cache` to every `apk add` invocation, remove any separate `apk update` step, and install build-only packages as a virtual group that is deleted in the same RUN instruction.

## References

- [Alpine Linux Wiki: Alpine Package Keeper (apk)](https://wiki.alpinelinux.org/wiki/Alpine_Package_Keeper)
- [Docker Docs: Dockerfile Best Practices](https://docs.docker.com/develop/develop-images/dockerfile_best-practices/)
- [Docker Docs: Multi-Stage Builds](https://docs.docker.com/build/building/multi-stage/)

---

Source: https://codepathfinder.dev/registry/docker/best-practice/DOCKER-BP-007
Code Pathfinder — Open source, type-aware SAST with cross-file dataflow analysis
