pip install Without --no-cache-dir

LOW

pip install without --no-cache-dir. Pip cache remains in image, adding 50-200 MB depending on dependencies.

Rule Information

Language
Docker
Category
Best Practice
Author
Shivasurya
Shivasurya
Last Updated
2026-03-22
Tags
dockerdockerfilepippythonpackage-managercacheoptimizationimage-sizebest-practice
CWE References
CWE-710

Interactive Playground

Experiment with the vulnerable code and security rule below. Edit the code to see how the rule detects different vulnerability patterns.

pathfinder scan --ruleset docker/DOCKER-BP-008 --project .
1
2
3
4
5
6
7
8
9
10
rule.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25

About This Rule

Understanding the vulnerability and how it is detected

This rule detects RUN instructions using `pip install` without the `--no-cache-dir` flag. By default, pip caches downloaded packages and wheels in `~/.cache/pip/`, which can add 50-200 MB to Docker images. The --no-cache-dir flag disables caching, significantly reducing image size for Python applications.

How to Fix

Recommended remediation steps

  • 1Review your Dockerfile to address the pip install without --no-cache-dir issue
  • 2Follow Docker official best practices for image building
  • 3Use docker build --check to validate Dockerfile syntax and best practices

References

External resources and documentation

pip documentation: CachingDocker Best Practices: Python ApplicationsPython Official Docker Images Best PracticesPEP 517: Build System Independence

Similar Rules

Explore related security rules for Docker

MEDIUM

Base Image Uses :latest Tag

Base image uses ':latest' tag or no tag (defaults to latest). This makes builds non-reproducible.

INFO

Deprecated MAINTAINER Instruction

MAINTAINER instruction is deprecated. Use LABEL org.opencontainers.image.authors instead.

LOW

apt-get Without --no-install-recommends

apt-get install without --no-install-recommends. This installs unnecessary packages, increasing image size and attack surface.

Frequently Asked Questions

Common questions about pip install Without --no-cache-dir

pip install without --no-cache-dir. Pip cache remains in image, adding 50-200 MB depending on dependencies.
Review the secure code example in the playground above and apply the recommended pattern to your Dockerfile or docker-compose.yml.

New feature

Get these findings posted directly on your GitHub pull requests

The pip install Without --no-cache-dir rule runs in CI and posts inline review comments on the exact lines — no dashboard, no SARIF viewer.

See how it works
Back to Best PracticeAll Languages →