# DOCKER-BP-008: pip install Without --no-cache-dir

> **Severity:** LOW | **CWE:** CWE-710

- **Language:** Docker
- **Category:** Best Practice
- **URL:** https://codepathfinder.dev/registry/docker/best-practice/DOCKER-BP-008
- **Detection:** `pathfinder scan --ruleset docker/DOCKER-BP-008 --project .`

## Description

This rule detects `RUN` instructions that invoke `pip install` without the `--no-cache-dir`
flag. By default, pip caches downloaded packages and built wheels in `~/.cache/pip/`
(`/root/.cache/pip/` in most images), which can add 50-200 MB to a Docker image. The
`--no-cache-dir` flag disables that cache (setting `ENV PIP_NO_CACHE_DIR=1` has the same
effect for every later `pip` call), significantly reducing image size for Python applications.

## Vulnerable Code

```dockerfile
FROM python:3.11-slim

WORKDIR /app
COPY requirements.txt .

# Bad: Retains pip cache
RUN pip install -r requirements.txt

# Cache remains in /root/.cache/pip/
# Adds 50-200 MB depending on dependencies
```

## Secure Code

```dockerfile
FROM python:3.11-slim

WORKDIR /app

# Copy only requirements first for layer caching
COPY requirements.txt .

# Good: No cache retained
RUN pip install --no-cache-dir -r requirements.txt

# Copy application code
COPY . .

CMD ["python", "app.py"]
```

## Detection Rule (Python SDK)

```python
from rules.container_decorators import dockerfile_rule
from rules.container_matchers import instruction
from rules.container_combinators import all_of


@dockerfile_rule(
    id="DOCKER-BP-008",
    name="pip install Without --no-cache-dir",
    severity="LOW",
    cwe="CWE-710",
    category="best-practice",
    tags="docker,dockerfile,pip,python,package-manager,cache,optimization,image-size,best-practice",
    message="pip install without --no-cache-dir. Pip cache remains in image, adding 50-200 MB depending on dependencies."
)
def pip_without_no_cache():
    """
    Detects pip install without --no-cache-dir flag.

    pip caches downloaded packages in /root/.cache/pip/ which can
    add 50-200 MB to images. Use --no-cache-dir or ENV PIP_NO_CACHE_DIR=1.
    """
    return all_of(
        instruction(type="RUN", contains="pip install"),
        instruction(type="RUN", not_contains="--no-cache-dir")
    )
```
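The rule above is expressed in the Code Pathfinder SDK's own matcher DSL. The following stand-alone checker is an added example (not part of the page or of the Code Pathfinder project) that makes the same decision explicit, and goes a little further than the rule's two `instruction()` matchers: it joins backslash line continuations, judges each `&&`/`;`-chained command inside one `RUN` on its own, recognises `pip3` and `python -m pip` spellings, and treats an earlier `ENV PIP_NO_CACHE_DIR=1` (the alternative the docstring mentions) as compliant. The sample Dockerfiles are constructed for the example; exec-form `RUN ["pip", ...]` and heredoc `RUN` syntax are assumed out of scope.

```python
import re
from typing import Dict, List, Optional, Tuple

# Shell operators that separate commands chained inside a single RUN instruction.
_CMD_SPLIT = re.compile(r"\s*(?:&&|\|\||;)\s*")
# A pip invocation: pip / pip3 / python -m pip / python3.11 -m pip, followed by "install".
_PIP_INSTALL = re.compile(r"(?:^|\s)(?:pip3?|python3?(?:\.\d+)?\s+-m\s+pip)\s+install\b")
# Values that current pip (>= 19) reads as "true" for PIP_NO_CACHE_DIR (assumption: modern pip).
_TRUE_VALUES = {"1", "true", "yes", "on"}


def parse_instructions(dockerfile: str) -> List[Tuple[int, str, str]]:
    """Return (first_line_number, INSTRUCTION, argument) for each instruction.

    Backslash continuations are joined and comment/blank lines dropped, so a
    multi-line RUN is inspected as one command string.
    """
    instructions: List[Tuple[int, str, str]] = []
    pending: List[str] = []
    start = 0
    for lineno, raw in enumerate(dockerfile.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # comments are allowed even between continued lines
        if not pending:
            start = lineno
        if line.endswith("\\"):
            pending.append(line[:-1].strip())
            continue
        pending.append(line)
        parts = " ".join(pending).split(None, 1)
        pending = []
        keyword = parts[0].upper()
        argument = parts[1].strip() if len(parts) > 1 else ""
        instructions.append((start, keyword, argument))
    return instructions


def _env_value(argument: str, name: str) -> Optional[str]:
    """Extract NAME's value from an ENV argument in either `ENV k=v` or `ENV k v` form."""
    match = re.search(rf"(?:^|\s){re.escape(name)}(?:=|\s+)(\S+)", argument)
    return match.group(1).strip("\"'") if match else None


def find_pip_cache_findings(dockerfile: str) -> List[Tuple[int, str]]:
    """Return (line_number, command) for every pip install that leaves a cache behind.

    A command is compliant when it carries --no-cache-dir itself, or when an
    earlier ENV set PIP_NO_CACHE_DIR to a true value; a later ENV that sets it
    to a false value re-enables the cache for the RUNs that follow.
    """
    findings: List[Tuple[int, str]] = []
    cache_disabled_by_env = False
    for lineno, keyword, argument in parse_instructions(dockerfile):
        if keyword == "ENV":
            value = _env_value(argument, "PIP_NO_CACHE_DIR")
            if value is not None:
                cache_disabled_by_env = value.lower() in _TRUE_VALUES
            continue
        if keyword != "RUN":
            continue
        for command in _CMD_SPLIT.split(argument):
            if not _PIP_INSTALL.search(command):
                continue
            if cache_disabled_by_env or "--no-cache-dir" in command.split():
                continue
            findings.append((lineno, command))
    return findings


# Constructed sample Dockerfiles (not from the page), one per case the checker handles.
SAMPLE_DOCKERFILES: Dict[str, str] = {
    "flag_missing": "FROM python:3.11-slim\nWORKDIR /app\nCOPY requirements.txt .\n"
                    "RUN pip install -r requirements.txt\n",
    "flag_present": "FROM python:3.11-slim\nWORKDIR /app\n"
                    "RUN pip install --no-cache-dir -r requirements.txt\n",
    "env_true": "FROM python:3.11-slim\nENV PIP_NO_CACHE_DIR=1\n"
                "RUN pip install -r requirements.txt\n",
    "env_false": "FROM python:3.11-slim\nENV PIP_NO_CACHE_DIR=false\nRUN pip3 install flask\n",
    "chained_mixed": "FROM python:3.11-slim\nRUN apt-get update && \\\n"
                     "    # comment inside a continuation is legal\n"
                     "    pip install --no-cache-dir -r requirements.txt && \\\n"
                     "    python -m pip install gunicorn\n",
}


if __name__ == "__main__":
    for name, text in SAMPLE_DOCKERFILES.items():
        for lineno, command in find_pip_cache_findings(text):
            print(f"{name}:{lineno}: pip cache retained: {command}")
```

Run as a script it prints one line per offending command; the `chained_mixed` sample shows why per-command checking matters: the first `pip install` in that `RUN` is fine, but the chained `python -m pip install gunicorn` still populates the cache in the same layer.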

## How to Fix

- Add `--no-cache-dir` to every `pip install` in your Dockerfile's `RUN` instructions, or set `ENV PIP_NO_CACHE_DIR=1` before the first one so all later `pip` calls skip the cache
- Follow Docker's official best practices for image building
- Use `docker build --check` to validate Dockerfile syntax and best practices

## FAQ

**Q: Why does this rule flag pip install without --no-cache-dir?**

`pip install` runs without `--no-cache-dir`, so the pip cache remains in the image layer, adding 50-200 MB depending on dependencies.

**Q: How do I fix this?**

Review the Secure Code example above and apply the recommended pattern to your Dockerfile or docker-compose.yml.

## References

- [pip documentation: Caching](https://pip.pypa.io/en/stable/topics/caching/)
- [Docker Best Practices: Python Applications](https://docs.docker.com/develop/develop-images/dockerfile_best-practices/)
- [Python Official Docker Images Best Practices](https://hub.docker.com/_/python)
- [PEP 517: Build System Independence](https://peps.python.org/pep-0517/)

---

Source: https://codepathfinder.dev/registry/docker/best-practice/DOCKER-BP-008
Code Pathfinder — Open source, type-aware SAST with cross-file dataflow analysis
