# DOCKER-BP-010: Missing pipefail in Shell Commands

> **Severity:** MEDIUM | **CWE:** CWE-703

- **Language:** Docker
- **Category:** Best Practice
- **URL:** https://codepathfinder.dev/registry/docker/best-practice/DOCKER-BP-010
- **Detection:** `pathfinder scan --ruleset docker/DOCKER-BP-010 --project .`

## Description

Detects RUN instructions that use shell pipes without `set -o pipefail`.
By default a pipeline's exit status is the exit status of its last command only,
so when an earlier stage fails (for example the download feeding `tar`) and the
last stage exits 0, the RUN instruction succeeds and `docker build` continues
with an incomplete layer.

## Vulnerable Code

```dockerfile
RUN wget -O - https://example.com | tar xz  # ❌ wget failure ignored
```

## Secure Code

```dockerfile
RUN set -o pipefail && wget -O - https://example.com | tar xz  # ✅ Catches wget failures
```
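The following script is an added example (not part of the Code Pathfinder rule page or its SDK) that reproduces the failure mode outside of `docker build`. It runs RUN-style command strings through `bash -c`, the same way the shell form of RUN hands them to a shell. The producer stage `{ echo ...; exit 8; }` is a constructed stand-in for a `wget` that dies part-way through a download, and `cat` stands in for a consumer like `tar xz` that is content with whatever bytes it received and exits 0.

```shell
#!/usr/bin/env bash
# Added example, not from the Code Pathfinder page: shows how `set -o pipefail`
# changes the exit status of a pipeline whose first stage fails.

# Run a RUN-style command string the way the shell form of RUN does
# (`<shell> -c "<command>"`) and print its exit status. bash is chosen
# explicitly because pipefail is a bash option (older dash lacks it).
run_instruction() {
    local status=0
    bash -c "$1" >/dev/null 2>&1 || status=$?
    echo "$status"
}

# Constructed stand-in for `wget -O - https://example.com | tar xz`:
# the producer emits some output and then fails with status 8.
VULNERABLE_RUN='{ echo "partial payload"; exit 8; } | cat'

# The same pipeline prefixed as in the Secure Code example above.
SECURE_RUN="set -o pipefail && $VULNERABLE_RUN"

vulnerable_status() { run_instruction "$VULNERABLE_RUN"; }   # 0: producer failure masked by cat
secure_status()     { run_instruction "$SECURE_RUN"; }       # 8: producer failure surfaces

# Minimal form of the same rule: the status of `false | true` is the last
# stage's (0) by default, and the rightmost failing stage's (1) with pipefail.
pipeline_status() {
    local prefix=""
    [ "$1" = "pipefail" ] && prefix="set -o pipefail; "
    bash -c "${prefix}false | true; echo \$?"
}

main() {
    echo "vulnerable RUN exit status: $(vulnerable_status)"
    echo "secure RUN exit status:     $(secure_status)"
    echo "false | true (default):     $(pipeline_status default)"
    echo "false | true (pipefail):    $(pipeline_status pipefail)"
}
main "$@"
```

A `docker build` only stops when the RUN step returns non-zero, so the vulnerable form (status 0) produces a layer from a truncated download while the secure form (status 8) fails the build. Note that `set -o pipefail` is not portable: on images whose `/bin/sh` is an older dash (the default on Debian-based images), the `set` builtin rejects the option and the RUN step fails outright, which is why Docker's guidance is to select a capable shell first with `SHELL ["/bin/bash", "-o", "pipefail", "-c"]`.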

## Detection Rule (Python SDK)

```python
from rules.container_decorators import dockerfile_rule
from rules.container_matchers import instruction
from rules.container_combinators import all_of


@dockerfile_rule(
    id="DOCKER-BP-010",
    name="Missing pipefail in Shell Commands",
    severity="MEDIUM",
    cwe="CWE-703",
    category="best-practice",
    tags="docker,dockerfile,shell,bash,pipefail,error-handling,best-practice,reliability,build,pipes",
    message="RUN instruction uses pipes without 'set -o pipefail'. This masks failures in piped commands."
)
def set_pipefail():
    return all_of(
        instruction(type="RUN", contains="|"),
        instruction(type="RUN", not_contains="set -o pipefail")
    )
```

## How to Fix

- Prefix each piped command in a RUN instruction with `set -o pipefail &&` so that a failure in any stage of the pipeline fails the instruction and stops the build
- Alternatively, select a shell that supports the option once for the whole Dockerfile with the exec-form instruction `SHELL ["/bin/bash", "-o", "pipefail", "-c"]`, as the Docker Dockerfile best practices recommend; this also avoids the `set: Illegal option` error that older dash builds (the default `/bin/sh` on Debian-based images) raise for `-o pipefail`
- Use `docker build --check` to validate Dockerfile syntax and best practices

## FAQ

**Q: Why does this rule flag missing pipefail in shell commands?**

Because a pipeline's exit status is, by default, that of its last command. If the first stage (such as a `wget` download) fails but the last stage exits 0, the RUN instruction succeeds, the build continues, and the resulting image contains whatever partial output reached the consumer. With `set -o pipefail` the pipeline returns the status of the rightmost failing command, so the RUN step fails and the build stops at the real error.

**Q: How do I fix this?**

Review the Secure Code example above and apply the same pattern to every RUN instruction in your Dockerfile that uses a pipe, either by prefixing the command with `set -o pipefail &&` or by setting the build shell with the `SHELL` instruction. Note that the matcher above looks for the literal text `set -o pipefail` in the RUN instruction, so Dockerfiles that rely only on the `SHELL` form will still be reported by this rule as written.

## References

- [Dockerfile Best Practice: Set SHELL with pipefail for RUN pipes](https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run)
- [Bash Manual: set builtin](https://www.gnu.org/software/bash/manual/html_node/The-Set-Builtin.html)

---

Source: https://codepathfinder.dev/registry/docker/best-practice/DOCKER-BP-010
Code Pathfinder — Open source, type-aware SAST with cross-file dataflow analysis
