Remove apt Package Lists

LOW

apt-get install without removing /var/lib/apt/lists/*. This wastes image space.

Rule Information

Language
Docker
Category
Best Practice
Author
Shivasurya
Shivasurya
Last Updated
2026-03-22
Tags
dockerdockerfileapt-getpackage-managerubuntudebiancachecleanupimage-sizeoptimizationbest-practice
CWE References
CWE-710

Interactive Playground

Experiment with the vulnerable code and security rule below. Edit the code to see how the rule detects different vulnerability patterns.

pathfinder scan --ruleset docker/DOCKER-BP-014 --project .
1
2
3
4
rule.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19

About This Rule

Understanding the vulnerability and how it is detected

Detects 'apt-get install' without removing /var/lib/apt/lists/*. Package lists contain repository metadata that is not needed at runtime and wastes space. This is specific to Debian/Ubuntu based images.

How to Fix

Recommended remediation steps

  • 1Use apt-get instead of apt in Dockerfiles for stable CLI behavior
  • 2Always run apt-get update && apt-get install in the same RUN instruction
  • 3Add --no-install-recommends to minimize installed packages
  • 4Clean up with rm -rf /var/lib/apt/lists/* in the same layer

References

External resources and documentation

Docker Best PracticesDockerfile Best Practice: Remove apt package lists after install

Similar Rules

Explore related security rules for Docker

MEDIUM

Base Image Uses :latest Tag

Base image uses ':latest' tag or no tag (defaults to latest). This makes builds non-reproducible.

INFO

Deprecated MAINTAINER Instruction

MAINTAINER instruction is deprecated. Use LABEL org.opencontainers.image.authors instead.

LOW

apt-get Without --no-install-recommends

apt-get install without --no-install-recommends. This installs unnecessary packages, increasing image size and attack surface.

Frequently Asked Questions

Common questions about Remove apt Package Lists

apt is designed for interactive use and its output format may change between versions. apt-get provides a stable CLI interface suitable for scripting and Dockerfiles.
Docker caches layers. If apt-get update is in a separate RUN, the package index cache may be stale when install runs, causing package-not-found errors.

New feature

Get these findings posted directly on your GitHub pull requests

The Remove apt Package Lists rule runs in CI and posts inline review comments on the exact lines — no dashboard, no SARIF viewer.

See how it works
Back to Best PracticeAll Languages →