Rule Information
Tags
dockerdockerfilecmdentrypointexec-formjsonsignal-handlingbest-practiceprocess-managementpid1
CWE References
Interactive Playground
Experiment with the vulnerable code and security rule below. Edit the code to see how the rule detects different vulnerability patterns.
pathfinder scan --ruleset docker/DOCKER-BP-016 --project .1
2
3
4
5
rule.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
About This Rule
Understanding the vulnerability and how it is detected
Detects CMD or ENTRYPOINT using shell form instead of exec form (JSON array). Shell form wraps commands in /bin/sh -c, which creates issues with signal handling, process management, and adds an unnecessary shell layer.
How to Fix
Recommended remediation steps
- 1Review your Dockerfile to address the prefer json notation for cmd/entrypoint issue
- 2Follow Docker official best practices for image building
- 3Use docker build --check to validate Dockerfile syntax and best practices
References
External resources and documentation
Similar Rules
Explore related security rules for Docker
MEDIUM
Base Image Uses :latest Tag
Base image uses ':latest' tag or no tag (defaults to latest). This makes builds non-reproducible.
INFO
Deprecated MAINTAINER Instruction
MAINTAINER instruction is deprecated. Use LABEL org.opencontainers.image.authors instead.
LOW
apt-get Without --no-install-recommends
apt-get install without --no-install-recommends. This installs unnecessary packages, increasing image size and attack surface.
Frequently Asked Questions
Common questions about Prefer JSON Notation for CMD/ENTRYPOINT
Use JSON notation (exec form) for CMD/ENTRYPOINT for proper signal handling.
Review the secure code example in the playground above and apply the recommended pattern to your Dockerfile or docker-compose.yml.
New feature
Get these findings posted directly on your GitHub pull requests
The Prefer JSON Notation for CMD/ENTRYPOINT rule runs in CI and posts inline review comments on the exact lines — no dashboard, no SARIF viewer.