# DOCKER-BP-016: Prefer JSON Notation for CMD/ENTRYPOINT

> **Severity:** LOW | **CWE:** CWE-710

- **Language:** Docker
- **Category:** Best Practice
- **URL:** https://codepathfinder.dev/registry/docker/best-practice/DOCKER-BP-016
- **Detection:** `pathfinder scan --ruleset docker/DOCKER-BP-016 --project .`

## Description

Detects a CMD or ENTRYPOINT written in shell form (a plain string) instead of exec form (a JSON array).
Docker runs a shell-form instruction as `/bin/sh -c "<command>"`, so the shell, not your program, is PID 1.
The shell does not forward signals to its child, so the SIGTERM sent by `docker stop` or an orchestrator
never reaches the process; Docker waits out the stop timeout and then SIGKILLs the container, skipping any
graceful shutdown. The extra shell also adds a process that serves no purpose, and a shell-form ENTRYPOINT
silently discards CMD and any `docker run` arguments.

## Vulnerable Code

```dockerfile
FROM nginx:alpine

# Bad: shell form. Each instruction runs as /bin/sh -c "...", so sh is PID 1
# and the SIGTERM from docker stop never reaches nginx or start.sh.
CMD nginx -g "daemon off;"
# A shell-form ENTRYPOINT also ignores CMD and any docker run arguments.
ENTRYPOINT /app/start.sh
```

## Secure Code

```dockerfile
FROM nginx:alpine

# Good: exec form (JSON array, double quotes). The program runs as PID 1 and
# receives signals directly; CMD is appended to ENTRYPOINT as its arguments,
# so start.sh should finish with an exec of the final process.
CMD ["nginx", "-g", "daemon off;"]
ENTRYPOINT ["/app/start.sh"]
```

## Detection Rule (Python SDK)

```python
from rules.container_decorators import dockerfile_rule
from rules.container_matchers import instruction
from rules.container_combinators import any_of


@dockerfile_rule(
    id="DOCKER-BP-016",
    name="Prefer JSON Notation for CMD/ENTRYPOINT",
    severity="LOW",
    cwe="CWE-710",
    category="best-practice",
    tags="docker,dockerfile,cmd,entrypoint,exec-form,json,signal-handling,best-practice,process-management,pid1",
    message="Use JSON notation (exec form) for CMD/ENTRYPOINT for proper signal handling."
)
def prefer_json_notation():
    return any_of(
        instruction(type="CMD", command_form="shell"),
        instruction(type="ENTRYPOINT", command_form="shell")
    )
```
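The SDK rule above only matches the two instruction forms. As an added example (mine, not Code Pathfinder's engine), the script below applies the same shell-form test to a Dockerfile without the SDK, handles the parsing corner cases the rule has to get right (case-insensitive instruction names, backslash continuations, comment lines, and an array written with single quotes, which is not valid JSON and is therefore treated by Docker as shell form), proposes an exec-form rewrite that keeps an explicit `sh -c` when the command really depends on the shell, and reports the related pitfall that a shell-form ENTRYPOINT discards CMD. The two sample Dockerfiles are constructed for the example; `scan`, `command_form` and `suggest_exec_form` are names of this example, not the project's API.

```python
"""Stand-alone DOCKER-BP-016 checker with a suggested fix (added example; not the
Code Pathfinder engine). Parsing follows the Dockerfile reference: instruction
names are case-insensitive, '#' starts a comment line, a trailing backslash
continues an instruction, and only a valid JSON array of strings is exec form."""
import ast
import json
import shlex

CHECKED = ("CMD", "ENTRYPOINT")
SHELL_OPERATORS = set("();<>|&")  # a token made only of these needs a real shell


def logical_lines(text):
    """Yield (line_number, text) per logical line, folding continuations."""
    parts, start = [], None
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank and comment lines, also inside a continuation
        start = number if start is None else start
        if line.endswith("\\"):
            parts.append(line[:-1].rstrip())
            continue
        parts.append(line)
        yield start, " ".join(parts)
        parts, start = [], None
    if parts:  # continuation left open at end of file
        yield start, " ".join(parts)


def command_form(args):
    """'exec' for a valid JSON array of strings, otherwise 'shell'."""
    if args.startswith("["):
        try:
            value = json.loads(args)
        except ValueError:
            return "shell"  # Docker silently falls back to shell form here
        if isinstance(value, list) and all(isinstance(v, str) for v in value):
            return "exec"
    return "shell"


def suggest_exec_form(args):
    """Exec-form array for args, or None if no safe rewrite exists. Commands that
    rely on the shell ($VAR, pipes, chaining, redirection) are kept verbatim
    behind an explicit sh -c, because exec form performs no expansion."""
    if args.startswith("["):  # an array with the wrong quotes: re-emit as JSON
        try:
            value = ast.literal_eval(args)
        except (ValueError, SyntaxError):
            return None
        ok = isinstance(value, list) and all(isinstance(v, str) for v in value)
        return json.dumps(value) if ok else None
    lexer = shlex.shlex(args, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True  # split on whitespace and shell operators
    tokens = list(lexer)
    needs_shell = ("$" in args or "`" in args
                   or any(tok and set(tok) <= SHELL_OPERATORS for tok in tokens))
    return json.dumps(["sh", "-c", args] if needs_shell else tokens)


def scan(text):
    """One finding per shell-form CMD/ENTRYPOINT, plus a closing note when a
    shell-form ENTRYPOINT makes CMD and docker run arguments unreachable."""
    findings, entrypoint_shell, cmd_seen = [], False, False
    for number, logical in logical_lines(text):
        fields = logical.split(None, 1)
        keyword = fields[0].upper()
        if keyword not in CHECKED:
            continue
        args = fields[1].strip() if len(fields) > 1 else ""
        cmd_seen = cmd_seen or keyword == "CMD"
        if command_form(args) == "exec":
            continue
        entrypoint_shell = entrypoint_shell or keyword == "ENTRYPOINT"
        fix = suggest_exec_form(args)
        findings.append({
            "line": number, "instruction": keyword,
            "message": f"{keyword} uses shell form: /bin/sh -c becomes PID 1 and "
                       "does not forward SIGTERM from docker stop",
            "suggestion": f"{keyword} {fix}" if fix else None})
    if entrypoint_shell and cmd_seen:
        findings.append({
            "line": None, "instruction": "ENTRYPOINT", "suggestion": None,
            "message": "shell-form ENTRYPOINT ignores CMD and docker run arguments"})
    return findings


# Constructed sample inputs (not from the page); the first mirrors its bad example.
SAMPLE_DOCKERFILE = """\
# comment lines are skipped
FROM nginx:alpine
CMD nginx -g "daemon off;"
ENTRYPOINT /app/start.sh
"""
EDGE_CASES = """\
FROM python:3.12-slim
cmd ['python', 'app.py']
ENTRYPOINT /usr/local/bin/run \\
    --port 8080
CMD ["sh", "-c", "echo $HOME && exec python app.py"]
CMD echo "$HOME" && exec python app.py
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_DOCKERFILE) + scan(EDGE_CASES):
        print(finding["line"], finding["message"], "->", finding["suggestion"])
```

Running it on the first sample reproduces the page's secure code as the suggested fix. The rewrite deliberately refuses to turn `echo "$HOME" && ...` into a bare array: exec form would pass the literal string `$HOME` and the literal token `&&` to `echo`, so the only behaviour-preserving exec form is an explicit `sh -c`, and the wrapped command should then `exec` its final process so that process, not the shell, ends up as PID 1.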

## How to Fix

- Rewrite each CMD and ENTRYPOINT as a JSON array with one element per argument, using double quotes; single quotes are not valid JSON, and Docker silently treats such a line as shell form.
- Remember that exec form does no shell processing: environment variables, pipes and `&&` are passed through literally. If the command genuinely needs the shell, make it explicit with `sh -c` as the first elements of the array, and have the shell `exec` the final process so that process becomes PID 1.
- If ENTRYPOINT points at a wrapper script, end the script by `exec`-ing the real service; otherwise the script's interpreter stays as PID 1 and the signal problem returns.
- Follow the Docker official best practices for image building.
- Run `docker build --check` (Docker Engine 27 / BuildKit 0.15 and later) to validate the Dockerfile without building it; its `JSONArgsRecommended` check reports the same pattern.

## FAQ

**Q: Why does this rule flag a shell-form CMD or ENTRYPOINT?**

Shell form runs the command under `/bin/sh -c`, which makes the shell PID 1. The shell does not forward SIGTERM to your process, so `docker stop` waits out its timeout and then kills the container instead of letting the service shut down cleanly. Exec form (JSON array) starts the process directly.

**Q: How do I fix this?**

Convert the instruction to a JSON array as in the secure code example above. In docker-compose.yml, use the list form of `command:` and `entrypoint:`, which corresponds to exec form.

## References

- [Docker Best Practices](https://docs.docker.com/develop/develop-images/dockerfile_best-practices/)
- [Dockerfile Best Practice: Use JSON notation for CMD/ENTRYPOINT](https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#cmd)
- [Docker ENTRYPOINT documentation](https://docs.docker.com/reference/dockerfile/#entrypoint)

---

Source: https://codepathfinder.dev/registry/docker/best-practice/DOCKER-BP-016
Code Pathfinder — Open source, type-aware SAST with cross-file dataflow analysis
