Rule Information
Tags
dockerdockerfileworkdircddirectorybest-practicemaintainabilityclarityanti-pattern
CWE References
Interactive Playground
Experiment with the vulnerable code and security rule below. Edit the code to see how the rule detects different vulnerability patterns.
pathfinder scan --ruleset docker/DOCKER-BP-017 --project .1
2
3
4
5
6
7
rule.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
About This Rule
Understanding the vulnerability and how it is detected
Detects use of 'cd' command in RUN instructions when WORKDIR is not used. Using 'cd' in RUN commands is error-prone, less clear, and doesn't persist across instructions. WORKDIR is the proper way to set working directory.
How to Fix
Recommended remediation steps
- 1Review your Dockerfile to address the use workdir instead of cd issue
- 2Follow Docker official best practices for image building
- 3Use docker build --check to validate Dockerfile syntax and best practices
References
External resources and documentation
Similar Rules
Explore related security rules for Docker
MEDIUM
Base Image Uses :latest Tag
Base image uses ':latest' tag or no tag (defaults to latest). This makes builds non-reproducible.
INFO
Deprecated MAINTAINER Instruction
MAINTAINER instruction is deprecated. Use LABEL org.opencontainers.image.authors instead.
LOW
apt-get Without --no-install-recommends
apt-get install without --no-install-recommends. This installs unnecessary packages, increasing image size and attack surface.
Frequently Asked Questions
Common questions about Use WORKDIR Instead of cd
Use WORKDIR instruction instead of 'cd' in RUN commands.
Review the secure code example in the playground above and apply the recommended pattern to your Dockerfile or docker-compose.yml.
New feature
Get these findings posted directly on your GitHub pull requests
The Use WORKDIR Instead of cd rule runs in CI and posts inline review comments on the exact lines — no dashboard, no SARIF viewer.