# DOCKER-BP-018: Use Absolute Path in WORKDIR

> **Severity:** LOW | **CWE:** CWE-710

- **Language:** Docker
- **Category:** Best Practice
- **URL:** https://codepathfinder.dev/registry/docker/best-practice/DOCKER-BP-018
- **Detection:** `pathfinder scan --ruleset docker/DOCKER-BP-018 --project .`

## Description

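Detects `WORKDIR` instructions that use a relative path instead of an absolute one.
Docker resolves a relative `WORKDIR` against the previous `WORKDIR`, including one
inherited from the base image, so the effective directory cannot be read from the
instruction itself. This causes confusion about the actual working directory and
makes Dockerfiles harder to understand and maintain.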

## Vulnerable Code

```dockerfile
FROM node:18

# Bad: Relative path - where is this relative to?
WORKDIR app
# Now at some-unknown-path/app/src
WORKDIR src
```

## Secure Code

```dockerfile
FROM node:18

# Good: Absolute path - clear and unambiguous
WORKDIR /app
# Clear full path
WORKDIR /app/src
```

## Detection Rule (Python SDK)

```python
from rules.container_decorators import dockerfile_rule
from rules.container_matchers import instruction


@dockerfile_rule(
    id="DOCKER-BP-018",
    name="Use Absolute Path in WORKDIR",
    severity="LOW",
    cwe="CWE-710",
    category="best-practice",
    tags="docker,dockerfile,workdir,path,absolute-path,best-practice,clarity,maintainability,filesystem",
    message="WORKDIR should use absolute paths starting with /."
)
def use_absolute_workdir():
    return instruction(type="WORKDIR", workdir_not_absolute=True)
```
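To see what a relative `WORKDIR` actually resolves to, the following stand-alone sketch walks a Dockerfile and reports each non-absolute `WORKDIR` with its effective path. It is an added example, not Code Pathfinder's implementation of `workdir_not_absolute`; the function name, the `<unknown>` placeholder, the sample Dockerfile, and the choice not to flag `$VAR` arguments are assumptions of this example, and it assumes one instruction per line.

```python
import posixpath
import re

UNKNOWN = "<unknown>"  # working directory that cannot be determined from the Dockerfile alone
WINDOWS_ABS = re.compile(r"^[A-Za-z]:[\\/]")  # e.g. C:\app in Windows images

# Constructed sample Dockerfile for this example.
SAMPLE = """\
FROM node:18 AS build
# relative to whatever the base image left as its working directory
WORKDIR app
WORKDIR src
FROM node:18
WORKDIR /srv
WORKDIR ./api
WORKDIR ../logs
WORKDIR $APP_HOME
"""


def relative_workdirs(dockerfile_text):
    """Return (line, argument, effective_path) for each WORKDIR that is not absolute."""
    findings = []
    cwd = UNKNOWN
    for lineno, raw in enumerate(dockerfile_text.splitlines(), 1):
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue  # blank line, comment, or instruction without arguments
        keyword, arg = parts[0].upper(), parts[1].strip().strip("\"'")
        if keyword == "FROM":
            cwd = UNKNOWN  # a new stage starts in its base image's working directory
        elif keyword != "WORKDIR":
            continue
        elif arg.startswith("$"):
            cwd = UNKNOWN  # value known only at build time; this example does not flag it
        elif arg.startswith("/") or WINDOWS_ABS.match(arg):
            cwd = arg
        else:
            resolved = posixpath.join(cwd, arg)
            if cwd.startswith("/"):
                resolved = posixpath.normpath(resolved)
            findings.append((lineno, arg, resolved))
            cwd = resolved
    return findings


if __name__ == "__main__":
    for lineno, arg, effective in relative_workdirs(SAMPLE):
        print(f"line {lineno}: WORKDIR {arg} -> {effective}")
```

The first stage's findings stay rooted at `<unknown>` because nothing in the Dockerfile fixes the starting directory, which is the ambiguity the rule is meant to remove.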

## How to Fix

- Replace each relative `WORKDIR` argument in your Dockerfile with the absolute path it is meant to resolve to, starting with `/`
- Follow Docker's official best practices for image building
- Use `docker build --check` to validate Dockerfile syntax and best practices

## FAQ

**Q: Why does this rule flag a relative path in WORKDIR?**

`WORKDIR` should use absolute paths starting with `/`.

**Q: How do I fix this?**

Review the secure code example above and apply the recommended pattern to your Dockerfile or docker-compose.yml.

## References

- [Docker Best Practices](https://docs.docker.com/develop/develop-images/dockerfile_best-practices/)
- [Dockerfile Best Practice: Use absolute WORKDIR](https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#workdir)

