# DOCKER-BP-020: Missing zypper clean

> **Severity:** LOW | **CWE:** CWE-710

- **Language:** Docker
- **Category:** Best Practice
- **URL:** https://codepathfinder.dev/registry/docker/best-practice/DOCKER-BP-020
- **Detection:** `pathfinder scan --ruleset docker/DOCKER-BP-020 --project .`

## Description

Detects 'zypper install' commands without subsequent 'zypper clean'.
Package manager caches unnecessarily increase image size by storing package metadata
and repository information that is not needed at runtime.

## Vulnerable Code

```python
FROM opensuse/leap:15.4

# Bad: Leaves zypper cache, increases image size
RUN zypper install -y nginx
```

## Secure Code

```python
FROM opensuse/leap:15.4

# Good: Cleans cache in same layer
RUN zypper install -y nginx && zypper clean
```

## Detection Rule (Python SDK)

```python
from rules.container_decorators import dockerfile_rule
from rules.container_matchers import instruction
from rules.container_combinators import all_of


@dockerfile_rule(
    id="DOCKER-BP-020",
    name="Missing zypper clean",
    severity="LOW",
    cwe="CWE-710",
    category="best-practice",
    tags="docker,dockerfile,zypper,package-manager,opensuse,suse,cache,cleanup,image-size,optimization,best-practice",
    message="RUN uses 'zypper install' without 'zypper clean'. This increases image size."
)
def missing_zypper_clean():
    return all_of(
        instruction(type="RUN", contains="zypper install"),
        instruction(type="RUN", not_contains="zypper clean")
    )
```

## How to Fix

- Review your Dockerfile to address the missing zypper clean issue
- Follow Docker official best practices for image building
- Use docker build --check to validate Dockerfile syntax and best practices

## FAQ

**Q: Why does this rule flag missing zypper clean?**

RUN uses 'zypper install' without 'zypper clean'. This increases image size.

**Q: How do I fix this?**

Review the secure code example in the playground above and apply the recommended pattern to your Dockerfile or docker-compose.yml.

## References

- [Docker Best Practices](https://docs.docker.com/develop/develop-images/dockerfile_best-practices/)
- [Dockerfile Best Practice: Avoid zypper clean all](https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run)

---

Source: https://codepathfinder.dev/registry/docker/best-practice/DOCKER-BP-020
Code Pathfinder — Open source, type-aware SAST with cross-file dataflow analysis