Missing -y flag for apt-get

LOW

apt-get install is called without the -y flag. Add -y or --yes for non-interactive builds.

Rule Information

Language
Docker
Category
Best Practice
Author
Shivasurya
Last Updated
2026-03-22
Tags
docker, dockerfile, apt-get, package-manager, automation, ci-cd, build, ubuntu, debian, best-practice, non-interactive
CWE References

Scan command

pathfinder scan --ruleset docker/DOCKER-BP-021 --project .

About This Rule

Understanding the vulnerability and how it is detected

An apt-get install call in a RUN instruction has no -y flag. Without it, apt-get asks "Do you want to continue? [Y/n]" before installing anything; a Docker build has no terminal attached, so the prompt reads end-of-file, apt-get aborts, and the build fails (or, worse, a cached earlier layer masks the failure until the cache is invalidated). Add -y or --yes so the install runs unattended in non-interactive builds.

How to Fix

Recommended remediation steps

  1. Use apt-get instead of apt in Dockerfiles for stable CLI behavior
  2. Always run apt-get update && apt-get install in the same RUN instruction
  3. Add --no-install-recommends to minimize installed packages
  4. Clean up with rm -rf /var/lib/apt/lists/* in the same layer
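The following is an added illustration of the check this rule performs, written for this page; it is not pathfinder's own rule.py and does not reproduce its internals. It joins RUN line continuations, splits each instruction into its && / ; / | sub-commands, and flags any apt-get install call that carries neither -y, --yes, --assume-yes nor a combined short cluster such as -qy. The Dockerfile it scans is constructed for the example: the first RUN shows the pattern the rule reports, the second RUN shows the remediated form that also applies the four steps above.

```python
import re
import shlex

# Constructed sample Dockerfile for this example (not from any real project).
# RUN at line 4 is the pattern DOCKER-BP-021 flags; RUN at line 8 is the fixed form.
SAMPLE_DOCKERFILE = """\
FROM ubuntu:22.04

# Problem: apt-get install will prompt, read EOF, and abort during docker build
RUN apt-get update && \\
    apt-get install curl ca-certificates

# Remediated: -y for unattended install, same layer for update/install/cleanup
RUN apt-get update && \\
    apt-get install -y --no-install-recommends curl ca-certificates && \\
    rm -rf /var/lib/apt/lists/*
"""

# apt-get accepts -y, --yes and --assume-yes as equivalent spellings.
YES_FLAGS = {"-y", "--yes", "--assume-yes"}
SUBCOMMAND_SPLIT = re.compile(r"\s*(?:&&|\|\||;|\|)\s*")
SHORT_CLUSTER = re.compile(r"^-[a-zA-Z]+$")  # e.g. -qy, -yq


def run_instructions(dockerfile: str):
    """Yield (line_number, shell_command) for every shell-form RUN instruction,
    joining backslash line continuations into one command string."""
    lines = dockerfile.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        start = i + 1
        if line.lstrip().upper().startswith("RUN "):
            rest = line.split(None, 1)
            parts = [rest[1] if len(rest) > 1 else ""]
            while parts[-1].rstrip().endswith("\\") and i + 1 < len(lines):
                parts[-1] = parts[-1].rstrip()[:-1]  # drop the continuation backslash
                i += 1
                parts.append(lines[i].strip())
            yield start, " ".join(p.strip() for p in parts)
        i += 1


def lacks_yes(tokens):
    """True when the token list is an apt-get install call without an assume-yes flag.
    Flags are accepted before or after the 'install' verb, as apt-get allows."""
    if "apt-get" not in tokens:
        return False
    after = tokens[tokens.index("apt-get") + 1:]
    if "install" not in after:
        return False
    for tok in after:
        if tok in YES_FLAGS:
            return False
        if SHORT_CLUSTER.match(tok) and "y" in tok[1:]:
            return False
    return True


def find_missing_yes(dockerfile: str):
    """Return [(line_number, offending_subcommand), ...] for the given Dockerfile text."""
    findings = []
    for line_no, cmd in run_instructions(dockerfile):
        if cmd.lstrip().startswith("["):
            continue  # exec-form RUN ["...", "..."]: not covered by this illustration
        for sub in SUBCOMMAND_SPLIT.split(cmd):
            try:
                tokens = shlex.split(sub)
            except ValueError:
                continue  # unbalanced quotes; skip rather than guess
            if lacks_yes(tokens):
                findings.append((line_no, sub.strip()))
    return findings


if __name__ == "__main__":
    for line_no, sub in find_missing_yes(SAMPLE_DOCKERFILE):
        print(f"line {line_no}: apt-get install without -y: {sub}")
```

Run against the sample, the only finding is line 4; the remediated RUN at line 8 passes. Note that -y only suppresses apt-get's own confirmation prompt; packages whose postinst scripts ask debconf questions still need DEBIAN_FRONTEND=noninteractive on the same RUN line, which is a separate concern from this rule.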


Frequently Asked Questions

Common questions about Missing -y flag for apt-get

apt is designed for interactive use and its output format may change between versions. apt-get provides a stable CLI interface suitable for scripting and Dockerfiles.

Docker caches layers. If apt-get update is in a separate RUN, the package index cache may be stale when install runs, causing package-not-found errors.

The Missing -y flag for apt-get rule runs in CI and posts inline review comments on the exact lines — no dashboard, no SARIF viewer.