# DOCKER-BP-022: Missing HEALTHCHECK Instruction

> **Severity:** LOW | **CWE:** CWE-710

- **Language:** Docker
- **Category:** Best Practice
- **URL:** https://codepathfinder.dev/registry/docker/best-practice/DOCKER-BP-022
- **Detection:** `pathfinder scan --ruleset docker/DOCKER-BP-022 --project .`

## Description

This rule detects Dockerfiles that do not include a HEALTHCHECK instruction.
Health checks allow Docker, Kubernetes, and other orchestrators to monitor
container health and automatically restart or replace failing containers,
improving application availability and resilience.

## Vulnerable Code

```dockerfile
FROM python:3.11-slim

WORKDIR /app
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt

COPY . .

# No HEALTHCHECK - orchestrator cannot detect app failures
CMD ["python", "app.py"]
```

## Secure Code

```dockerfile
FROM python:3.11-slim

WORKDIR /app
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt

COPY . .

# Health check: test the HTTP endpoint every 30s.
# python:3.11-slim does not ship curl or wget, so a curl-based check would
# always fail; use the interpreter already in the image instead (urlopen
# raises on connection errors, timeouts and non-2xx responses, so the
# command exits non-zero and Docker marks the container unhealthy).
HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
  CMD python -c "import urllib.request; urllib.request.urlopen('http://localhost:8000/health', timeout=3)" || exit 1

CMD ["python", "app.py"]
```

## Detection Rule (Python SDK)

```python
from rules.container_decorators import dockerfile_rule
from rules.container_matchers import missing


@dockerfile_rule(
    id="DOCKER-BP-022",
    name="Missing HEALTHCHECK Instruction",
    severity="LOW",
    cwe="CWE-710",
    category="best-practice",
    tags="docker,dockerfile,healthcheck,monitoring,observability,orchestration,kubernetes,reliability,best-practice,availability",
    message="No HEALTHCHECK instruction. Container health cannot be monitored by orchestrators, reducing reliability and observability."
)
def missing_healthcheck():
    """
    Detects missing HEALTHCHECK instruction.

    Health checks allow Docker, Kubernetes, and other orchestrators to
    monitor application health and automatically restart failing containers,
    significantly improving availability.
    """
    return missing(instruction="HEALTHCHECK")
```

## How to Fix

- Add a HEALTHCHECK instruction to enable container health monitoring
- Use curl, wget, or a custom health check script
- Set appropriate interval, timeout, and retries for your application

## FAQ

**Q: Why add HEALTHCHECK to a Dockerfile?**

HEALTHCHECK lets Docker and orchestrators like Kubernetes detect when your application is unhealthy and automatically restart or replace the container.

**Q: What is a good health check command?**

For web services: `HEALTHCHECK CMD curl -f http://localhost:8080/health || exit 1`. For non-HTTP services, use a custom script that verifies the application is responsive.
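The fix above only helps if `/health` reflects real application state and the probe exits non-zero when it does not. The following is an added, constructed example (not Code Pathfinder's code) of an `app.py` for the `python:3.11-slim` image shown: it serves `/health` on port 8000, returns 503 when any dependency check fails or exceeds a time budget, and doubles as a stdlib-only HEALTHCHECK probe for images without curl. The `db` and `cache` checks are hypothetical placeholders.

```python
import json
import sys
import time
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hypothetical dependency checks (each returns True when healthy); placeholders stand in for real pings.
CHECKS = {"db": lambda: True, "cache": lambda: True}


def evaluate_health(checks, deadline_s=2.0):
    """Run each check under one time budget; return (healthy, per-check detail)."""
    start, details = time.monotonic(), {}
    for name, fn in checks.items():
        if time.monotonic() - start > deadline_s:
            details[name] = "skipped: deadline exceeded"  # stay under HEALTHCHECK --timeout
            continue
        try:
            details[name] = "ok" if fn() else "fail"
        except Exception as exc:  # a crashing check is reported as unhealthy, not as a 500
            details[name] = f"error: {exc}"
    return all(v == "ok" for v in details.values()), details


class HealthHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path != "/health":
            self.send_response(404)
            self.end_headers()
            return
        healthy, details = evaluate_health(CHECKS)
        body = json.dumps({"status": "ok" if healthy else "fail", "checks": details}).encode()
        self.send_response(200 if healthy else 503)  # 503 makes curl --fail and urlopen() report failure
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the periodic probe out of the container log
        pass


def probe(url="http://localhost:8000/health", timeout_s=3.0):
    """HEALTHCHECK command for images without curl: 0 on 2xx, 1 on anything else."""
    try:
        with urllib.request.urlopen(url, timeout=timeout_s) as resp:
            return 0 if 200 <= resp.status < 300 else 1
    except Exception:  # connection refused, timeout, or HTTPError (non-2xx)
        return 1


if __name__ == "__main__":
    if sys.argv[1:] == ["probe"]:  # `python app.py probe` is the HEALTHCHECK command
        sys.exit(probe())
    HTTPServer(("0.0.0.0", 8000), HealthHandler).serve_forever()
```

With this file, the Dockerfile line becomes `HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 CMD python app.py probe`. Kubernetes does not execute the Dockerfile HEALTHCHECK, so point its livenessProbe or readinessProbe at the same `/health` endpoint.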

## References

- [Docker HEALTHCHECK documentation](https://docs.docker.com/reference/dockerfile/#healthcheck)
- [Kubernetes Liveness and Readiness Probes](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/)
- [12-Factor App: Admin Processes](https://12factor.net/admin-processes)
- [Production-Ready Health Checks (Microsoft)](https://learn.microsoft.com/en-us/dotnet/architecture/microservices/implement-resilient-applications/monitor-app-health)

---

Source: https://codepathfinder.dev/registry/docker/best-practice/DOCKER-BP-022
Code Pathfinder — Open source, type-aware SAST with cross-file dataflow analysis
