Prefer apt-get over apt

LOW

Use apt-get instead of apt for better script stability in Dockerfiles.

Rule Information

Language
Docker
Category
Best Practice
Author
Shivasurya
Shivasurya
Last Updated
2026-03-22
Tags
dockerdockerfileaptapt-getpackage-managerubuntudebianscriptingstabilityreproducibilitybest-practice
CWE References
CWE-710

Interactive Playground

Experiment with the vulnerable code and security rule below. Edit the code to see how the rule detects different vulnerability patterns.

pathfinder scan --ruleset docker/DOCKER-BP-023 --project .
1
2
3
4
rule.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19

About This Rule

Understanding the vulnerability and how it is detected

Detects use of 'apt' command instead of 'apt-get' in Dockerfiles. The 'apt' command is designed for interactive use and has an unstable CLI interface that may change between versions, making builds less reproducible.

How to Fix

Recommended remediation steps

  • 1Use apt-get instead of apt in Dockerfiles for stable CLI behavior
  • 2Always run apt-get update && apt-get install in the same RUN instruction
  • 3Add --no-install-recommends to minimize installed packages
  • 4Clean up with rm -rf /var/lib/apt/lists/* in the same layer

References

External resources and documentation

Docker Best PracticesDockerfile Best Practice: Avoid apt instead of apt-getDebian apt vs apt-get documentation

Similar Rules

Explore related security rules for Docker

MEDIUM

Base Image Uses :latest Tag

Base image uses ':latest' tag or no tag (defaults to latest). This makes builds non-reproducible.

INFO

Deprecated MAINTAINER Instruction

MAINTAINER instruction is deprecated. Use LABEL org.opencontainers.image.authors instead.

LOW

apt-get Without --no-install-recommends

apt-get install without --no-install-recommends. This installs unnecessary packages, increasing image size and attack surface.

Frequently Asked Questions

Common questions about Prefer apt-get over apt

apt is designed for interactive use and its output format may change between versions. apt-get provides a stable CLI interface suitable for scripting and Dockerfiles.
Docker caches layers. If apt-get update is in a separate RUN, the package index cache may be stale when install runs, causing package-not-found errors.

New feature

Get these findings posted directly on your GitHub pull requests

The Prefer apt-get over apt rule runs in CI and posts inline review comments on the exact lines — no dashboard, no SARIF viewer.

See how it works
Back to Best PracticeAll Languages →