# DOCKER-BP-023: Prefer apt-get over apt

> **Severity:** LOW | **CWE:** CWE-710

- **Language:** Docker
- **Category:** Best Practice
- **URL:** https://codepathfinder.dev/registry/docker/best-practice/DOCKER-BP-023
- **Detection:** `pathfinder scan --ruleset docker/DOCKER-BP-023 --project .`

## Description

Detects use of the `apt` command instead of `apt-get` in `RUN` instructions of a Dockerfile.
`apt` is designed for interactive use and does not have a stable command-line interface: its
options and output may change between versions (it prints a warning to that effect when its output
is not a terminal), so builds that script against it are less reproducible.

## Vulnerable Code

```dockerfile
FROM ubuntu:22.04

# Bad: apt is for interactive use, unstable in scripts
RUN apt update && apt install -y nginx
```

## Secure Code

```dockerfile
FROM ubuntu:22.04

# Good: apt-get has stable CLI for scripting
RUN apt-get update && apt-get install -y nginx
```

## Detection Rule (Python SDK)

```python
from rules.container_decorators import dockerfile_rule
from rules.container_matchers import instruction
from rules.container_combinators import all_of


@dockerfile_rule(
    id="DOCKER-BP-023",
    name="Prefer apt-get over apt",
    severity="LOW",
    cwe="CWE-710",
    category="best-practice",
    tags="docker,dockerfile,apt,apt-get,package-manager,ubuntu,debian,scripting,stability,reproducibility,best-practice",
    message="Use apt-get instead of apt for better script stability in Dockerfiles."
)
def prefer_apt_get():
    # First matcher: a RUN that calls `apt install`. `\bapt\s+` requires
    # whitespace after "apt", so `apt-get install` (hyphen after "apt") is
    # not matched. Only `apt install` is covered; a RUN that calls just
    # `apt update` or `apt upgrade` is not reported by this pattern.
    # Second matcher: the same RUN must not mention apt-get at all, so a
    # mixed line such as `apt update && apt-get install` is not reported.
    return all_of(
        instruction(type="RUN", regex=r"\bapt\s+install"),
        instruction(type="RUN", not_contains="apt-get")
    )
```

## How to Fix

- Use `apt-get` instead of `apt` in Dockerfiles; its CLI is stable across releases and intended for scripts
- Run `apt-get update` and `apt-get install` in the same `RUN` instruction so the package index is never served from a stale cached layer
- Add `--no-install-recommends` to `apt-get install` to keep the installed package set minimal
- Remove the package lists with `rm -rf /var/lib/apt/lists/*` in the same layer so they do not bloat the image
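The following stand-alone checker is an added example for this page; it is not Code Pathfinder's code and does not use the SDK rule shown above. It applies the detection idea from the rule section and the fix steps from the list above to constructed Dockerfile text: it joins backslash continuations so a multi-line `RUN` is checked as one command, flags every `apt <subcommand>` (not only `apt install`) while leaving `apt-get` and `apt-cache` alone, still reports a `RUN` that mixes `apt` and `apt-get`, and offers a mechanical `apt` to `apt-get` rewrite. The three sample Dockerfiles and all function names are constructed for the example.

```python
import re

# Constructed sample Dockerfiles for the example (not from any real project).
BAD_DOCKERFILE = """\
FROM ubuntu:22.04
# apt in a script: the anti-pattern this rule targets
RUN apt update && apt install -y nginx
"""

# Multi-line RUN with a lone `apt upgrade` and an apt-get call on the same
# instruction: the page's `\\bapt\\s+install` plus not_contains("apt-get")
# combination would not report this, but the apt calls are still a problem.
BAD_MULTILINE = """\
FROM debian:bookworm
RUN apt update \\
    && apt upgrade -y \\
    && apt-get install -y curl
"""

# The complete fixed form following the How to Fix list: update, install
# with recommends disabled, and list cleanup in a single layer.
FIXED_DOCKERFILE = """\
FROM ubuntu:22.04
RUN apt-get update \\
    && apt-get install -y --no-install-recommends nginx \\
    && rm -rf /var/lib/apt/lists/*
"""

# `apt` followed by whitespace and a subcommand that apt-get also accepts.
# `apt-get` and `apt-cache` have a hyphen after "apt", so `\s+` rejects them;
# the lookbehind rejects names such as `x-apt` or `libapt`.
APT_RE = re.compile(
    r"(?<![\w.-])apt\s+(update|upgrade|install|remove|purge|autoremove)\b"
)
RUN_RE = re.compile(r"RUN\s+(.*)", re.IGNORECASE)


def run_instructions(dockerfile):
    """Yield (line_no, shell_command) for each RUN instruction, with
    backslash continuations joined into one command string."""
    lines = dockerfile.splitlines()
    i = 0
    while i < len(lines):
        start = i + 1
        parts = [lines[i].strip()]
        while parts[-1].endswith("\\") and i + 1 < len(lines):
            parts[-1] = parts[-1][:-1]
            i += 1
            nxt = lines[i].strip()
            if nxt.startswith("#"):
                # Docker drops comment lines inside a continuation;
                # keep the continuation open and read the next line.
                parts[-1] += "\\"
                continue
            parts.append(nxt)
        i += 1
        m = RUN_RE.match(" ".join(parts).strip())
        if m:
            yield start, m.group(1).strip()


def find_apt_usage(dockerfile):
    """Return [(line_no, matched_text)] for every `apt <subcommand>` call
    found in a RUN instruction."""
    findings = []
    for line_no, cmd in run_instructions(dockerfile):
        for m in APT_RE.finditer(cmd):
            findings.append((line_no, m.group(0)))
    return findings


def rewrite_apt(command):
    """Replace `apt <sub>` with `apt-get <sub>` in a shell command. This only
    fixes the CLI choice; --no-install-recommends and the lists cleanup from
    the fix list above still have to be added by hand."""
    return APT_RE.sub(r"apt-get \1", command)


if __name__ == "__main__":
    for name, text in (("bad", BAD_DOCKERFILE), ("multiline", BAD_MULTILINE),
                       ("fixed", FIXED_DOCKERFILE)):
        for line_no, hit in find_apt_usage(text):
            print(f"{name}:{line_no}: use apt-get instead of '{hit}'")
    print(rewrite_apt("apt update && apt install -y nginx"))
```

Run it directly to see the findings for the two bad samples and a clean pass for the fixed one. The continuation joining matters in practice: a rule that inspects Dockerfile lines one at a time would see `&& apt upgrade -y` without its `RUN` and miss it.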

## FAQ

**Q: Why use apt-get instead of apt?**

`apt` is designed for interactive use: its options and output format may change between versions, and it warns that it has no stable CLI interface when run from a script. `apt-get` provides a stable command-line interface intended for scripting and is the right choice in Dockerfiles.

**Q: Why combine update and install in one RUN?**

Docker caches layers. If `apt-get update` sits in its own `RUN` instruction, a later edit to the install line rebuilds only the install layer; the update layer is reused from cache, so the install runs against a stale package index whose versions no longer exist on the mirror and fails with package-not-found errors.

## References

- [Docker Best Practices](https://docs.docker.com/develop/develop-images/dockerfile_best-practices/)
- [Dockerfile Best Practices: apt-get section](https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#apt-get)
- [Debian apt vs apt-get documentation](https://wiki.debian.org/AptCLI)

---

Source: https://codepathfinder.dev/registry/docker/best-practice/DOCKER-BP-023
Code Pathfinder — Open source, type-aware SAST with cross-file dataflow analysis
