# DOCKER-BP-028: Avoid apk upgrade

> **Severity:** MEDIUM | **CWE:** CWE-710

- **Language:** Docker
- **Category:** Best Practice
- **URL:** https://codepathfinder.dev/registry/docker/best-practice/DOCKER-BP-028
- **Detection:** `pathfinder scan --ruleset docker/DOCKER-BP-028 --project .`

## Description

Avoid `apk upgrade` in Dockerfiles. It replaces every installed package with whatever version the Alpine repository index holds at build time, so the same Dockerfile produces a different image on different days and the package set inside the image cannot be reproduced or audited. Take updates by moving to a newer, specific base image version instead, and pin the packages you install.

## Vulnerable Code

```dockerfile
FROM alpine:3.19

# Bad: Using apk upgrade
# Makes builds non-reproducible
RUN apk update && apk upgrade
RUN apk add nginx
```

## Secure Code

```dockerfile
# Good: Use specific base image version
FROM alpine:3.19.0

# Install packages without upgrading
RUN apk add --no-cache nginx=1.24.0-r15

# If you need latest packages, update the base image version
# FROM alpine:3.20.0
```

## Detection Rule (Python SDK)

```python
from rules.container_decorators import dockerfile_rule
from rules.container_matchers import instruction


@dockerfile_rule(
    id="DOCKER-BP-028",
    name="Avoid apk upgrade",
    severity="MEDIUM",
    cwe="CWE-710",
    category="best-practice",
    tags="docker,dockerfile,apk,package-manager,alpine,upgrade,reproducibility,best-practice,anti-pattern",
    message="Avoid 'apk upgrade' in Dockerfiles. Use specific base image versions instead for reproducible builds."
)
def avoid_apk_upgrade():
    # Flag any RUN instruction whose command text contains "apk upgrade".
    return instruction(type="RUN", contains="apk upgrade")
```
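A standalone checker in the same spirit, added here as an example; it does not use Code Pathfinder's `rules.*` SDK and is not the project's implementation of this rule. It joins backslash-continued `RUN` lines, normalizes the exec form (`RUN ["apk", "upgrade"]`) to shell text, and allows apk flags between `apk` and `upgrade` (`apk --no-cache upgrade`, `apk -U upgrade`), which a plain `"apk upgrade"` substring would miss, while leaving `apk add -u <pkg>` alone. The Dockerfile text, the regex and the function names are constructed for this example; the `# escape=` directive and heredoc bodies are not handled.

```python
"""Find `apk upgrade` in Dockerfiles (added example, not Code Pathfinder's code)."""
import json
import re
from typing import List, Tuple

# `apk upgrade`, optionally with global apk flags between the two words
# (`apk --no-cache upgrade`, `apk -U upgrade`). `apk add -u pkg` is a
# different command and is deliberately not matched.
APK_UPGRADE_RE = re.compile(r"\bapk\b(?:\s+-\S+)*\s+upgrade\b")


def _instruction(logical: str, start: int) -> Tuple[int, str, str]:
    """Split one logical line into (start_line, INSTRUCTION, argument)."""
    parts = logical.split(None, 1)
    return (start, parts[0].upper(), parts[1] if len(parts) > 1 else "")


def parse_instructions(dockerfile: str) -> List[Tuple[int, str, str]]:
    """Return (start_line, INSTRUCTION, argument) for each logical instruction.

    Backslash-continued lines are joined, and blank or `#` comment lines are
    dropped even inside a continuation (Docker permits comments there).
    Assumption of this example: the default `\\` escape character is in use.
    """
    instructions: List[Tuple[int, str, str]] = []
    logical = ""
    start = 0
    for lineno, raw in enumerate(dockerfile.splitlines(), start=1):
        piece = raw.strip()
        if not piece or piece.startswith("#"):
            continue
        if not logical:
            start = lineno
        if piece.endswith("\\"):
            logical += piece[:-1].rstrip() + " "
            continue
        logical += piece
        instructions.append(_instruction(logical, start))
        logical = ""
    if logical.strip():  # file ended on a continuation line; keep what we have
        instructions.append(_instruction(logical, start))
    return instructions


def shell_text(argument: str) -> str:
    """Return a RUN argument as shell text; exec form (a JSON array) is joined with spaces."""
    if argument.startswith("["):
        try:
            words = json.loads(argument)
            if isinstance(words, list) and all(isinstance(w, str) for w in words):
                return " ".join(words)
        except ValueError:
            pass
    return argument


def has_apk_upgrade(argument: str) -> bool:
    """True if a RUN argument (shell or exec form) invokes `apk upgrade`."""
    return APK_UPGRADE_RE.search(shell_text(argument)) is not None


def find_apk_upgrade(dockerfile: str) -> List[Tuple[int, str]]:
    """Return (line, command) for every RUN instruction that runs `apk upgrade`."""
    return [
        (line, argument)
        for line, keyword, argument in parse_instructions(dockerfile)
        if keyword == "RUN" and has_apk_upgrade(argument)
    ]


# Constructed sample input for this example, not a Dockerfile from the page.
SAMPLE_DOCKERFILE = """\
FROM alpine:3.19
# continuation, with apk flags placed before the subcommand
RUN apk update && \\
    apk --no-cache upgrade && \\
    apk add nginx
RUN ["apk", "upgrade", "--available"]
# `apk add -u` upgrades a single package; it is a different command and is not flagged
RUN apk add --no-cache -u curl
# text-level checkers (this one and a substring match alike) cannot tell a
# command from a string, so expect this line to be a false positive
RUN echo "never run apk upgrade in CI"
"""

if __name__ == "__main__":
    for line, command in find_apk_upgrade(SAMPLE_DOCKERFILE):
        print(f"DOCKER-BP-028 line {line}: RUN {command}")
```

Run against the sample it reports lines 3, 6 and 11; the `echo` hit shows why a rule of this kind is a text match rather than a shell parse, and why its findings are worth a quick manual look.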

## How to Fix

- Remove the `apk upgrade` step (and the `apk update` that usually precedes it) from your `RUN` instructions; install what the image needs with `apk add --no-cache <package>`, pinning versions where practical.
- Pin the base image to a specific tag (`alpine:3.19.0` rather than `alpine:3.19` or `alpine`); for a fully reproducible build, pin its digest as well (`FROM alpine:3.19.0@sha256:<digest>`).
- Take security updates by bumping the base image tag and rebuilding, not by upgrading in place. Note that Alpine branch repositories only serve the current build of each package, so an exact `package=version` pin has to be updated whenever that package is rebuilt.
- Use `docker build --check` to validate Dockerfile syntax and built-in best-practice checks.

## FAQ

**Q: Why does this rule flag `apk upgrade`?**

`apk upgrade` replaces the installed packages with whatever versions the repository index holds at the moment the image is built. Two builds of the same Dockerfile can therefore produce different images, which defeats reproducibility and makes it hard to know which package versions are actually inside the image.

**Q: How do I fix this?**

Remove the `apk upgrade` step, pin the base image to a specific version, and install packages with `apk add --no-cache`, pinning versions where practical, as in the secure code example above. When you need newer packages, move to a newer base image tag and rebuild.

---

Source: https://codepathfinder.dev/registry/docker/best-practice/DOCKER-BP-028
Code Pathfinder — Open source, type-aware SAST with cross-file dataflow analysis
