# DOCKER-BP-029: Avoid yum update

> **Severity:** MEDIUM | **CWE:** CWE-710

- **Language:** Docker
- **Category:** Best Practice
- **URL:** https://codepathfinder.dev/registry/docker/best-practice/DOCKER-BP-029
- **Detection:** `pathfinder scan --ruleset docker/DOCKER-BP-029 --project .`

## Description

Detects use of 'yum update' in Dockerfiles. Running system updates in Docker builds
creates unpredictable, non-reproducible images and can introduce breaking changes or
security vulnerabilities.

## Vulnerable Code

```dockerfile
FROM centos:latest
RUN yum update -y  # Bad: Unpredictable, non-reproducible builds
RUN yum install -y httpd
```

## Secure Code

```dockerfile
FROM centos:8  # Specific version
RUN yum install -y httpd-2.4.37-43.module_el8.5.0
# Or install latest from specific base image
RUN yum install -y httpd
```

## Detection Rule (Python SDK)

```python
from rules.container_decorators import dockerfile_rule
from rules.container_matchers import instruction


@dockerfile_rule(
    id="DOCKER-BP-029",
    name="Avoid yum update",
    severity="MEDIUM",
    cwe="CWE-710",
    category="best-practice",
    tags="docker,dockerfile,yum,package-manager,centos,rhel,update,reproducibility,best-practice,anti-pattern",
    message="Avoid 'yum update' in Dockerfiles. Use specific base image versions for reproducible builds."
)
def avoid_yum_update():
    return instruction(type="RUN", contains="yum update")
```
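The matcher above is a substring test (`contains="yum update"`) over each `RUN` instruction. The following is an added, stand-alone illustration of how such a check behaves on real Dockerfile input; it is not Code Pathfinder's SDK code. It parses a Dockerfile into instructions (joining backslash continuations, skipping comments, expanding the JSON exec form), flags `RUN` lines that invoke `yum update`/`yum upgrade` even when a flag such as `-y` sits between them, and, since the rule's fix is to pin the base image, also reports a `FROM` that has no tag or uses `:latest`. The sample Dockerfile, the regex and the `Finding` type are constructed for this example.

```python
import json
import re
from dataclasses import dataclass

# Constructed sample Dockerfile (not from the Code Pathfinder project). It mixes a
# backslash-continued RUN, a chained command, a comment and clean installs.
SAMPLE_DOCKERFILE = """\
FROM centos:latest
# yum update in a comment must not be flagged
RUN yum -y update && \\
    yum install -y httpd
RUN yum install -y curl
RUN yum clean all; yum upgrade -y
RUN yum update-minimal -y
"""

# "yum", optional flags such as -y or --assumeyes, then "update"/"upgrade" as a
# whole word. "yum update-minimal" is deliberately not matched by this pattern.
YUM_UPDATE_RE = re.compile(
    r"\byum\b(?:\s+-{1,2}[\w-]+(?:=\S+)?)*\s+(?:update|upgrade)(?![\w-])"
)


@dataclass
class Finding:
    rule: str   # "yum-update" or "unpinned-base-image"
    line: int   # 1-based line where the instruction starts
    text: str   # the joined instruction argument


def _emit(instructions, start, buf):
    joined = " ".join(part.strip() for part in buf)
    keyword, _, arg = joined.partition(" ")
    instructions.append((start, keyword.upper(), arg.strip()))


def parse_instructions(text):
    """Return (start_line, KEYWORD, argument) for every instruction, joining
    backslash-continued lines and skipping comment and blank lines."""
    instructions, buf, start = [], [], None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if start is None:
            start = lineno
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        _emit(instructions, start, buf)
        buf, start = [], None
    if buf:  # dangling continuation at end of file
        _emit(instructions, start, buf)
    return instructions


def base_image_unpinned(image):
    """True when an image reference has no tag or uses :latest and has no digest."""
    if image.lower() == "scratch" or "@" in image or image.startswith("$"):
        return False
    name = image.rsplit("/", 1)[-1]  # ignore a registry:port prefix
    _, sep, tag = name.partition(":")
    return not sep or tag == "latest"


def check_dockerfile(text):
    """Run both checks over a Dockerfile string and return the findings in order."""
    findings, stages = [], set()
    for start, keyword, arg in parse_instructions(text):
        if keyword == "FROM":
            tokens = [t for t in arg.split() if not t.startswith("--")]  # drop --platform=
            if len(tokens) >= 3 and tokens[1].upper() == "AS":
                stages.add(tokens[2])
            if tokens and tokens[0] not in stages and base_image_unpinned(tokens[0]):
                findings.append(Finding("unpinned-base-image", start, arg))
        elif keyword == "RUN":
            cmd = arg
            if arg.startswith("["):  # exec form: RUN ["yum", "update", "-y"]
                try:
                    cmd = " ".join(json.loads(arg))
                except (ValueError, TypeError):
                    pass
            if YUM_UPDATE_RE.search(cmd):
                findings.append(Finding("yum-update", start, arg))
    return findings


if __name__ == "__main__":
    for f in check_dockerfile(SAMPLE_DOCKERFILE):
        print(f"line {f.line}: {f.rule}: {f.text}")
```

On the sample above this reports the unpinned `centos:latest` on line 1 and the two update invocations on lines 3 and 6, while the comment, the plain `yum install` and `yum update-minimal` are left alone. A plain substring test such as the SDK rule's `contains="yum update"` would miss the `yum -y update` spelling on line 3, which is why the regex allows flags between the command and the subcommand.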

## How to Fix

- Remove `yum update` from your `RUN` instructions; pin the base image tag (and, where needed, explicit package versions) instead, so the image is rebuilt reproducibly
- Follow Docker's official Dockerfile best practices for image building
- Use `docker build --check` to validate Dockerfile syntax and best practices

## FAQ

**Q: Why does this rule flag `yum update`?**

Avoid 'yum update' in Dockerfiles. Use specific base image versions for reproducible builds.

**Q: How do I fix this?**

Review the Secure Code example above and apply the recommended pattern to your Dockerfile or docker-compose.yml.

## References

- [Docker Best Practices](https://docs.docker.com/develop/develop-images/dockerfile_best-practices/)
- [Dockerfile Best Practice: Avoid apt-get upgrade](https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#apt-get)

---

Source: https://codepathfinder.dev/registry/docker/best-practice/DOCKER-BP-029
Code Pathfinder — Open source, type-aware SAST with cross-file dataflow analysis
