# DOCKER-BP-030: Nonsensical Command

> **Severity:** LOW | **CWE:** CWE-710

- **Language:** Docker
- **Category:** Best Practice
- **URL:** https://codepathfinder.dev/registry/docker/best-practice/DOCKER-BP-030
- **Detection:** `pathfinder scan --ruleset docker/DOCKER-BP-030 --project .`

## Description

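Detects a `cd` command in the middle or at the end of a RUN instruction
chain (after `;` or `&&`). A `cd` inside RUN only affects the remaining
commands of that same instruction and does not persist to later
instructions, so using it this way is confusing and suggests the developer
may not realize that WORKDIR should be used instead.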

## Vulnerable Code

```dockerfile
FROM ubuntu:22.04

# Bad: cd in chain is confusing and pointless
RUN apt-get update && cd /tmp && apt-get install -y nginx
RUN mkdir /app; cd /app; touch file.txt
```

## Secure Code

```dockerfile
FROM ubuntu:22.04

# Good: Use WORKDIR to change directories
RUN apt-get update && apt-get install -y nginx
WORKDIR /app
RUN touch file.txt
```

## Detection Rule (Python SDK)

```python
from rules.container_decorators import dockerfile_rule
from rules.container_matchers import instruction
from rules.container_combinators import any_of


@dockerfile_rule(
    id="DOCKER-BP-030",
    name="Nonsensical Command",
    severity="LOW",
    cwe="CWE-710",
    category="best-practice",
    tags="docker,dockerfile,cd,workdir,directory,shell,best-practice,anti-pattern,confusing",
    message="RUN command uses 'cd' which doesn't persist. Use WORKDIR instead."
)
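def nonsensical_command():
    # Flag a RUN instruction when either pattern matches.
    return any_of(
        # 'cd' following a ';' separator
        instruction(type="RUN", regex=r";\s*cd\s+"),
        # 'cd' following an '&&' separator
        instruction(type="RUN", regex=r"&&\s*cd\s+")
    )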
```
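The following is an added example, not Code Pathfinder's own code: a standalone approximation of the rule's two regexes using only Python's `re` module, so the matching behaviour can be checked without the SDK. The function names and the sample Dockerfile are constructed for illustration, and the sketch assumes a plain Dockerfile without heredocs or a custom escape directive.

```python
import re

# The rule's two patterns merged into one: 'cd' after ';' or '&&'.
MIDCHAIN_CD = re.compile(r"(?:;|&&)\s*cd\s+")

# Constructed sample input, not taken from a real project.
SAMPLE = """\
FROM ubuntu:22.04
RUN apt-get update && cd /tmp && apt-get install -y nginx
RUN mkdir /app; cd /app; touch file.txt
RUN cd /opt && ls
RUN apt-get update \\
    && cd /srv \\
    && touch marker
WORKDIR /app
RUN touch file.txt
"""


def logical_instructions(text):
    """Yield (start_line, instruction) with backslash continuations joined."""
    buf, start = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank and comment lines are dropped, even mid-continuation
        start = start or lineno
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line)
        yield start, " ".join(buf)
        buf, start = [], None
    if buf:  # file ended on a dangling continuation
        yield start, " ".join(buf)


def find_midchain_cd(text):
    """Return (line, instruction) for each RUN with a mid-chain cd."""
    return [
        (start, instr)
        for start, instr in logical_instructions(text)
        if instr.upper().startswith("RUN ") and MIDCHAIN_CD.search(instr)
    ]


if __name__ == "__main__":
    for line, instr in find_midchain_cd(SAMPLE):
        print(f"line {line}: {instr}")
```

On the sample it reports lines 2, 3 and 5; `RUN cd /opt && ls` on line 4 is not reported because the patterns only match `cd` after `;` or `&&`.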

## How to Fix

- Review your Dockerfile for `cd` inside RUN chains and replace it with a WORKDIR instruction before the RUN that needs that directory
- Follow Docker official best practices for image building
- Use `docker build --check` to validate Dockerfile syntax and best practices

## FAQ

**Q: Why does this rule flag a nonsensical command?**

The RUN command uses `cd`, which doesn't persist. Use WORKDIR instead.

**Q: How do I fix this?**

Review the Secure Code example above and apply the recommended pattern to your Dockerfile or docker-compose.yml.

## References

- [Docker Best Practices](https://docs.docker.com/develop/develop-images/dockerfile_best-practices/)
- [Dockerfile Best Practice: Set SHELL with pipefail for RUN pipes](https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run)

---

Source: https://codepathfinder.dev/registry/docker/best-practice/DOCKER-BP-030
Code Pathfinder — Open source, type-aware SAST with cross-file dataflow analysis
