Best Practices

Detects RUN instructions using Alpine Linux's apk add command without the --no-cache flag, which unnecessarily increases Docker image size by 2-5 MB.

Detects usage of the deprecated MAINTAINER instruction, which has been deprecated since Docker 1.13 in favor of LABEL instructions with standardized OCI metadata keys.

Detects Dockerfiles without a HEALTHCHECK instruction, which prevents orchestrators from monitoring container health and automatically restarting failing containers.

Detects pip install without --no-cache-dir flag, which leaves pip cache in the image adding 50-200 MB depending on dependencies.

Detects FROM instructions using :latest tag or no tag, which makes builds non-reproducible and can introduce unexpected breaking changes or security vulnerabilities.

Detects use of apk upgrade in Dockerfiles, which creates unpredictable, non-reproducible builds.

Detects use of apt-get upgrade or dist-upgrade in Dockerfiles, which creates unpredictable, non-reproducible images.

Detects use of dnf update in Dockerfiles, which creates unpredictable, non-reproducible builds.

Detects FROM instructions with --platform flag, which reduces portability by hardcoding platform architecture.

Detects use of yum update in Dockerfiles, which creates unpredictable, non-reproducible builds.

Detects use of zypper update in Dockerfiles, which creates unpredictable, non-reproducible builds.

Detects apt-get install without -y flag, which can cause builds to hang waiting for user input.

Detects dnf install without -y flag for non-interactive builds.

Detects dnf install commands without subsequent dnf clean all, which unnecessarily increases image size.

Detects FROM instructions using latest tag or no tag, creating non-reproducible builds.

Detects yum install without -y flag for non-interactive builds.

Detects yum install without yum clean all, leaving package cache and increasing image size.

Detects zypper install without zypper clean, which increases image size.

Detects RUN commands using cd which doesn't persist between instructions. Use WORKDIR instead.

Detects use of apt instead of apt-get, which provides better script stability in Dockerfiles.

Detects use of ADD instruction when COPY would suffice. ADD has implicit behavior that can be surprising and create security risks.

Detects shell form for CMD/ENTRYPOINT which doesn't handle signals correctly. Use exec form (JSON) for proper signal handling.

Detects apt-get install without removing /var/lib/apt/lists/*, which wastes image space.

Detects RUN instructions using pipes without set -o pipefail, which masks failures in piped commands.

Detects WORKDIR with relative paths, which can be confusing and error-prone.

Detects installation of both wget and curl, which wastes space. Choose one tool for downloads.

Detects use of cd in RUN commands without WORKDIR. WORKDIR is more explicit and persistent.

Detects apt-get install without --no-install-recommends flag, which installs unnecessary packages increasing image size and attack surface.