Best Practices
Docker best practices and optimization rules
Run All Best Practices Rules
pathfinder scan --ruleset cpf/docker/best-practices
Rules
Base Image Uses :latest Tag
Severity: medium. Detects FROM instructions that use the :latest tag, which makes builds non-reproducible.
Missing Healthcheck
Severity: medium. A container without a HEALTHCHECK instruction cannot be monitored for health status.
Deprecated MAINTAINER Instruction
Severity: low. The MAINTAINER instruction has been deprecated since Docker 1.13; use LABEL with OCI metadata keys instead.
apt-get Without --no-install-recommends
Severity: low. apt-get install without --no-install-recommends bloats images by 30-50% with unnecessary packages.
Avoid apt-get upgrade
Severity: medium. apt-get upgrade creates non-reproducible builds. Use specific base image versions instead.
apk add Without --no-cache
Severity: low. Alpine apk add without --no-cache leaves the package cache in the image, adding 2-5 MB of unnecessary data.
pip install Without --no-cache-dir
Severity: low. pip install without --no-cache-dir leaves its cache in ~/.cache/pip/, adding 50-200 MB to images.
Missing pipefail in Shell Commands
Severity: medium. Shell pipes without pipefail mask failures in earlier commands, because only the exit code of the last command in the pipe is returned.
Prefer COPY Over ADD
Severity: low. ADD has implicit behavior (tar extraction, URL download) that can be surprising. Use COPY unless you need ADD's features.
Missing yum clean all
Severity: low. yum install without yum clean all leaves the package cache behind, unnecessarily increasing image size.
Missing dnf clean all
Severity: low. dnf install without dnf clean all leaves the package cache behind, unnecessarily increasing image size.
Remove apt Package Lists
Severity: low. apt-get without removing /var/lib/apt/lists/* wastes space on package metadata that is not needed at runtime.
Missing Image Version
Severity: high. Using latest or untagged images creates non-reproducible builds that can break unexpectedly.
Prefer JSON Notation for CMD/ENTRYPOINT
Severity: low. Shell form wraps the command in /bin/sh -c, which does not pass signals through to the process correctly. Use exec form (JSON) for proper signal handling.
Use WORKDIR Instead of cd
Severity: low. Using cd in RUN commands is error-prone and does not persist. WORKDIR is explicit and affects all subsequent instructions.
Use Absolute Path in WORKDIR
Severity: low. WORKDIR should use absolute paths starting with /. Relative paths can be confusing and error-prone.
Avoid zypper update
Severity: medium. zypper update in Dockerfiles creates non-reproducible builds. Use specific base image versions instead.
Missing zypper clean
Severity: low. zypper install without zypper clean increases image size with an unnecessary cache.
Missing -y flag for apt-get
Severity: low. apt-get install without the -y flag may hang in non-interactive builds waiting for user input.
Prefer apt-get over apt
Severity: low. Use apt-get instead of apt for better script stability in Dockerfiles; apt's output format may change.
Install Only One of wget or curl
Severity: low. Installing both wget and curl wastes space. Choose one tool for HTTP operations.
Missing -y flag for yum
Severity: low. yum install without the -y flag may hang in non-interactive builds.
Missing -y flag for dnf
Severity: low. dnf install without the -y flag may hang in non-interactive builds.
Avoid --platform Flag with FROM
Severity: low. FROM with the --platform flag reduces portability. Let Docker handle platform selection automatically.
Avoid apk upgrade
Severity: medium. apk upgrade in Dockerfiles creates non-reproducible builds. Use specific base image versions instead.
Avoid yum update
Severity: medium. yum update creates non-reproducible builds. Use specific base image versions instead.
Avoid dnf update
Severity: medium. dnf update creates non-reproducible builds. Use specific base image versions instead.
Nonsensical Command
Severity: low. The RUN command uses cd, which does not persist across layers. Use WORKDIR instead.
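As an added example (not part of this page and not pathfinder's own code), the following Python checker implements a subset of the rules above and runs them over a constructed Dockerfile. The rule names and severities come from this page; the parsing approach, the sample Dockerfile and the SHELL-based pipefail tracking are assumptions.

```python
import re

# Constructed sample Dockerfile (not from the page) that violates several rules listed above.
SAMPLE_DOCKERFILE = """\
FROM python:latest
MAINTAINER someone@example.invalid
RUN apt-get install curl \\
    && rm -rf /var/lib/apt/lists/*
RUN curl -fsSL https://example.invalid/setup.sh | sh
RUN cd /app && make
CMD python app.py
"""

def parse_instructions(text):
    """Join backslash continuations and yield (INSTRUCTION, arguments) pairs."""
    for line in re.sub(r"\\\n", " ", text).splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            inst, _, args = line.partition(" ")
            yield inst.upper(), args.strip()

def lint_dockerfile(text):
    """Return (severity, rule name) findings for a subset of the rules above."""
    findings, pipefail, healthcheck = [], False, False
    for inst, args in parse_instructions(text):
        if inst == "FROM":
            # Skip flags such as --platform; the image reference is the first plain token.
            image = next(t for t in args.split() if not t.startswith("--"))
            if image.endswith(":latest"):
                findings.append(("medium", "Base Image Uses :latest Tag"))
            elif ":" not in image and "@" not in image and image != "scratch":
                findings.append(("high", "Missing Image Version"))  # stage aliases not tracked
        elif inst == "MAINTAINER":
            findings.append(("low", "Deprecated MAINTAINER Instruction"))
        elif inst == "SHELL":
            pipefail = "pipefail" in args  # e.g. SHELL ["/bin/bash", "-o", "pipefail", "-c"]
        elif inst == "HEALTHCHECK":
            healthcheck = True
        elif inst == "RUN":
            if re.search(r"apt-get\s+install", args) and "--no-install-recommends" not in args:
                findings.append(("low", "apt-get Without --no-install-recommends"))
            # A single '|' is a pipe; '||' is a shell OR and is ignored.
            if re.search(r"(?<!\|)\|(?!\|)", args) and not pipefail and "pipefail" not in args:
                findings.append(("medium", "Missing pipefail in Shell Commands"))
            if re.search(r"(^|&&|;|\|)\s*cd\s", args):
                findings.append(("low", "Use WORKDIR Instead of cd"))
        elif inst in ("CMD", "ENTRYPOINT") and not args.startswith("["):
            findings.append(("low", "Prefer JSON Notation for CMD/ENTRYPOINT"))
    if not healthcheck:
        findings.append(("medium", "Missing Healthcheck"))
    return findings
```

Calling lint_dockerfile(SAMPLE_DOCKERFILE) yields seven findings in instruction order, ending with the image-wide Missing Healthcheck result.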