apk add Without --no-cache

LOW

apk add without --no-cache. Package cache remains in image, increasing size by 2-5 MB.

Rule Information

Language
Docker
Category
Best Practice
Author
Shivasurya
Shivasurya
Last Updated
2026-03-22
Tags
dockerdockerfileapkpackage-manageralpinecacheoptimizationimage-sizebest-practicelinux
CWE References
CWE-710

Interactive Playground

Experiment with the vulnerable code and security rule below. Edit the code to see how the rule detects different vulnerability patterns.

pathfinder scan --ruleset docker/DOCKER-BP-007 --project .
1
2
3
4
5
6
7
8
9
10
11
rule.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25

About This Rule

Understanding the vulnerability and how it is detected

This rule detects RUN instructions using Alpine Linux's `apk add` command without the `--no-cache` flag. Alpine's package manager caches downloaded packages in `/var/cache/apk/`, which unnecessarily increases Docker image size. The --no-cache flag prevents caching, keeping images minimal.

How to Fix

Recommended remediation steps

  • 1Review your Dockerfile to address the apk add without --no-cache issue
  • 2Follow Docker official best practices for image building
  • 3Use docker build --check to validate Dockerfile syntax and best practices

References

External resources and documentation

Alpine Linux Package ManagementDocker Official Images: Alpine Best PracticesAlpine Linux Wiki: Package ManagementDocker Multi-Stage Builds with Alpine

Similar Rules

Explore related security rules for Docker

MEDIUM

Base Image Uses :latest Tag

Base image uses ':latest' tag or no tag (defaults to latest). This makes builds non-reproducible.

INFO

Deprecated MAINTAINER Instruction

MAINTAINER instruction is deprecated. Use LABEL org.opencontainers.image.authors instead.

LOW

apt-get Without --no-install-recommends

apt-get install without --no-install-recommends. This installs unnecessary packages, increasing image size and attack surface.

Frequently Asked Questions

Common questions about apk add Without --no-cache

apk add without --no-cache. Package cache remains in image, increasing size by 2-5 MB.
Review the secure code example in the playground above and apply the recommended pattern to your Dockerfile or docker-compose.yml.

New feature

Get these findings posted directly on your GitHub pull requests

The apk add Without --no-cache rule runs in CI and posts inline review comments on the exact lines — no dashboard, no SARIF viewer.

See how it works
Back to Best PracticeAll Languages →