# DOCKER-COR-001: Multiple ENTRYPOINT Instructions

> **Severity:** MEDIUM | **CWE:** CWE-710

- **Language:** Docker
- **Category:** Correctness
- **URL:** https://codepathfinder.dev/registry/docker/correctness/DOCKER-COR-001
- **Detection:** `pathfinder scan --ruleset docker/DOCKER-COR-001 --project .`

## Description

Detects Dockerfiles with multiple ENTRYPOINT instructions. Docker honors only
the last ENTRYPOINT in a build stage and silently ignores the earlier ones, so
they mislead readers about how the container actually starts and can cause
unexpected runtime behavior.

## Vulnerable Code

```dockerfile
FROM ubuntu:22.04

# Bad: multiple ENTRYPOINTs - only the last one is used.
# (Comments must be on their own line: a trailing "# ..." after an exec-form
# ENTRYPOINT is not a comment in a Dockerfile and breaks the JSON array.)
# Ignored silently
ENTRYPOINT ["/bin/sh"]
# Ignored silently
ENTRYPOINT ["/usr/bin/python3"]
# Only this one takes effect
ENTRYPOINT ["/app/start.sh"]
```

## Secure Code

```dockerfile
FROM ubuntu:22.04

# Good: a single ENTRYPOINT per Dockerfile
ENTRYPOINT ["/app/start.sh"]

# Or use multi-stage builds if you need different entrypoints. Each stage
# declares at most one ENTRYPOINT; the final stage's ENTRYPOINT (or that of the
# stage selected with `docker build --target <stage>`) is what the image runs.
FROM ubuntu:22.04 AS stage1
ENTRYPOINT ["/app/build.sh"]

FROM ubuntu:22.04 AS stage2
ENTRYPOINT ["/app/start.sh"]
```

## Detection Rule (Python SDK)

```python
from codepathfinder.container_decorators import dockerfile_rule
from codepathfinder.container_matchers import instruction


@dockerfile_rule(
    id="DOCKER-COR-001",
    name="Multiple ENTRYPOINT Instructions",
    severity="MEDIUM",
    cwe="CWE-710",
    category="correctness",
    tags="docker,dockerfile,entrypoint,correctness,configuration,maintainability,confusing,anti-pattern",
    message="Dockerfile has multiple ENTRYPOINT instructions. Only the last one takes effect, making earlier ones misleading."
)
def multiple_entrypoint_instructions():
    # Note: This is a simplified check - ideally would count occurrences
    # For now, this flags any ENTRYPOINT which helps identify the issue
    return instruction(type="ENTRYPOINT")
```
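The rule above flags any ENTRYPOINT rather than counting them. The following stand-alone check, added here as an example and not part of the Code Pathfinder SDK, counts ENTRYPOINT instructions per build stage on a constructed Dockerfile, skipping comment lines and joining backslash continuations so a multi-line instruction is counted once; the sample Dockerfile and stage names are constructed for the example.

```python
import re

# Constructed sample: 'base' repeats ENTRYPOINT, 'builder' uses a line
# continuation, 'runtime' is clean; a commented-out ENTRYPOINT must not count.
SAMPLE_DOCKERFILE = """\
FROM ubuntu:22.04 AS base
ENTRYPOINT ["/bin/sh"]
# ENTRYPOINT ["/commented/out"]
ENTRYPOINT ["/usr/bin/python3"]
ENTRYPOINT ["/app/start.sh"]
FROM base AS builder
ENTRYPOINT ["/app/build.sh", \\
            "--verbose"]
FROM ubuntu:22.04 AS runtime
ENTRYPOINT ["/app/start.sh"]
"""

def logical_lines(text: str) -> list[str]:
    """Skip blank/comment lines and join backslash continuations, as the
    Dockerfile parser does, so each returned string is one whole instruction."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        out.append(buf + line)
        buf = ""
    if buf:  # dangling continuation at end of file
        out.append(buf.rstrip())
    return out

def entrypoints_per_stage(text: str) -> dict[str, int]:
    """Count ENTRYPOINT instructions per build stage (keyed by its AS alias, or
    by position when unnamed); Docker applies only the last one in each stage."""
    counts: dict[str, int] = {}
    stage = "<before first FROM>"
    for line in logical_lines(text):
        m = re.match(r"FROM(?:\s+--\S+)*\s+\S+(?:\s+AS\s+(\S+))?", line, re.I)
        if m:
            stage = m.group(1) or f"stage{len(counts)}"
            counts[stage] = 0
        elif re.match(r"ENTRYPOINT\b", line, re.I):
            counts[stage] = counts.get(stage, 0) + 1
    return counts

def find_violations(text: str) -> list[str]:
    """Stages DOCKER-COR-001 should flag: more than one ENTRYPOINT declared."""
    return [s for s, n in entrypoints_per_stage(text).items() if n > 1]
```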

## How to Fix

- Review your Dockerfile and remove or consolidate the extra ENTRYPOINT instructions so that each build stage declares only one
- Follow Docker's official best practices for image building
- Use `docker build --check` to validate Dockerfile syntax and best practices

## FAQ

**Q: Why does this rule flag multiple entrypoint instructions?**

Dockerfile has multiple ENTRYPOINT instructions. Only the last one takes effect, making earlier ones misleading.

**Q: How do I fix this?**

Review the secure code example in the Secure Code section above and apply the recommended pattern to your Dockerfile or docker-compose.yml.

## References

- [Docker Documentation: ENTRYPOINT instruction](https://docs.docker.com/reference/dockerfile/#entrypoint)
- [Dockerfile Best Practice: Multiple CMD instructions](https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#cmd)
- [Docker Best Practices](https://docs.docker.com/develop/develop-images/dockerfile_best-practices/)

---

Source: https://codepathfinder.dev/registry/docker/correctness/DOCKER-COR-001
Code Pathfinder — Open source, type-aware SAST with cross-file dataflow analysis
