# DOCKER-COR-003: Multiple CMD Instructions

> **Severity:** MEDIUM | **CWE:** CWE-710

- **Language:** Docker
- **Category:** Correctness
- **URL:** https://codepathfinder.dev/registry/docker/correctness/DOCKER-COR-003
- **Detection:** `pathfinder scan --ruleset docker/DOCKER-COR-003 --project .`

## Description

Detects Dockerfiles with multiple CMD instructions. Docker honors only
the last CMD; every earlier CMD is silently ignored, so the Dockerfile
misleads readers about what the container actually runs and can cause
unexpected runtime behavior.

## Vulnerable Code

```dockerfile
FROM ubuntu:22.04

# Bad: Multiple CMDs - only the last one is used.
# (Comments go on their own lines: a trailing "# ..." after an exec-form
# CMD is not a comment in Dockerfile syntax and would break the JSON array.)
# Ignored silently
CMD ["echo", "first"]
# Ignored silently
CMD ["python3", "app.py"]
# Only this one takes effect
CMD ["nginx", "-g", "daemon off;"]
```

## Secure Code

```dockerfile
FROM ubuntu:22.04

# Good: Single CMD per Dockerfile
CMD ["nginx", "-g", "daemon off;"]

# Or use multi-stage builds if you need different commands
# (select a stage with: docker build --target builder .):
FROM ubuntu:22.04 AS builder
CMD ["make", "build"]

FROM ubuntu:22.04 AS runtime
CMD ["nginx", "-g", "daemon off;"]
```

## Detection Rule (Python SDK)

```python
from codepathfinder.container_decorators import dockerfile_rule
from codepathfinder.container_matchers import instruction


@dockerfile_rule(
    id="DOCKER-COR-003",
    name="Multiple CMD Instructions",
    severity="MEDIUM",
    cwe="CWE-710",
    category="correctness",
    tags="docker,dockerfile,cmd,correctness,configuration,maintainability,confusing,anti-pattern",
    message="Multiple CMD instructions detected. Only the last one takes effect."
)
def multiple_cmd_instructions():
    return instruction(type="CMD")
```
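As an added, stand-alone illustration of what the rule above looks for (this is example code, not the Code Pathfinder SDK, and it does not use its `dockerfile_rule` or `instruction` matchers): a small Dockerfile scanner that tracks build stages, joins backslash continuations, and reports every CMD that a later CMD in the same stage overrides. It also flags the exec-form pitfall from the Vulnerable Code section, where a trailing `# comment` is not a comment and turns the JSON array into shell form. The Dockerfile text it scans is constructed sample input.

```python
"""Stand-alone check for the DOCKER-COR-003 pattern: multiple CMD per stage.

Added example, not Code Pathfinder SDK code. It reproduces the rule's intent
with a minimal Dockerfile parser so the behaviour can be tested offline.
"""
import json
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

_INSTRUCTION = re.compile(r"^\s*([A-Za-z]+)\s*(.*)$")
_STAGE_NAME = re.compile(r"\bAS\s+(\S+)\s*$", re.IGNORECASE)


@dataclass
class Finding:
    stage: str   # stage name, or "stage N" when the FROM has no AS clause
    line: int    # 1-based line number of the flagged CMD
    text: str    # the logical line as written
    note: str    # why it is flagged


def logical_lines(src: str) -> Iterator[Tuple[int, str]]:
    """Yield (line_no, text) per logical line: backslash continuations are
    joined and full-line comments / blank lines dropped, as Docker does.
    A trailing '# ...' on an instruction line is kept: it is not a comment."""
    parts: List[str] = []
    start = 0
    for no, raw in enumerate(src.splitlines(), 1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue  # comment lines are allowed even inside a continuation
        if not parts:
            start = no
        if stripped.endswith("\\"):
            parts.append(stripped[:-1].rstrip())
            continue
        parts.append(stripped)
        yield start, " ".join(parts)
        parts = []
    if parts:  # dangling continuation at end of file
        yield start, " ".join(parts)


def exec_form_problem(args: str) -> Optional[str]:
    """Return a note when args look like exec form ('[...]') but are not a
    JSON array of strings; Docker then silently falls back to shell form and
    runs `/bin/sh -c '<literal text>'` instead of the intended program."""
    if not args.startswith("["):
        return None  # shell form: nothing to validate here
    try:
        parsed = json.loads(args)
    except ValueError:
        return "looks like exec form but is not valid JSON; Docker treats it as shell form"
    if not isinstance(parsed, list) or not all(isinstance(x, str) for x in parsed):
        return "exec form must be a JSON array of strings"
    return None


def find_multiple_cmd(dockerfile: str) -> List[Finding]:
    """Report every CMD that a later CMD in the same build stage overrides.
    Each FROM starts a new stage and Docker keeps only that stage's last CMD."""
    findings: List[Finding] = []
    stage = "(before first FROM)"
    stage_no = 0
    cmds: List[Tuple[int, str]] = []

    def close_stage() -> None:
        for line_no, text in cmds[:-1]:  # all but the effective (last) CMD
            findings.append(Finding(stage, line_no, text,
                                    "overridden by a later CMD in the same stage"))
        cmds.clear()

    for line_no, text in logical_lines(dockerfile):
        m = _INSTRUCTION.match(text)
        if not m:
            continue
        instr, args = m.group(1).upper(), m.group(2).strip()
        if instr == "FROM":
            close_stage()
            name = _STAGE_NAME.search(args)
            stage = name.group(1) if name else f"stage {stage_no}"
            stage_no += 1
        elif instr == "CMD":
            cmds.append((line_no, text))
    close_stage()
    return findings


def check_cmd_forms(dockerfile: str) -> List[Finding]:
    """Flag CMD lines whose exec-form JSON is malformed, e.g. because of a
    trailing '# comment' (the pitfall in the rule's vulnerable example)."""
    out: List[Finding] = []
    for line_no, text in logical_lines(dockerfile):
        m = _INSTRUCTION.match(text)
        if m and m.group(1).upper() == "CMD":
            note = exec_form_problem(m.group(2).strip())
            if note:
                out.append(Finding("-", line_no, text, note))
    return out


# Constructed samples (not from any real project).
BAD_DOCKERFILE = """\
FROM ubuntu:22.04
# Bad: three CMDs, only the last takes effect
CMD ["echo", "first"]
CMD ["python3", "app.py"]
CMD ["nginx", "-g", "daemon off;"]
"""

MULTISTAGE_DOCKERFILE = """\
FROM ubuntu:22.04 AS builder
CMD ["make", "build"]

FROM ubuntu:22.04 AS runtime
CMD ["nginx", "-g", \\
     "daemon off;"]
"""

TRAILING_COMMENT = 'FROM ubuntu:22.04\nCMD ["echo", "first"]  # not a comment\n'

if __name__ == "__main__":
    for f in find_multiple_cmd(BAD_DOCKERFILE) + check_cmd_forms(TRAILING_COMMENT):
        print(f"{f.stage}: line {f.line}: {f.text!r}: {f.note}")
```

The per-stage bookkeeping matters: the multi-stage Secure Code example above yields no findings because each stage has exactly one CMD, while a second CMD appended to the `runtime` stage is reported against that stage by name.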

## How to Fix

- Review your Dockerfile and keep only the intended CMD, removing the earlier ones that Docker ignores anyway
- Follow Docker's official Dockerfile best practices for image building
- Use `docker build --check` to validate Dockerfile syntax and best practices

## FAQ

**Q: Why does this rule flag multiple CMD instructions?**

Docker honors only the last CMD instruction. Any earlier CMD is silently ignored, so it is dead configuration that misleads anyone reading the Dockerfile about what the container runs.

**Q: How do I fix this?**

Review the Secure Code example above and apply the recommended pattern to your Dockerfile or docker-compose.yml.

## References

- [Docker Documentation: CMD instruction](https://docs.docker.com/reference/dockerfile/#cmd)
- [Dockerfile Best Practice: Multiple ENTRYPOINT instructions](https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#entrypoint)
- [Docker Best Practices](https://docs.docker.com/develop/develop-images/dockerfile_best-practices/)

---

Source: https://codepathfinder.dev/registry/docker/correctness/DOCKER-COR-003
Code Pathfinder — Open source, type-aware SAST with cross-file dataflow analysis
