CodeAnt AI home pagelight logodark logo
  • Dashboard
  • Dashboard
  • Documentation
  • Demo Call with CEO
  • Blog
  • Slack
    • Get Started
    • CodeAnt AI
    • Setup
    • Control Center
    • Pull Request Review
    • IDE
    • Compliance
    • Anti-Patterns
    • Code Governance
    • Infrastructure Security Database
    • Application Security Database
      • Apex
      • Bash
      • C
      • Clojure
      • Cpp
      • Csharp
      • Dockerfile
        • Audit
        • Best practice
        • Correctness
        • Security
      • Elixir
      • Fingerprints
      • Generic
      • Go
      • Html
      • Java
      • Javascript
      • Json
      • Kotlin
      • Ocaml
      • Php
      • Problem-based-packs
      • Python
      • Ruby
      • Rust
      • Scala
      • Solidity
      • Swift
      • Terraform
      • Typescript
      • Yaml
    Dockerfile

    Best practice

    missing-dnf-clean-all

    This dnf command does not end with ’&& dnf clean all’. Running ‘dnf clean all’ will remove cached data and reduce package size. (This must be performed in the same RUN step.)

    prefer-json-notation

    Prefer JSON notation when using CMD or ENTRYPOINT. This allows signals to be passed from the OS.

    use-either-wget-or-curl

    ‘wget’ and ‘curl’ are similar tools. Choose one and do not install the other to decrease image size.

    nonsensical-command

    Some commands such as $CMD do not make sense in a container. Do not use these.

    avoid-zypper-update

    Packages in base images should be up-to-date, removing the need for ‘zypper update’. If packages are out-of-date, consider contacting the base image maintainer.

    missing-image-version

    Detected docker image with no explicit version attached. Images should be tagged with an explicit version to produce deterministic container images — attach a version when using FROM <image>.

    avoid-dnf-update

    Packages in base images should be up-to-date, removing the need for ‘dnf update’. If packages are out-of-date, consider contacting the base image maintainer.

    missing-apk-no-cache

    This apk command is missing ‘—no-cache’. This forces apk to use a package index instead of a local package cache, removing the need for ‘—update’ and the deletion of ‘/var/cache/apk/*’. Add ‘—no-cache’ to your apk command.

    missing-pip-no-cache-dir

    This ‘$PIP install’ is missing ‘—no-cache-dir’. This flag prevents package archives from being kept around, thereby reducing image size. Add ‘—no-cache-dir’.

    prefer-copy-over-add

    The ADD command will accept and include files from a URL and automatically extract archives. This potentially exposes the container to a man-in-the-middle attack or other attacks if a malicious actor can tamper with the source archive. Since ADD can have this and other unexpected side effects, the use of the more explicit COPY command is preferred.

    remove-package-lists

    The package lists were not deleted after running ‘apt-get update’, which increases the size of the image. Remove the package lists by appending ’&& rm -rf /var/lib/apt/lists/*’ at the end of apt-get command chain.

    remove-package-cache

    The package cache was not deleted after running ‘apt-get update’, which increases the size of the image. Remove the package cache by appending ’&& apt-get clean’ at the end of apt-get command chain.

    avoid-platform-with-from

    Using ‘—platform’ with FROM restricts the image to build on a single platform. Further, this must be the same as the build platform. If you intended to specify the target platform, use the utility ‘docker buildx —platform=’ instead.

    missing-zypper-clean

    This zypper command does not end with ’&& zypper clean’. Running ‘zypper clean’ will remove cached data and reduce package size. (This must be performed in the same RUN step.)

    avoid-latest-version

    Images should be tagged with an explicit version to produce deterministic container images. The ‘latest’ tag may change the base container without warning.

    prefer-apt-get

    ‘apt-get’ is preferred as an unattended tool for stability. ‘apt’ is discouraged.

    set-pipefail

    Only the exit code from the final command in this RUN instruction will be evaluated unless ‘pipefail’ is set. If you want to fail the command at any stage in the pipe, set ‘pipefail’ by including ‘SHELL [“/bin/bash”, “-o”, “pipefail”, “-c”] before the command. If you’re using alpine and don’t have bash installed, communicate this explicitly with SHELL ["/bin/ash"].

    avoid-yum-update

    Packages in base images should be up-to-date, removing the need for ‘yum update’. If packages are out-of-date, consider contacting the base image maintainer.

    maintainer-is-deprecated

    MAINTAINER has been deprecated.

    use-shell-instruction

    Use the SHELL instruction to set the default shell instead of overwriting ‘/bin/sh’.

    avoid-apt-get-upgrade

    Packages in base containers should be up-to-date, removing the need to upgrade or dist-upgrade. If a package is out of date, contact the maintainers.

    avoid-apk-upgrade

    Packages in base images should be up-to-date, removing the need for ‘apk upgrade’. If packages are out-of-date, consider contacting the base image maintainer.

    missing-no-install-recommends

    This ‘apt-get install’ is missing ‘—no-install-recommends’. This prevents unnecessary packages from being installed, thereby reducing image size. Add ‘—no-install-recommends’.

    use-workdir

    As recommended by Docker’s documentation, it is best to use ‘WORKDIR’ instead of ‘RUN cd …’ for improved clarity and reliability. Also, ‘RUN cd …’ may not work as expected in a container.

    missing-dnf-assume-yes-switch

    This ‘dnf install’ is missing the ‘-y’ switch. This might stall builds because it requires human intervention. Add the ‘-y’ switch.

    missing-yum-assume-yes-switch

    This ‘yum install’ is missing the ‘-y’ switch. This might stall builds because it requires human intervention. Add the ‘-y’ switch.

    AuditCorrectness
    twitterlinkedin
    Powered by Mintlify
    Assistant
    Responses are generated using AI and may contain mistakes.