AWS CloudFormation Linter

Detected `$` on the left side of assignmentDOK-SC1066 Invalid case used for command/syntaxDOK-SC1081 Command does not make sense in a containerDOK-DL3001 User should not be `root` when the Dockerfile completesDOK-DL3002 Invalid UNIX port providedDOK-DL3011 Open string detectedDOK-SC1078 Wrong use of `... && ... ||` syntaxDOK-SC2015 Reference to an unassigned variable detectedDOK-SC2154 Missing space before `#`DOK-SC1099 Useless `cat` detectedDOK-SC2002 Pin versions in `gem install`DOK-DL3028 Unexpected `==` detectedDOK-SC1097 Pin image versions explicitly to a release tagDOK-DL3007 Pin versions in `pip`DOK-DL3013 Use the `-y` switchDOK-DL3014 `COPY --from` should reference a previously defined `FROM` aliasDOK-DL3022 `COPY --from` cannot reference its own `FROM` aliasDOK-DL3023 `FROM` aliases (stage names) must be uniqueDOK-DL3024 Multiple `ENTRYPOINT` instructions detectedDOK-DL4004 `eval` used with special charactersDOK-SC1098 Consider using `./` or `--` globDOK-SC2035 Detected use of `$` in the iterator name of a `for` loopDOK-SC1086 Pin specific version in `npm`DOK-DL3016 Use `COPY` instead of `ADD` for files and foldersDOK-DL3020 Unexpected character detectedDOK-SC1079 Use `ADD` to extract archives into an imageDOK-DL3010 Pin versions in `apk add`DOK-DL3018 Pin versions in `apt get install`DOK-DL3008 `COPY` with more than 2 arguments requires the last argument to end with `/`DOK-DL3021 Multiple `CMD` instructions detectedDOK-DL4003 Set the `SHELL` option `-o pipefail` before using `RUN` with a pipe characterDOK-DL4006 Missing spaceDOK-SC1035 Spaces detected around `=` in assignmentsDOK-SC1068 Consider using braces for expanding an arrayDOK-SC1087 Word detected outside the quotesDOK-SC2026 Detected use of escape sequences with `echo`DOK-SC2028 Possible globbing or word splitting detectedDOK-SC2086 Use `cd ... || exit` in case `cd` failsDOK-SC2164 Do not use `sudo`DOK-DL3004 Possible parameter declaration detectedDOK-SC1065 Declare and assign separately to avoid masking of return valuesDOK-SC2155 Avoid additional packages by specifying `--no-install-recommends`DOK-DL3015 Use arguments JSON notation for CMD and ENTRYPOINT argumentsDOK-DL3025 Use `SHELL` to change the default shellDOK-DL4005 Consider using quotes to prevent word splittingDOK-SC2046 Found reference to `ENV` var within the same stepDOK-E1000 Invalid `LABEL` keyDOK-E1001 Do not use `zypper dist-upgrade`DOK-W1011 `ONBUILD`, `FROM` or `MAINTAINER` triggered from within `ONBUILD` instructionDOK-E1002 Pin versions in `yum install`DOK-W1003 Pin versions in `zypper install`DOK-W1004 Pin versions in `dnf install`DOK-W1005 COPY to a relative destination without WORKDIR setDOK-W1006 Multiple `HEALTHCHECK` instructionsDOK-W1007 Use the `-y` switch for `yum install`DOK-W1008 Use the `-y` switch for `dnf install`DOK-W1009 Use the `-y` switch for `zypper install`DOK-W1010 Always tag the version of an image explicitlyDOK-DL3006 Use absolute `WORKDIR`DOK-DL3000 Use ` ` ` instead of `´` for command expansionDOK-SC1077 Use only an allowed registry in the FROM imageDOK-DL3026 Use `WORKDIR` to switch to a directoryDOK-DL3003 Use of `&;` detectedDOK-SC1045 Avoid cache directory with pip install --no-cache-dir <package>DOK-P1003 Missing `yarn cache clean` after `yarn install`DOK-P1005 Missing `yum clean all` after `yum install`DOK-P1000 Missing `zypper clean` after `zypper install`DOK-P1001 Missing `dnf clean all` after `dnf install` commandDOK-P1002 Found `useradd` without `-l` flagDOK-P1004 Do not use `--platform=` with `FROM`DOK-W1002 Unquoted literal string detectedDOK-SC2140 Delete the `apt-get` lists after installing anythingDOK-DL3009 Unicode non-breaking space detectedDOK-SC1018 `$` is not used specially and should therefore be escapedDOK-SC1000 Use of deprecated `MAINTAINER` fieldDOK-DL4000 Remove space after `=`DOK-SC1007 Missing space or linefeed between the function name and bodyDOK-SC1095 Do not use `apt`, use `apt-get` or `apt-cache` insteadDOK-DL3027 Use the `--no-cache` switchDOK-DL3019 Bad use of `{}`DOK-SC1083 Use any one of `wget` or `curl` but not bothDOK-DL4001 Use semicolon or linefeed before 'done'DOK-SC1010 No need of escape sequenceDOK-SC1001 Use `wget --progress` to avoid excessively bloated build logsDOK-W1000 Found consecutive `RUN` commandsDOK-W1001

DOK-DL3025

Use arguments JSON notation for CMD and ENTRYPOINT argumentsDOK-DL3025

Major

Bug Risk

When using the plain text version of passing arguments, signals from the OS are not correctly passed to the executables, which is in the majority of the cases what you would expect.

These points shall always be taken care of:

CMD should almost always be used in the form of CMD [“executable”, “param1”, “param2”…]
The shell form prevents any CMD or run command line arguments from being used, but has the disadvantage that your ENTRYPOINT will be started as a subcommand of /bin/sh -c, which does not pass signals. This means that the executable will not be the container’s PID 1 - and will not receive Unix signals - so your executable will not receive a SIGTERM from docker stop .

Read more about these best practices here.

Bad Practice

FROM debian:buster
ENTRYPOINT s3cmd

FROM debian:buster
CMD my-service server

Recommended

FROM debian:buster
CMD ["my-service", "server"]

Note

Docker CMD does not process $ENVIRONMENT_VARIABLEs, that’s a side-effect of using sh -c as the default entry-point. Using the JSON notation means that you have to figure out how to handle environment variables yourself.
The CMD exec form is parsed as a JSON array, so you MUST use double quotes (") instead of single quote ('). See https://docs.docker.com/v17.09/engine/reference/builder/#cmd for more info.