Python
JavaScript
Java
Go
C#
Ansible
AWS CloudFormation Linter
C & C++
Dart Analyze
Docker
Kotlin
KubeLinter
PHP
Ruby
Rust
Scala
Secrets
Shell
Slither
Solhint
SQL
Swift
Terraform
Test coverageDetected `$` on the left side of assignmentDOK-SC1066Invalid case used for command/syntaxDOK-SC1081Command does not make sense in a containerDOK-DL3001User should not be `root` when the Dockerfile completesDOK-DL3002Invalid UNIX port providedDOK-DL3011Open string detectedDOK-SC1078Wrong use of `... && ... ||` syntaxDOK-SC2015Reference to an unassigned variable detectedDOK-SC2154Missing space before `#`DOK-SC1099Useless `cat` detectedDOK-SC2002Pin versions in `gem install`DOK-DL3028Unexpected `==` detectedDOK-SC1097Pin image versions explicitly to a release tagDOK-DL3007Pin versions in `pip`DOK-DL3013Use the `-y` switchDOK-DL3014`COPY --from` should reference a previously defined `FROM` aliasDOK-DL3022`COPY --from` cannot reference its own `FROM` aliasDOK-DL3023`FROM` aliases (stage names) must be uniqueDOK-DL3024Multiple `ENTRYPOINT` instructions detectedDOK-DL4004`eval` used with special charactersDOK-SC1098Consider using `./` or `--` globDOK-SC2035Detected use of `$` in the iterator name of a `for` loopDOK-SC1086Pin specific version in `npm`DOK-DL3016Use `COPY` instead of `ADD` for files and foldersDOK-DL3020Unexpected character detectedDOK-SC1079Use `ADD` to extract archives into an imageDOK-DL3010Pin versions in `apk add`DOK-DL3018Pin versions in `apt get install`DOK-DL3008`COPY` with more than 2 arguments requires the last argument to end with `/`DOK-DL3021Multiple `CMD` instructions detectedDOK-DL4003Set the `SHELL` option `-o pipefail` before using `RUN` with a pipe characterDOK-DL4006Missing spaceDOK-SC1035Spaces detected around `=` in assignmentsDOK-SC1068Consider using braces for expanding an arrayDOK-SC1087Word detected outside the quotesDOK-SC2026Detected use of escape sequences with `echo`DOK-SC2028Possible globbing or word splitting detectedDOK-SC2086Use `cd ... || exit` in case `cd` failsDOK-SC2164Do not use `sudo`DOK-DL3004Possible parameter declaration detectedDOK-SC1065Declare and assign separately to avoid masking of return valuesDOK-SC2155Avoid additional packages by specifying `--no-install-recommends`DOK-DL3015Use arguments JSON notation for CMD and ENTRYPOINT argumentsDOK-DL3025Use `SHELL` to change the default shellDOK-DL4005Consider using quotes to prevent word splittingDOK-SC2046Found reference to `ENV` var within the same stepDOK-E1000Invalid `LABEL` keyDOK-E1001Do not use `zypper dist-upgrade`DOK-W1011`ONBUILD`, `FROM` or `MAINTAINER` triggered from within `ONBUILD` instructionDOK-E1002Pin versions in `yum install`DOK-W1003Pin versions in `zypper install`DOK-W1004Pin versions in `dnf install`DOK-W1005COPY to a relative destination without WORKDIR setDOK-W1006Multiple `HEALTHCHECK` instructionsDOK-W1007Use the `-y` switch for `yum install`DOK-W1008Use the `-y` switch for `dnf install`DOK-W1009Use the `-y` switch for `zypper install`DOK-W1010Always tag the version of an image explicitlyDOK-DL3006Use absolute `WORKDIR`DOK-DL3000Use ` ` ` instead of `´` for command expansionDOK-SC1077Use only an allowed registry in the FROM imageDOK-DL3026Use `WORKDIR` to switch to a directoryDOK-DL3003Use of `&;` detectedDOK-SC1045Avoid cache directory with pip install --no-cache-dir <package>DOK-P1003Missing `yarn cache clean` after `yarn install`DOK-P1005Missing `yum clean all` after `yum install`DOK-P1000Missing `zypper clean` after `zypper install`DOK-P1001Missing `dnf clean all` after `dnf install` commandDOK-P1002Found `useradd` without `-l` flagDOK-P1004Do not use `--platform=` with `FROM`DOK-W1002Unquoted literal string detectedDOK-SC2140Delete the `apt-get` lists after installing anythingDOK-DL3009Unicode non-breaking space detectedDOK-SC1018`$` is not used specially and should therefore be escapedDOK-SC1000Use of deprecated `MAINTAINER` fieldDOK-DL4000Remove space after `=`DOK-SC1007Missing space or linefeed between the function name and bodyDOK-SC1095Do not use `apt`, use `apt-get` or `apt-cache` insteadDOK-DL3027Use the `--no-cache` switchDOK-DL3019Bad use of `{}`DOK-SC1083Use any one of `wget` or `curl` but not bothDOK-DL4001Use semicolon or linefeed before 'done'DOK-SC1010No need of escape sequenceDOK-SC1001Use `wget --progress` to avoid excessively bloated build logsDOK-W1000Found consecutive `RUN` commandsDOK-W1001
Set the `SHELL` option `-o pipefail` before using `RUN` with a pipe characterDOK-DL4006
Major
Bug RiskSome RUN commands depend on the ability to pipe the output of one command into another, using the pipe character (|), as in the following example:
RUN wget -O - https://some.site | wc -l > /number
Docker executes these commands using the /bin/sh -c interpreter, which only evaluates the exit code of the last operation in the pipe to determine success.
In the example above this build step succeeds and produces a new image so long as the wc -l command succeeds, even if the wget command fails.
If you want the command to fail due to an error at any stage in the pipe, prepend set -o pipefail && to ensure that an unexpected error prevents the build from inadvertently succeeding.
Since there are some shells that do not accept the -o pipefail option, it is not enough to add set -o pipefail inside the RUN instruction.
Therefore, we recommend to always explicitly set the SHELL before using pipes in RUN.
You can read more about best practices of using pipes here.
Bad Practice
RUN wget -O - https://some.site | wc -l > /number
Recommended
SHELL ["/bin/bash", "-o", "pipefail", "-c"]
RUN wget -O - https://some.site | wc -l > /number
Or in case of busybox in an Alpine image:
SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
RUN wget -O - https://some.site | wc -l > /number