Missing dnf clean all

이 제품은 선택한 Datadog 사이트에서 지원되지 않습니다. ().
이 페이지는 아직 한국어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Metadata

Id: 295acb63-9246-4b21-b441-7c1f1fb62dc0

Cloud Provider: Dockerfile

Platform: Dockerfile

Severity: Low

Category: Best Practices

Learn More

Description

When Dockerfile RUN commands install packages with DNF and do not remove package caches, the resulting image retains package metadata and cached packages which increase image size and can broaden the attack surface or complicate vulnerability management.

This rule checks Dockerfile RUN instructions: any RUN that contains a dnf install command (including variants such as dnf in, dnf reinstall, dnf rei, dnf install-n, dnf install-na, dnf install-nevra) must be followed by a dnf clean all invocation. The dnf clean all may appear in the same RUN (recommended, chained with &&) or in a subsequent RUN later in the Dockerfile. RUN commands that perform a dnf install but have no later RUN containing dnf clean will be flagged.

Secure example with cleanup in the same RUN:

FROM fedora:latest
RUN dnf -y install my-package && dnf clean all && rm -rf /var/cache/dnf

Compliant Code Examples

FROM fedora:27
RUN set -uex && \
    dnf config-manager --add-repo https://download.docker.com/linux/fedora/docker-ce.repo && \
    sed -i 's/\$releasever/26/g' /etc/yum.repos.d/docker-ce.repo && \
    dnf install -vy docker-ce && \
    dnf clean all
HEALTHCHECK CMD curl --fail http://localhost:3000 || exit 1

FROM golang:1.16 AS builder
WORKDIR /go/src/github.com/foo/href-counter/
RUN go get -d -v golang.org/x/net/html  
COPY app.go    ./
RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
RUN set -uex && \
    dnf config-manager --add-repo https://download.docker.com/linux/fedora/docker-ce.repo && \
    sed -i 's/\$releasever/26/g' /etc/yum.repos.d/docker-ce.repo && \
    dnf install -vy docker-ce

FROM alpine:latest  
RUN apk --no-cache add ca-certificates
WORKDIR /root/
COPY --from=builder /go/src/github.com/foo/href-counter/app ./
CMD ["./app"]
RUN useradd -ms /bin/bash patrick

USER patrick

Non-Compliant Code Examples

FROM fedora:27
RUN set -uex && \
    dnf config-manager --add-repo https://download.docker.com/linux/fedora/docker-ce.repo && \
    sed -i 's/\$releasever/26/g' /etc/yum.repos.d/docker-ce.repo && \
    dnf install -vy docker-ce
HEALTHCHECK CMD curl --fail http://localhost:3000 || exit 1