For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/dockerfile-changing-default-shell-using-run-command.md. A documentation index is available at /llms.txt.

Changing default shell using RUN command

This product is not supported for your selected Datadog site. ().

Metadata

Id: dockerfile-changing-default-shell-using-run-command

Platform: Dockerfile

Severity: Medium

Category: Best Practices

Learn More

Description

Changing the image’s default shell by running shell binaries or user-modifying commands in a RUN instruction instead of using the Dockerfile SHELL instruction can produce inconsistent build vs. runtime behavior and cause subsequent instructions to be interpreted under unexpected shell parsing rules. This increases the risk of misinterpreted commands or injection vulnerabilities.

This rule flags Dockerfile RUN instructions where the invoked command is mv, chsh, usermod, or ln and their arguments reference common shell paths (for example, /bin/bash, /bin/sh, /usr/bin/zsh). It also flags RUN invocations that call powershell directly. The intended default shell should be defined with the SHELL instruction.

Resources that attempt to edit /etc/passwd, symlink shell binaries, or invoke PowerShell via RUN will be flagged. For Windows images, the JSON-array form of SHELL is preferred to ensure proper argument handling.

Secure examples:

# Unix/Linux: set bash as the default shell for subsequent instructions
SHELL ["/bin/bash", "-lc"]

# Windows/PowerShell: set PowerShell as the default shell for subsequent instructions
SHELL ["powershell", "-Command"]

Compliant Code Examples

FROM alpine:3.5
RUN apk add --update py2-pip
RUN sudo yum install -y bundler
RUN yum install
SHELL ["/bin/bash", "-c"]
COPY requirements.txt /usr/src/app/
RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
COPY app.py /usr/src/app/
COPY templates/index.html /usr/src/app/templates/
EXPOSE 5000
CMD ["python", "/usr/src/app/app.py"]

FROM alpine:3.5
RUN apk add --update py2-pip
RUN sudo yum install -y bundler
RUN yum install
SHELL ["cmd", "/S", "/C"]
COPY requirements.txt /usr/src/app/
RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
COPY app.py /usr/src/app/
COPY templates/index.html /usr/src/app/templates/
EXPOSE 5000
CMD ["python", "/usr/src/app/app.py"]

FROM alpine:3.5
RUN apk add --update py2-pip
RUN sudo yum install -y bundler
RUN yum install
SHELL ["powershell", "-command"]
COPY requirements.txt /usr/src/app/
RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
COPY app.py /usr/src/app/
COPY templates/index.html /usr/src/app/templates/
EXPOSE 5000
CMD ["python", "/usr/src/app/app.py"]

Non-Compliant Code Examples

FROM alpine:3.5
RUN apk add --update py2-pip
RUN sudo yum install -y bundler
RUN yum install
RUN ln -sfv /bin/bash /bin/sh
COPY requirements.txt /usr/src/app/
RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
COPY app.py /usr/src/app/
COPY templates/index.html /usr/src/app/templates/
EXPOSE 5000
CMD ["python", "/usr/src/app/app.py"]

FROM alpine:3.5
RUN apk add --update py2-pip
RUN sudo yum install -y bundler
RUN yum install
RUN powershell -command
COPY requirements.txt /usr/src/app/
RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
COPY app.py /usr/src/app/
COPY templates/index.html /usr/src/app/templates/
EXPOSE 5000
CMD ["python", "/usr/src/app/app.py"]