For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/dockerfile-missing-dnf-clean-all.md. A documentation index is available at /llms.txt.

Missing dnf clean all

This product is not supported for your selected Datadog site. ().

Metadata

Id: dockerfile-missing-dnf-clean-all

Platform: Dockerfile

Severity: Low

Category: Best Practices

Learn More

Description

When Dockerfile RUN commands install packages with DNF and do not remove package caches, the resulting image retains package metadata and cached packages which increase image size and can broaden the attack surface or complicate vulnerability management.

This rule checks Dockerfile RUN instructions: any RUN that contains a dnf install command (including variants such as dnf in, dnf reinstall, dnf rei, dnf install-n, dnf install-na, dnf install-nevra) must be followed by a dnf clean all invocation. The dnf clean all may appear in the same RUN (recommended, chained with &&) or in a subsequent RUN later in the Dockerfile. RUN commands that perform a dnf install but have no later RUN containing dnf clean will be flagged.

Secure example with cleanup in the same RUN:

FROM fedora:latest
RUN dnf -y install my-package && dnf clean all && rm -rf /var/cache/dnf

Compliant Code Examples

FROM fedora:27
RUN set -uex && \
    dnf config-manager --add-repo https://download.docker.com/linux/fedora/docker-ce.repo && \
    sed -i 's/\$releasever/26/g' /etc/yum.repos.d/docker-ce.repo && \
    dnf install -vy docker-ce && \
    dnf clean all
HEALTHCHECK CMD curl --fail http://localhost:3000 || exit 1

FROM golang:1.16 AS builder
WORKDIR /go/src/github.com/foo/href-counter/
RUN go get -d -v golang.org/x/net/html  
COPY app.go    ./
RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
RUN set -uex && \
    dnf config-manager --add-repo https://download.docker.com/linux/fedora/docker-ce.repo && \
    sed -i 's/\$releasever/26/g' /etc/yum.repos.d/docker-ce.repo && \
    dnf install -vy docker-ce

FROM alpine:latest  
RUN apk --no-cache add ca-certificates
WORKDIR /root/
COPY --from=builder /go/src/github.com/foo/href-counter/app ./
CMD ["./app"]
RUN useradd -ms /bin/bash patrick

USER patrick

Non-Compliant Code Examples

FROM fedora:27
RUN set -uex && \
    dnf config-manager --add-repo https://download.docker.com/linux/fedora/docker-ce.repo && \
    sed -i 's/\$releasever/26/g' /etc/yum.repos.d/docker-ce.repo && \
    dnf install -vy docker-ce
HEALTHCHECK CMD curl --fail http://localhost:3000 || exit 1