Missing flag from dnf install

Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > Missing flag from dnf install

Metadata

Id: dockerfile-missing-flag-from-dnf-install

Platform: Dockerfile

Severity: Low

Category: Supply-Chain

Learn More

Provider Reference

Description

DNF package installations in Dockerfile RUN instructions can prompt for interactive input. If the installer is run without a non-interactive flag, the build can hang or fail, disrupting automated CI/CD pipelines and encouraging unsafe manual interventions.

Check RUN commands that invoke DNF (for example, dnf install, dnf groupinstall, dnf localinstall, dnf reinstall, and short forms such as dnf in/dnf rei) and require the -y or --assumeyes switch to be present. RUN lines invoking these commands without -y/--assumeyes will be flagged. Use a non-interactive invocation such as:

RUN dnf -y install vim wget

Compliant Code Examples

FROM fedora:27
RUN set -uex && \
    dnf config-manager --set-enabled docker-ce-test && \
    dnf install -y docker-ce && \
    dnf clean all

FROM fedora:27
RUN set -uex; \
    dnf config-manager --set-enabled docker-ce-test; \
    dnf install -y docker-ce; \
    dnf clean all

FROM fedora:27
RUN microdnf install -y \
    openssl-libs-1:1.1.1k-6.el8_5.x86_64 \
    zlib-1.2.11-18.el8_5.x86_64 \
 && microdnf clean all

Non-Compliant Code Examples

FROM fedora:27
RUN set -uex && \
    dnf config-manager --set-enabled docker-ce-test && \
    dnf install docker-ce && \
    dnf clean all

FROM fedora:28
RUN set -uex
RUN dnf config-manager --set-enabled docker-ce-test
RUN dnf in docker-ce
RUN dnf clean all

FROM fedora:27
RUN set -uex; \
    dnf config-manager --set-enabled docker-ce-test; \
    dnf install docker-ce; \
    dnf clean all

FROM fedora:28
RUN set -uex
RUN dnf config-manager --set-enabled docker-ce-test
RUN dnf in docker-ce
RUN dnf clean all