---
title: Multiple ENTRYPOINT instructions listed
description: Datadog, the leading service for cloud-scale monitoring.
---

# Multiple ENTRYPOINT instructions listed


## Metadata{% #metadata %}

**Id:** `dockerfile-multiple-entrypoint-instructions-listed` 

**Platform:** Dockerfile

**Severity:** Low

**Category:** Build Process

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.docker.com/engine/reference/builder/#entrypoint)

### Description{% #description %}

Dockerfiles must contain at most one `ENTRYPOINT` because only the last `ENTRYPOINT` instruction is applied and any earlier `ENTRYPOINT` instructions are silently ignored. Multiple `ENTRYPOINT` instructions can cause intended initialization, security wrappers, or startup controls to be bypassed, which may result in containers running unintended processes or reduced security protections.

This rule flags Dockerfiles that include more than one `ENTRYPOINT` instruction. To resolve a finding, keep a single `ENTRYPOINT`; for example, have the `ENTRYPOINT` invoke a wrapper script that performs initialization and then execs the main process.

Secure example using a single `ENTRYPOINT`:

```dockerfile
FROM alpine:3.18
COPY start.sh /usr/local/bin/start.sh
ENTRYPOINT ["/usr/local/bin/start.sh"]
CMD ["--serve"]
```
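
The check described above can be sketched as follows. This is an added example, not Datadog's rule implementation: the function names are hypothetical, the parser is simplified, and judging only the final build stage is an assumption inferred from the compliant and non-compliant examples on this page.

```python
def stages_with_entrypoints(dockerfile: str):
    """Return one list per build stage with (line_no, text) of each ENTRYPOINT.

    Simplified parser: handles comments and backslash continuations only
    (no heredocs, no `# escape=` directive).
    """
    stages, pending, start = [], "", 0
    for no, raw in enumerate(dockerfile.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank lines and comments carry no instruction
        if not pending:
            start = no                    # first physical line of this instruction
        if line.endswith("\\"):
            pending += line[:-1] + " "    # join continuation lines
            continue
        instr, pending = (pending + line).strip(), ""
        keyword = instr.split(None, 1)[0].upper()
        if keyword == "FROM":
            stages.append([])             # every FROM opens a new stage
        elif keyword == "ENTRYPOINT" and stages:
            stages[-1].append((start, instr))
    return stages


def overridden_entrypoints(dockerfile: str):
    """ENTRYPOINT lines in the final stage that a later ENTRYPOINT replaces."""
    stages = stages_with_entrypoints(dockerfile)
    return stages[-1][:-1] if stages else []


# Constructed samples, shortened from the examples on this page.
NON_COMPLIANT = """\
FROM golang:1.7.3
WORKDIR /go/src/github.com/foo/href-counter/
FROM alpine:latest
COPY --from=0 /go/src/github.com/foo/href-counter/app .
ENTRYPOINT [ "/opt/app/run.sh", "--port", "8080" ]
ENTRYPOINT [ "/opt/app/run.sh", "--port", "8000" ]
"""
BUILDER_ONLY = """\
FROM golang:1.16 AS builder
ENTRYPOINT [ "/opt/app/run.sh", "--port", "8080" ]
ENTRYPOINT [ "/opt/app/run.sh", "--port", "8000" ]
FROM alpine:latest
CMD ["./app"]
"""

if __name__ == "__main__":
    for name, text in (("non-compliant", NON_COMPLIANT), ("builder-only", BUILDER_ONLY)):
        for line_no, instr in overridden_entrypoints(text):
            print(f"{name}: line {line_no} is ignored at runtime: {instr}")
```

Each reported line is an `ENTRYPOINT` that never takes effect in the built image, which is where a dropped security wrapper or init script would show up.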

## Compliant Code Examples{% #compliant-code-examples %}

```dockerfile
FROM golang:1.7.3
WORKDIR /go/src/github.com/foo/href-counter/
RUN go get -d -v golang.org/x/net/html  
COPY app.go .
RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
ENTRYPOINT [ "/opt/app/run.sh", "--port", "8080" ]

FROM alpine:latest  
RUN apk --no-cache add ca-certificates
WORKDIR /root/
COPY --from=0 /go/src/github.com/foo/href-counter/app .
ENTRYPOINT [ "/opt/app/run.sh", "--port", "8080" ]
```

```dockerfile
FROM golang:1.16 AS builder
WORKDIR /go/src/github.com/foo/href-counter/
RUN go get -d -v golang.org/x/net/html  
COPY app.go    ./
RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
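# Builder stage: two ENTRYPOINT lines, but this stage is not the final image
ENTRYPOINT [ "/opt/app/run.sh", "--port", "8080" ]
ENTRYPOINT [ "/opt/app/run.sh", "--port", "8000" ]

# Final stage: no ENTRYPOINT, only CMD
FROM alpine:latest
RUN apk --no-cache add ca-certificates
WORKDIR /root/
COPY --from=builder /go/src/github.com/foo/href-counter/app ./
CMD ["./app"]
# Alpine ships BusyBox adduser, not useradd, and has no /bin/bash by default
RUN adduser -D -s /bin/sh patrick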

USER patrick
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```dockerfile
FROM golang:1.7.3
WORKDIR /go/src/github.com/foo/href-counter/
RUN go get -d -v golang.org/x/net/html  
COPY app.go .
RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .

FROM alpine:latest  
RUN apk --no-cache add ca-certificates
WORKDIR /root/
COPY --from=0 /go/src/github.com/foo/href-counter/app .
ENTRYPOINT [ "/opt/app/run.sh", "--port", "8080" ]
ENTRYPOINT [ "/opt/app/run.sh", "--port", "8000" ]
```
