Using relative paths with cd inside Dockerfile RUN instructions is fragile and can cause commands to execute in unintended directories, producing nondeterministic builds, accidental inclusion of build-context files, or incorrect file ownership and permissions that may expose sensitive data.
This rule inspects Dockerfile RUN instruction command strings and flags occurrences of cd <path> where <path> is not an absolute path (does not start with / or a Windows drive letter like C:\). Instead of changing directories with a relative cd, set the working directory with WORKDIR /absolute/path for subsequent instructions or use absolute paths in single RUN calls. Directory changes performed only within one RUN do not persist across layers and are error-prone.
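The check described above, as an added example (not Datadog's rule implementation and not code from this page): a small Python scanner that joins continued RUN lines and reports each cd whose target is not absolute. The function names and the sample Dockerfile are constructed for illustration, and only shell-form RUN is handled.

```python
import re

# `cd <path>` at the start of a RUN command or after a shell separator / subshell.
CD_RE = re.compile(r"""(?:^|&&|\|\||;|\||\()\s*cd\s+("[^"]*"|'[^']*'|[^\s;&|)]+)""")
# Absolute per the rule text: starts with / or a Windows drive letter (C:\ style).
ABSOLUTE_RE = re.compile(r"^(?:/|[A-Za-z]:\\)")

def logical_lines(text):
    """Yield (first_line_number, instruction), joining backslash continuations."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank and comment lines are ignored, even mid-continuation
        if start is None:
            start = n
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, buf + line
        buf, start = "", None
    if buf:
        yield start, buf.strip()

def relative_cd_findings(dockerfile_text):
    """Return [(line, path)] for every relative `cd` in a shell-form RUN."""
    findings = []
    for lineno, instr in logical_lines(dockerfile_text):
        parts = instr.split(None, 1)
        if len(parts) < 2 or parts[0].upper() != "RUN":
            continue
        for m in CD_RE.finditer(parts[1]):
            path = m.group(1).strip("\"'")
            if not ABSOLUTE_RE.match(path):
                findings.append((lineno, path))
    return findings

# Constructed sample: the RUN at lines 4-5 is flagged; lines 3 and 6-7 are compliant.
SAMPLE = r"""FROM alpine:3.19
COPY . /opt/app
RUN cd /opt/app && make
RUN cd build && \
    ./configure && cd ../out; ls
WORKDIR /opt/app/build
RUN ./configure
"""

if __name__ == "__main__":
    for lineno, path in relative_cd_findings(SAMPLE):
        print(f"line {lineno}: relative 'cd {path}' in RUN; use WORKDIR or an absolute path")
```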