---
title: RUN instruction using cd instead of WORKDIR
---

# RUN instruction using cd instead of WORKDIR

## Metadata{% #metadata %}

**Id:** `dockerfile-run-command-cd-instead-of-workdir` 

**Platform:** Dockerfile

**Severity:** Low

**Category:** Build Process

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#workdir)

### Description{% #description %}

Using relative paths with `cd` inside Dockerfile `RUN` instructions is fragile and can cause commands to execute in unintended directories, producing nondeterministic builds, accidental inclusion of build-context files, or incorrect file ownership and permissions that may expose sensitive data.

This rule inspects Dockerfile `RUN` instruction command strings and flags occurrences of `cd <path>` where `<path>` is not an absolute path (that is, it does not start with `/` or a Windows drive letter like `C:\`). As the non-compliant examples show, paths that contain `..` segments are flagged even when they begin with `/`. Instead of changing directories with a relative `cd`, set the working directory with `WORKDIR /absolute/path` for subsequent instructions, or use absolute paths within a single `RUN` call. A directory change made with `cd` applies only inside the `RUN` instruction that contains it; it does not persist across layers, which makes it error-prone.

Secure example using `WORKDIR`:

```dockerfile
FROM ubuntu:22.04
WORKDIR /app
COPY . .
RUN make build
```

## Compliant Code Examples{% #compliant-code-examples %}

```dockerfile
FROM nginx
ENV AUTHOR=Docker
WORKDIR /usr/share/nginx/html
COPY Hello_docker.html /usr/share/nginx/html
CMD cd /usr/share/nginx/html && sed -e s/Docker/"$AUTHOR"/ Hello_docker.html > index.html ; nginx -g 'daemon off;'
```

```dockerfile
FROM nginx
ENV AUTHOR=Docker
RUN cd /usr/share/nginx/html
COPY Hello_docker.html /usr/share/nginx/html
CMD cd /usr/share/nginx/html && sed -e s/Docker/"$AUTHOR"/ Hello_docker.html > index.html ; nginx -g 'daemon off;'
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```dockerfile
FROM nginx
ENV AUTHOR=Docker
RUN cd /../share/nginx/html
COPY Hello_docker.html /usr/share/nginx/html
CMD cd /usr/share/nginx/html && sed -e s/Docker/"$AUTHOR"/ Hello_docker.html > index.html ; nginx -g 'daemon off;'

FROM nginx
ENV AUTHOR=Docker
RUN cd ../share/nginx/html
COPY Hello_docker.html /usr/share/nginx/html
CMD cd /usr/share/nginx/html && sed -e s/Docker/"$AUTHOR"/ Hello_docker.html > index.html ; nginx -g 'daemon off;'

FROM nginx
ENV AUTHOR=Docker
RUN cd /usr/../share/nginx/html
COPY Hello_docker.html /usr/share/nginx/html
CMD cd /usr/share/nginx/html && sed -e s/Docker/"$AUTHOR"/ Hello_docker.html > index.html ; nginx -g 'daemon off;'
```
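
The check described in the Description can be approximated with a short pre-commit or CI script. This is an added example, not Datadog's rule implementation: `logical_lines`, `find_cd_violations` and the sample Dockerfile are constructed here, and treating `..` segments in absolute paths as violations is inferred from the non-compliant examples above.

```python
import re
# Absolute: starts with "/" or a Windows drive letter such as "C:\".
ABSOLUTE = re.compile(r'^(/|[A-Za-z]:\\)')
# "cd <path>" at the start of the command or after a shell separator.
CD = re.compile(r'''(?:^|[;&|(])\s*cd\s+("[^"]*"|'[^']*'|[^\s;&|)]+)''')

def logical_lines(text):
    """Yield (line_number, instruction) with backslash continuations joined."""
    buf, start = "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank and comment lines never carry an instruction
        if not buf:
            start = n
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, buf + line
        buf = ""
    if buf:
        yield start, buf

def find_cd_violations(dockerfile_text):
    """Return (line, path, reason) for each flagged cd in a RUN instruction."""
    findings = []
    for lineno, instr in logical_lines(dockerfile_text):
        parts = instr.split(None, 1)
        if len(parts) < 2 or parts[0].upper() != "RUN":
            continue  # only RUN is inspected; CMD and ENTRYPOINT are skipped
        for m in CD.finditer(parts[1]):
            path = m.group(1).strip("\"'")
            if not ABSOLUTE.match(path):
                findings.append((lineno, path, "relative path"))
            elif ".." in re.split(r'[/\\]', path):
                findings.append((lineno, path, "contains '..'"))
    return findings

# Constructed sample built from RUN lines in the examples on this page.
SAMPLE = """\
FROM nginx
RUN cd /usr/share/nginx/html
RUN cd ../share/nginx/html
RUN cd /usr/../share/nginx/html
RUN apt-get update && \\
    cd build && make
CMD cd relative && ./start
"""
print(find_cd_violations(SAMPLE))
```

The sketch covers shell-form `RUN` only; exec-form (JSON array) commands, heredocs and `RUN` flags such as `--mount` are not parsed.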
