Dockerfiles that run yarn install must remove the Yarn package cache afterward. The cache holds the downloaded package archives, so leaving it in place increases image size and keeps build-time artifacts in the image layers that ship to production, where they add to the attack surface (and to what image scanners must inspect) without serving the application.

This rule inspects Dockerfile RUN instructions (resource type dockerfile_container) and flags a RUN that executes yarn install without a corresponding yarn cache clean.

To remediate, chain the cleanup into the same RUN instruction (for example, RUN yarn install && yarn cache clean) so that the cache is deleted before the layer is committed. Running yarn cache clean in a later RUN does not shrink the image: the cache files are already stored in the earlier layer, and the later layer only records their deletion, so every consumer of the image still pulls them. The compliant example below shows that a separate RUN yarn cache clean in the same stage is accepted by the rule, but it carries this cost; chaining is the form to prefer. You can confirm the difference with docker history IMAGE, which lists the size that each layer contributes.
Secure example:

```dockerfile
RUN yarn install --production && yarn cache clean --force
```
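The check described above, as an added example that is not part of the Datadog rule implementation: a small Python checker that joins backslash continuations, flattens exec-form RUN arrays, splits a Dockerfile into build stages at each FROM, and flags RUN instructions that execute yarn install without yarn cache clean. Strict mode requires the clean to be chained into the same RUN, as the remediation asks; non-strict mode also accepts a clean in a later RUN of the same stage, which is the behaviour the second compliant example further down relies on. The three embedded Dockerfiles are constructed for the example.

```python
import json
import re
from dataclasses import dataclass

# Constructed sample Dockerfiles for this example (not taken from the page).
NONCOMPLIANT = """\
FROM node:18-alpine AS builder
COPY package.json yarn.lock ./
RUN yarn install
RUN yarn build
"""

COMPLIANT_SAME_RUN = """\
FROM node:18-alpine AS builder
COPY package.json yarn.lock ./
RUN yarn install --frozen-lockfile \\
    && yarn cache clean
RUN yarn build
"""

LATER_RUN = """\
FROM node:18-alpine
COPY package.json yarn.lock ./
RUN ["yarn", "install"]
RUN yarn cache clean
"""

YARN_INSTALL = re.compile(r"\byarn\s+install\b")
YARN_CACHE_CLEAN = re.compile(r"\byarn\s+cache\s+clean\b")


@dataclass
class Instruction:
    line: int     # 1-based line where the instruction starts
    keyword: str  # RUN, FROM, COPY, ...
    args: str     # everything after the keyword, continuation lines joined


@dataclass
class Finding:
    line: int
    stage: str
    args: str


def parse_dockerfile(text: str) -> list[Instruction]:
    """Join backslash continuations and split instructions into keyword and args.
    Blank and comment lines are dropped; Dockerfile syntax allows them inside a continuation."""
    instructions: list[Instruction] = []
    buf: list[str] = []
    start = 0
    for idx, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not buf:
            start = idx
        if line.endswith("\\"):
            buf.append(line[:-1].rstrip())
            continue
        buf.append(line)
        keyword, _, args = " ".join(buf).partition(" ")
        buf = []
        instructions.append(Instruction(start, keyword.upper(), args.strip()))
    return instructions


def _shell_text(args: str) -> str:
    """Flatten exec-form RUN (a JSON array) so the same regexes apply to it."""
    if args.startswith("["):
        try:
            return " ".join(json.loads(args))
        except (ValueError, TypeError):
            pass
    return args


def check_yarn_cache_clean(text: str, strict: bool = True) -> list[Finding]:
    """Return RUN instructions that run `yarn install` without `yarn cache clean`.
    strict=True requires the clean in the same RUN; strict=False also accepts a
    clean in a later RUN of the same build stage."""
    stages: list[list[Instruction]] = []
    names: list[str] = []
    for ins in parse_dockerfile(text):
        if ins.keyword == "FROM":  # every FROM opens a new build stage
            stages.append([])
            m = re.search(r"\bAS\s+(\S+)", ins.args, re.IGNORECASE)
            names.append(m.group(1) if m else f"stage{len(stages) - 1}")
        elif stages:
            stages[-1].append(ins)
    findings: list[Finding] = []
    for name, stage in zip(names, stages):
        runs = [(i.line, _shell_text(i.args)) for i in stage if i.keyword == "RUN"]
        for pos, (line, cmd) in enumerate(runs):
            if not YARN_INSTALL.search(cmd) or YARN_CACHE_CLEAN.search(cmd):
                continue
            if not strict and any(YARN_CACHE_CLEAN.search(c) for _, c in runs[pos + 1:]):
                continue
            findings.append(Finding(line, name, cmd))
    return findings


if __name__ == "__main__":
    for label, df in [("non-compliant", NONCOMPLIANT), ("same RUN", COMPLIANT_SAME_RUN), ("later RUN", LATER_RUN)]:
        for mode in (True, False):
            hits = [(f.line, f.stage) for f in check_yarn_cache_clean(df, strict=mode)]
            print(f"{label:14} strict={mode!s:5} -> {hits}")
```

Running the script prints both modes for the three samples: the non-compliant file is flagged either way, the chained form never is, and the later-RUN file is flagged only in strict mode. Strict mode is the one to wire into CI if the goal is a smaller image rather than only a passing scan, because the cache committed in the earlier layer is not removed by the later clean.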
Compliant Code Examples
```dockerfile
FROM node:18-alpine AS builder

LABEL maintainer="frontend-team@example.com"
LABEL description="Vue.js application builder with proper cache cleanup"

# Install system dependencies for node-gyp
RUN apk add --no-cache \
    python3 \
    make \
    g++ \
    git

WORKDIR /build

# Set yarn configuration for optimal performance
RUN yarn config set network-timeout 300000

# Copy package files for dependency installation
COPY package.json yarn.lock ./

# Negative case 1: yarn install with cache clean in the same RUN (reduces image size)
RUN yarn install \
    && yarn cache clean

# Copy application source code
COPY . .

# Run linting
RUN yarn lint

# Build the application for production
RUN yarn build

# Production stage
FROM nginx:1.25-alpine

LABEL maintainer="frontend-team@example.com"
LABEL description="Production Vue.js application with Nginx"
LABEL version="2.1.0"

# Install curl for health checks
RUN apk add --no-cache curl

# Copy built application from builder
COPY --from=builder /build/dist /usr/share/nginx/html

# Copy custom nginx configuration
COPY nginx.conf /etc/nginx/nginx.conf
COPY default.conf /etc/nginx/conf.d/default.conf

# Create cache directory with proper permissions
RUN mkdir -p /var/cache/nginx && \
    chown -R nginx:nginx /var/cache/nginx && \
    chmod -R 755 /var/cache/nginx

# Negative case 2.1: yarn install, with the cache clean in a later RUN of the same stage
# (rule test fixture: the nginx image does not ship yarn, so this stage is not buildable as-is)
RUN yarn install

# Remove default nginx config
RUN rm -f /etc/nginx/conf.d/default.conf.dpkg-dist

# Negative case 2.2: yarn cache clean in a separate RUN satisfies the rule,
# but the cache already committed to the earlier layer stays in the image
RUN yarn cache clean

# Set proper permissions
RUN chown -R nginx:nginx /usr/share/nginx/html

# Expose HTTP port
EXPOSE 80

# Health check for the application
HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
    CMD curl -f http://localhost/health || exit 1

# Switch to non-root user
USER nginx

# Start nginx
CMD ["nginx", "-g", "daemon off;"]
```
Non-Compliant Code Examples
```dockerfile
FROM node:18-alpine AS builder

LABEL maintainer="frontend-team@example.com"
LABEL description="React application builder without cache cleanup"

# Install system dependencies
RUN apk add --no-cache \
    python3 \
    make \
    g++

WORKDIR /build

# Copy package files
COPY package.json yarn.lock ./

# Positive case: yarn install without cache clean (leaves cache, increases image size)
RUN yarn install

# Copy application source
COPY . .

# Build the application
RUN yarn build

# Production stage
FROM node:18-alpine

LABEL maintainer="frontend-team@example.com"
LABEL description="Production React application"

# Install serve to run the static site
RUN apk add --no-cache curl && \
    yarn global add serve

WORKDIR /app

# Copy built application from builder
COPY --from=builder /build/dist ./dist

# Create application user
RUN addgroup -g 1001 nodeapp && \
    adduser -D -u 1001 -G nodeapp nodeapp && \
    chown -R nodeapp:nodeapp /app

# Set environment variables
ENV NODE_ENV=production \
    PORT=3000

# Expose application port
EXPOSE 3000

USER nodeapp

CMD ["serve", "-s", "dist", "-l", "3000"]
```
Ruleset configuration that enables this rule:

```yaml
rulesets:
  - Dockerfile # Rules to enforce
```