For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/dockerfile-unpinned-package-version-in-apk-add.md. A documentation index is available at /llms.txt.

Unpinned package version in apk add

This product is not supported for your selected Datadog site. ().

Metadata

Id: dockerfile-unpinned-package-version-in-apk-add

Platform: Dockerfile

Severity: Medium

Category: Supply-Chain

Learn More

Description

Alpine packages installed in Dockerfile RUN instructions should be version-pinned to prevent supply-chain risks and ensure reproducible builds. Unpinned packages can pull in newer, potentially vulnerable or incompatible versions on rebuilds.

This rule inspects Dockerfile RUN instructions that invoke apk add and requires each package token to use the pinning form package=version. Flags such as --virtual, -t, and short options like -v are ignored when identifying package names. Alphabetic tokens following apk add that are not option flags and do not include =version will be flagged.

Resources with packages like apk add curl (no version) will be reported. Update RUN lines to pin package versions.

Secure example:

RUN apk add --no-cache ca-certificates=20210512 curl=7.79.1

Compliant Code Examples

FROM alpine:3.4
RUN apk add --update py-pip=7.1.2-r0
RUN sudo pip install --upgrade pip
COPY requirements.txt /usr/src/app/
RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
COPY app.py /usr/src/app/
COPY templates/index.html /usr/src/app/templates/
EXPOSE 5000
CMD ["python", "/usr/src/app/app.py"]

FROM alpine:3.1
RUN apk add py-pip=7.1.2-r0
RUN ["apk", "add", "py-pip=7.1.2-r0"]
RUN sudo pip install --upgrade pip
COPY requirements.txt /usr/src/app/
RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
COPY app.py /usr/src/app/
COPY templates/index.html /usr/src/app/templates/
EXPOSE 5000
CMD ["python", "/usr/src/app/app.py"]

FROM alpine:3.4
RUN apk add --update py-pip=7.1.2-r0
RUN sudo pip install --upgrade pip
COPY requirements.txt /usr/src/app/
RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
COPY app.py /usr/src/app/
COPY templates/index.html /usr/src/app/templates/
EXPOSE 5000
CMD ["python", "/usr/src/app/app.py"]

FROM alpine:3.1
RUN apk add --virtual .test py-pip=7.1.2-r0
RUN apk --quiet --update --no-cache add libstdc++==11.2.1_git20220219-r2
RUN ["apk", "add", "--virtual .test", "py-pip=7.1.2-r0"]
RUN sudo pip install --upgrade pip
COPY requirements.txt /usr/src/app/
RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
COPY app.py /usr/src/app/
COPY templates/index.html /usr/src/app/templates/
EXPOSE 5000
CMD ["python", "/usr/src/app/app.py"]

Non-Compliant Code Examples

FROM alpine:3.9
RUN apk add --update py-pip
RUN sudo pip install --upgrade pip
COPY requirements.txt /usr/src/app/
RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
COPY app.py /usr/src/app/
COPY templates/index.html /usr/src/app/templates/
EXPOSE 5000
ENV TEST="test"
CMD ["python", "/usr/src/app/app.py"]

FROM alpine:3.7
RUN apk add py-pip && apk add tea
RUN apk add py-pip \
    && rm -rf /tmp/*
RUN apk add --dir /dir libimagequant \
    && minidlna
RUN ["apk", "add", "py-pip"]
RUN sudo pip install --upgrade pip
COPY requirements.txt /usr/src/app/
RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
COPY app.py /usr/src/app/
COPY templates/index.html /usr/src/app/templates/
EXPOSE 5000
CMD ["python"]