---
title: Package update without install in same RUN
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Infrastructure as Code (IaC)
  Security > IaC Security Rules > Package update without install in same RUN
---

# Package update without install in same RUN

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**Id:** `dockerfile-update-instruction-alone`

**Platform:** Dockerfile

**Severity:** Low

**Category:** Build Process

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run)

### Description{% #description %}

Separating a package index update from the package installation across multiple Dockerfile `RUN` instructions can cause builds to use cached layers and install packages from stale indexes. This increases the risk of including outdated or vulnerable package versions in the image.

This check examines Dockerfile `RUN` commands (resources where `Cmd == "run"` and `Value` contains the command string) and verifies that when a package-manager updater is invoked (examples: `apt-get update`, `apt update`, `apk update`, `yum update`, `dnf update`, `zypper refresh`, `pacman -Syu`) it is followed in the same `RUN` statement by the corresponding installer command (for example, `apt-get install`/`apt install`, `apk add`, `yum install`, `dnf install`, `zypper install`, and `pacman -S`). Resources that run an update without an install in the same `RUN`, or that place the install in a later `RUN` instruction, will be flagged.

Secure examples that combine update and install in one `RUN`:

```dockerfile
RUN apt-get update && apt-get install -y --no-install-recommends package1 package2 && rm -rf /var/lib/apt/lists/*
```

```dockerfile
RUN apk update && apk add --no-cache package1 package2
```
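The check described above, as an added Python example (my own construction, not Datadog's implementation): it joins backslash-continued `RUN` lines, accepts the exec form, and flags any `RUN` whose command invokes one of the listed updaters without the paired installer in the same instruction. The tool/verb pairs follow the description; the regexes and the treatment of `apk --update add` / `apk -U add` as installer-with-option (matching the compliant examples) are my assumptions.

```python
import json
import re

# (tool, updater verb, installer verb) pairs from the rule description.
PAIRS = [("apt-get", "update", "install"), ("apt", "update", "install"),
         ("apk", "update", "add"), ("yum", "update", "install"),
         ("dnf", "update", "install"), ("zypper", "refresh", "install"),
         ("pacman", "-Syu", "-S")]

def _verb_re(tool: str, verb: str) -> re.Pattern:
    # tool, any dash-options (-y, -U, --update), then the verb as a whole token
    return re.compile(rf"\b{re.escape(tool)}\b(?:\s+-\S+)*\s+{re.escape(verb)}\b")

CHECKS = [(_verb_re(t, u), _verb_re(t, i)) for t, u, i in PAIRS]

def run_commands(dockerfile: str) -> list[str]:
    """Command text of every RUN instruction, with backslash continuations joined."""
    logical, buf = [], ""
    for raw in dockerfile.splitlines():
        line = raw.rstrip()
        if line.lstrip().startswith("#") or (not buf and not line.strip()):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        logical.append(buf + line)
        buf = ""
    cmds = []
    for inst in logical:
        m = re.match(r"\s*RUN\s+(.*)", inst, re.IGNORECASE)
        if m:
            body = m.group(1).strip()
            if body.startswith("["):  # exec form: RUN ["apk", "update"]
                body = " ".join(json.loads(body))
            cmds.append(body)
    return cmds

def find_violations(dockerfile: str) -> list[str]:
    """RUN commands that invoke an updater without its installer in the same RUN."""
    return [cmd for cmd in run_commands(dockerfile)
            if any(u.search(cmd) and not i.search(cmd) for u, i in CHECKS)]

# Constructed sample: the page's first non-compliant example.
SAMPLE = "FROM alpine:latest\nRUN apk update\nRUN apk add nginx\n"

if __name__ == "__main__":
    for cmd in find_violations(SAMPLE):
        print("update without install in same RUN:", cmd)
```

Running it against the sample reports `apk update`; the compliant examples on this page produce no findings.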

## Compliant Code Examples{% #compliant-code-examples %}

```dockerfile
FROM ubuntu:18.04
RUN apt-get update \
    && apt-get install -y --no-install-recommends mysql-client \
    && rm -rf /var/lib/apt/lists/*
RUN apk update \
    && apk add --no-cache git ca-certificates
RUN apk --update add easy-rsa
ENTRYPOINT ["mysql"]
```

```dockerfile
FROM alpine:latest
RUN apk update && apk add nginx
RUN apk --update-cache add vim
RUN apk -U add nano

CMD ["nginx", "-g", "daemon off;"]
```

```dockerfile
FROM alpine:latest
RUN apk --update add nginx
RUN apk add --update nginx

CMD ["nginx", "-g", "daemon off;"]
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```dockerfile
FROM alpine:latest
RUN apk update
RUN apk add nginx

CMD ["nginx", "-g", "daemon off;"]
```

```dockerfile
FROM opensuse:latest
RUN zypper refresh
RUN zypper install nginx

CMD ["nginx", "-g", "daemon off;"]
```

```dockerfile
FROM debian:latest
RUN apt update
RUN apt install nginx

CMD ["nginx", "-g", "daemon off;"]
```
