For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/dockerfile-update-instruction-alone.md. A documentation index is available at /llms.txt.

Package update without install in same RUN

This product is not supported for your selected Datadog site. ().

Metadata

Id: dockerfile-update-instruction-alone

Platform: Dockerfile

Severity: Low

Category: Build Process

Learn More

Description

Separating a package index update from the package installation across multiple Dockerfile RUN instructions can cause builds to use cached layers and install packages from stale indexes. This increases the risk of including outdated or vulnerable package versions in the image.

This check examines Dockerfile RUN commands (resources where Cmd == "run" and Value contains the command string) and verifies that when a package-manager updater is invoked (examples: apt-get update, apt update, apk update, yum update, dnf update, zypper refresh, pacman -Syu) it is followed in the same RUN statement by the corresponding installer command (for example, apt-get install/apt install, apk add, yum install, dnf install, zypper install, and pacman -S). Resources that run an update without an install in the same RUN, or that place the install in a later RUN instruction, will be flagged.

Secure examples that combine update and install in one RUN:

RUN apt-get update && apt-get install -y --no-install-recommends package1 package2 && rm -rf /var/lib/apt/lists/*

RUN apk update && apk add --no-cache package1 package2

Compliant Code Examples

FROM ubuntu:18.04
RUN apt-get update \
    && apt-get install -y --no-install-recommends mysql-client \
    && rm -rf /var/lib/apt/lists/*
RUN apk update \
    && apk add --no-cache git ca-certificates
RUN apk --update add easy-rsa
ENTRYPOINT ["mysql"]

FROM alpine:latest
RUN apk update && apk add nginx
RUN apk --update-cache add vim
RUN apk -U add nano

CMD ["nginx", "-g", "daemon off;"]

FROM alpine:latest
RUN apk --update add nginx
RUN apk add --update nginx

CMD ["nginx", "-g", "daemon off;"]

Non-Compliant Code Examples

FROM alpine:latest
RUN apk update
RUN apk add nginx

CMD ["nginx", "-g", "daemon off;"]

FROM opensuse:latest
RUN zypper refresh
RUN zypper install nginx

CMD ["nginx", "-g", "daemon off;"]

FROM debian:latest
RUN apt update
RUN apt install nginx

CMD ["nginx", "-g", "daemon off;"]