For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/dockerfile/apt_get_install_lists_were_not_deleted.md. A documentation index is available at /llms.txt.

Metadata

Id: df746b39-6564-4fed-bf85-e9c44382303c

Cloud Provider: Dockerfile

Platform: Dockerfile

Severity: Low

Category: Supply-Chain


Description

Leaving the apt package index files (/var/lib/apt/lists/*) and the downloaded .deb cache in a built image after apt-get install increases image size and retains package metadata. The image is larger to distribute, and the retained index tells anyone with access to the image which repositories it was built against and which package versions were available and installed, which is useful reconnaissance for an attacker and is rarely needed at runtime.

This rule inspects every Dockerfile RUN instruction that invokes apt-get install and requires that the same RUN command also clean up, either by running apt-get clean or by removing /var/lib/apt/lists/* (for example, rm -rf /var/lib/apt/lists/*). The cleanup must come after the install within that RUN, chained with && or ;. A separate RUN rm -rf /var/lib/apt/lists/* in a later instruction does not satisfy the rule and does not shrink the image: each RUN produces its own layer, so the lists committed by the install layer remain in the image even though the final filesystem view no longer shows them.

Note that apt-get clean only empties the downloaded package cache under /var/cache/apt/archives; it does not touch /var/lib/apt/lists, and on the official debian images that cache is already discarded automatically by /etc/apt/apt.conf.d/docker-clean. The rule accepts either command, but to actually drop the index files from the layer, include the rm -rf /var/lib/apt/lists/* step as well, as in the secure example. Chaining with && (or set -e with ;) also makes a failed install fail the build instead of silently committing a layer with a half-finished install.

Secure example:

RUN apt-get update && apt-get install -y curl \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/*

Compliant Code Examples

FROM busyboxneg1
RUN apt-get update && apt-get install --no-install-recommends -y python \
  && apt-get clean \
  && rm -rf /var/lib/apt/lists/*

FROM busyboxneg2
RUN apt-get update && apt-get install --no-install-recommends -y python && apt-get clean

FROM busyboxneg3
RUN apt-get update && apt-get install --no-install-recommends -y python \
  && apt-get clean

FROM busyboxneg4
RUN apt-get update && apt-get install --no-install-recommends -y python \
  && rm -rf /var/lib/apt/lists/*

FROM busyboxneg5
RUN apt-get update; \
  apt-get install --no-install-recommends -y python; \
  apt-get clean; \
  rm -rf /var/lib/apt/lists/*

FROM busyboxneg6
RUN apt-get update; \
  apt-get install --no-install-recommends -y python; \
  apt-get clean

FROM busyboxneg7
RUN set -eux; \
	apt-get update; \
	apt-get install -y --no-install-recommends package=0.0.0; \
	rm -rf /var/lib/apt/lists/*

Non-Compliant Code Examples

FROM busybox5
RUN set -eux; \
	apt-get update; \
	apt-get install -y --no-install-recommends package=0.0.0

FROM busybox1
RUN apt-get update && apt-get install --no-install-recommends -y python

FROM busybox2
RUN apt-get install python

FROM busybox3
RUN apt-get update && apt-get install --no-install-recommends -y python
RUN rm -rf /var/lib/apt/lists/*

FROM busybox4
RUN apt-get update && apt-get install --no-install-recommends -y python
RUN rm -rf /var/lib/apt/lists/*
RUN apt-get clean