---
title: Changing default shell using RUN command
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Infrastructure as Code (IaC)
  Security > IaC Security Rules > Changing default shell using RUN command
---

# Changing default shell using RUN command

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**Id:** `8a301064-c291-4b20-adcb-403fe7fd95fd`

**Cloud Provider:** Dockerfile

**Platform:** Dockerfile

**Severity:** Medium

**Category:** Best Practices

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.docker.com/engine/reference/builder/#shell)

### Description{% #description %}

Changing the image's default shell by running shell binaries or user-modifying commands in a `RUN` instruction instead of using the Dockerfile `SHELL` instruction can produce inconsistent build vs. runtime behavior and cause subsequent instructions to be interpreted under unexpected shell parsing rules. This increases the risk of misinterpreted commands or injection vulnerabilities.

This rule flags Dockerfile `RUN` instructions where the invoked command is `mv`, `chsh`, `usermod`, or `ln` and their arguments reference common shell paths (for example, `/bin/bash`, `/bin/sh`, `/usr/bin/zsh`). It also flags `RUN` invocations that call `powershell` directly. The intended default shell should be defined with the `SHELL` instruction.

Resources that attempt to edit `/etc/passwd`, symlink shell binaries, or invoke PowerShell via `RUN` will be flagged. For Windows images, the JSON-array form of `SHELL` is preferred to ensure proper argument handling.

Secure examples:

```dockerfile
# Unix/Linux: set bash as the default shell for subsequent instructions
SHELL ["/bin/bash", "-lc"]
```

```dockerfile
# Windows/PowerShell: set PowerShell as the default shell for subsequent instructions
SHELL ["powershell", "-Command"]
```
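The checker below is an added example, not Datadog's rule engine: it walks a Dockerfile the way the description above says the rule does (RUN lines whose command is `mv`, `chsh`, `usermod` or `ln` pointed at a shell path, or `powershell`), joining backslash continuations, accepting exec and shell form, and splitting `&&`/`||`/`;` chains so a shell swap hidden after a package install is still reported. The shell-path list, the `.exe` stripping and the `sudo` skip are assumptions that approximate the rule, not its actual matching logic.

```python
import json
import re
import shlex

SHELL_EDIT_CMDS = {"mv", "chsh", "usermod", "ln"}  # commands that move, replace or reassign a shell
SHELL_PATH_RE = re.compile(r"^/(usr/)?bin/(sh|bash|zsh|dash|ash|ksh|fish)$")  # assumed "common shell paths"
SEPARATORS = {"&&", "||", ";"}  # tokens that chain commands in a shell-form RUN

def _logical_lines(text):
    """Yield (line_no, instruction) with backslash continuations joined; comments and blanks skipped."""
    buf, start = [], 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not buf and (not line or line.startswith("#")):
            continue
        start, buf = start or no, buf + [line.rstrip("\\")]
        if not line.endswith("\\"):
            yield start, " ".join(buf)
            buf, start = [], 0

def _run_argv(instruction):
    """argv of a RUN instruction (exec/JSON or shell form); [] for any other instruction."""
    m = re.match(r"RUN\s+(.*)$", instruction, re.IGNORECASE)
    body = m.group(1) if m else ""
    try:
        return [str(a) for a in json.loads(body)] if body.startswith("[") else shlex.split(body)
    except ValueError:
        return body.split()  # malformed JSON or quoting: fall back to a whitespace split

def find_shell_changing_runs(text):
    """Return [(line_no, reason)] for every RUN command this rule would flag."""
    findings = []
    for no, instr in _logical_lines(text):
        segment = []
        for tok in _run_argv(instr) + [";"]:  # trailing sentinel flushes the last segment
            if tok not in SEPARATORS:
                segment.append(tok)
                continue
            words, segment = [w for w in segment if w != "sudo"], []  # assumption: ignore a leading sudo
            cmd = words[0].rsplit("/", 1)[-1].lower().removesuffix(".exe") if words else ""
            if cmd == "powershell" or (cmd in SHELL_EDIT_CMDS and any(map(SHELL_PATH_RE.match, words[1:]))):
                findings.append((no, f"RUN {cmd} changes the default shell; use the SHELL instruction instead"))
    return findings

SAMPLE = """FROM alpine:3.5
RUN apk add bash && \\
    ln -sfv /bin/bash /bin/sh
RUN powershell -command
"""  # constructed sample mirroring the page's non-compliant lines; expected hits on lines 2 and 4
```

Running `find_shell_changing_runs(SAMPLE)` reports line 2 (the `ln` hidden behind `&&` on a continued line) and line 4 (the bare `powershell` call), while `SHELL [...]` instructions and `ln` calls that do not touch a shell path are left alone.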

## Compliant Code Examples{% #compliant-code-examples %}

```dockerfile
FROM alpine:3.5
RUN apk add --update py2-pip
RUN sudo yum install -y bundler
RUN yum install
SHELL ["cmd", "/S", "/C"]
COPY requirements.txt /usr/src/app/
RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
COPY app.py /usr/src/app/
COPY templates/index.html /usr/src/app/templates/
EXPOSE 5000
CMD ["python", "/usr/src/app/app.py"]
```

```dockerfile
FROM alpine:3.5
RUN apk add --update py2-pip
RUN sudo yum install -y bundler
RUN yum install
SHELL ["/bin/sh", "-c"]
COPY requirements.txt /usr/src/app/
RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
COPY app.py /usr/src/app/
COPY templates/index.html /usr/src/app/templates/
EXPOSE 5000
CMD ["python", "/usr/src/app/app.py"]
```

```dockerfile
FROM alpine:3.5
RUN apk add --update py2-pip
RUN sudo yum install -y bundler
RUN yum install
SHELL ["/bin/bash", "-c"]
COPY requirements.txt /usr/src/app/
RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
COPY app.py /usr/src/app/
COPY templates/index.html /usr/src/app/templates/
EXPOSE 5000
CMD ["python", "/usr/src/app/app.py"]
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```dockerfile
FROM alpine:3.5
RUN apk add --update py2-pip
RUN sudo yum install -y bundler
RUN yum install
RUN powershell -command
COPY requirements.txt /usr/src/app/
RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
COPY app.py /usr/src/app/
COPY templates/index.html /usr/src/app/templates/
EXPOSE 5000
CMD ["python", "/usr/src/app/app.py"]
```

```dockerfile
FROM alpine:3.5
RUN apk add --update py2-pip
RUN sudo yum install -y bundler
RUN yum install
RUN ln -sfv /bin/bash /bin/sh
COPY requirements.txt /usr/src/app/
RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
COPY app.py /usr/src/app/
COPY templates/index.html /usr/src/app/templates/
EXPOSE 5000
CMD ["python", "/usr/src/app/app.py"]
```
