---
title: Missing dnf clean all
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Infrastructure as Code (IaC)
  Security > IaC Security Rules > Missing dnf clean all
---

# Missing dnf clean all

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**Id:** `295acb63-9246-4b21-b441-7c1f1fb62dc0`

**Cloud Provider:** Dockerfile

**Platform:** Dockerfile

**Severity:** Low

**Category:** Best Practices

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.docker.com/develop/develop-images/dockerfile_best-practices/)

### Description{% #description %}

When Dockerfile `RUN` commands install packages with DNF and do not remove package caches, the resulting image retains package metadata and cached packages which increase image size and can broaden the attack surface or complicate vulnerability management.

This rule checks Dockerfile `RUN` instructions: any `RUN` that contains a `dnf install` command (including variants such as `dnf in`, `dnf reinstall`, `dnf rei`, `dnf install-n`, `dnf install-na`, `dnf install-nevra`) must be followed by a `dnf clean all` invocation. The `dnf clean all` may appear in the same `RUN` (recommended, chained with `&&`) or in a subsequent `RUN` later in the Dockerfile. `RUN` commands that perform a dnf install but have no later `RUN` containing `dnf clean` will be flagged.

Secure example with cleanup in the same `RUN`:

```dockerfile
FROM fedora:latest
RUN dnf -y install my-package && dnf clean all && rm -rf /var/cache/dnf
```
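The rule as described above (a `RUN` with a `dnf install` variant must be followed, in the same `RUN` or a later one, by `dnf clean`) is simple enough to reproduce as a standalone check. The following Python script is an added example written for this page, not Datadog's scanner or its rule implementation. It joins Dockerfile line continuations, groups instructions by build stage, and reports the starting line of each offending `RUN`. Two points are assumptions: the `final_stage_only` default (only the last stage's filesystem ends up in the image, which is consistent with the multi-stage compliant example below, but the exact stage handling of the Datadog rule is not stated on the page), and the sample Dockerfiles, which are constructed here after the page's examples.

```python
import re
from dataclasses import dataclass

# "dnf install" and the variants named in the rule description, allowing
# options such as -y or --setopt=... between "dnf" and the subcommand.
_DNF_INSTALL = re.compile(
    r"\bdnf\b(?:\s+-\S+)*\s+(?:install(?:-n|-na|-nevra)?|in|reinstall|rei)\b"
)
# Any "dnf clean ..." counts as cleanup, matching the wording "contains dnf clean".
_DNF_CLEAN = re.compile(r"\bdnf\b(?:\s+-\S+)*\s+clean\b")


@dataclass
class Instruction:
    line: int      # 1-based line where the instruction starts
    keyword: str   # e.g. "FROM", "RUN"
    args: str      # arguments with backslash continuations joined


def parse_dockerfile(text: str) -> list[Instruction]:
    """Minimal Dockerfile parser: drops comments/blank lines, joins continuations."""
    instructions, buf, start = [], [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # comment lines are removed even inside a continuation
        if start is None:
            start = lineno
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        parts = " ".join(p.strip() for p in buf).split(None, 1)
        instructions.append(Instruction(start, parts[0].upper(),
                                        parts[1].strip() if len(parts) > 1 else ""))
        buf, start = [], None
    if buf:  # dangling continuation at end of file
        parts = " ".join(p.strip() for p in buf).split(None, 1)
        instructions.append(Instruction(start, parts[0].upper(),
                                        parts[1].strip() if len(parts) > 1 else ""))
    return instructions


def split_stages(instructions: list[Instruction]) -> list[list[Instruction]]:
    """Group instructions by build stage (each FROM starts a new stage)."""
    stages, current = [], []
    for ins in instructions:
        if ins.keyword == "FROM" and current:
            stages.append(current)
            current = []
        current.append(ins)
    if current:
        stages.append(current)
    return stages


def find_missing_dnf_clean(text: str, final_stage_only: bool = True) -> list[int]:
    """Return start lines of RUNs that dnf-install without a dnf clean in the
    same RUN or any later RUN of the same stage (assumption: final stage only)."""
    stages = split_stages(parse_dockerfile(text))
    findings = []
    for stage in (stages[-1:] if final_stage_only else stages):
        runs = [ins for ins in stage if ins.keyword == "RUN"]
        for i, run in enumerate(runs):
            if _DNF_INSTALL.search(run.args) and not any(
                _DNF_CLEAN.search(later.args) for later in runs[i:]
            ):
                findings.append(run.line)
    return findings


# Constructed samples, modelled on the page's examples (not the page's own files).
NON_COMPLIANT = """\
FROM fedora:27
RUN set -uex && \\
    dnf install -vy docker-ce
HEALTHCHECK CMD curl --fail http://localhost:3000 || exit 1
"""

LATER_RUN = """\
FROM fedora:latest
RUN dnf -y install my-package
# cleanup in a later RUN also satisfies the rule
RUN dnf clean all && rm -rf /var/cache/dnf
"""

MULTISTAGE = """\
FROM golang:1.16 AS builder
RUN dnf install -vy docker-ce

FROM alpine:latest
RUN apk --no-cache add ca-certificates
"""

if __name__ == "__main__":
    for name, src in [("non-compliant", NON_COMPLIANT), ("later-run", LATER_RUN),
                      ("multistage", MULTISTAGE)]:
        print(name, "->", find_missing_dnf_clean(src) or "ok")
```

Running the script reports line 2 for the non-compliant sample and nothing for the other two; passing `final_stage_only=False` also flags the builder stage of the multi-stage sample, which shows why stage handling matters when you write or tune a check like this.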

## Compliant Code Examples{% #compliant-code-examples %}

```dockerfile
FROM fedora:27
RUN set -uex && \
    dnf config-manager --add-repo https://download.docker.com/linux/fedora/docker-ce.repo && \
    sed -i 's/\$releasever/26/g' /etc/yum.repos.d/docker-ce.repo && \
    dnf install -vy docker-ce && \
    dnf clean all
HEALTHCHECK CMD curl --fail http://localhost:3000 || exit 1
```

```dockerfile
FROM golang:1.16 AS builder
WORKDIR /go/src/github.com/foo/href-counter/
RUN go get -d -v golang.org/x/net/html
COPY app.go    ./
RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o app .
RUN set -uex && \
    dnf config-manager --add-repo https://download.docker.com/linux/fedora/docker-ce.repo && \
    sed -i 's/\$releasever/26/g' /etc/yum.repos.d/docker-ce.repo && \
    dnf install -vy docker-ce

FROM alpine:latest
RUN apk --no-cache add ca-certificates
WORKDIR /root/
COPY --from=builder /go/src/github.com/foo/href-counter/app ./
CMD ["./app"]
RUN useradd -ms /bin/bash patrick

USER patrick
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```dockerfile
FROM fedora:27
RUN set -uex && \
    dnf config-manager --add-repo https://download.docker.com/linux/fedora/docker-ce.repo && \
    sed -i 's/\$releasever/26/g' /etc/yum.repos.d/docker-ce.repo && \
    dnf install -vy docker-ce
HEALTHCHECK CMD curl --fail http://localhost:3000 || exit 1
```
