---
title: pip install keeping cached packages
description: Datadog, the leading service for cloud-scale monitoring.
---

# pip install keeping cached packages

## Metadata{% #metadata %}

**Id:** `f2f903fb-b977-461e-98d7-b3e2185c6118`

**Cloud Provider:** Dockerfile

**Platform:** Dockerfile

**Severity:** Low

**Category:** Best Practices

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.docker.com/develop/develop-images/dockerfile_best-practices/)

### Description{% #description %}

Dockerfile `RUN` instructions that invoke `pip` or `pip3` should include the `--no-cache-dir` flag to prevent pip from leaving downloaded package caches in image layers. Cached packages increase image size and retain unnecessary artifacts that broaden the attack surface and complicate image hygiene.

This rule inspects Dockerfile `RUN` commands and flags any `RUN` that calls `pip` or `pip3` with an `install` subcommand but does not include `--no-cache-dir`. Both shell-form and exec-form `RUN` entries are checked. Any `RUN` instruction that uses `pip install` or `pip3 install` without `--no-cache-dir` is reported.

Secure example:

```dockerfile
RUN pip install --no-cache-dir -r requirements.txt
```
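An added sketch of the check described above, not Datadog's rule implementation: it joins continued lines, parses both `RUN` forms, and evaluates each chained command on its own. Per-command evaluation, matching `pip` anywhere in a command (so `python -m pip` counts), and all function names are assumptions of this example.

```python
import json
import shlex
from itertools import groupby

PIP_NAMES = {"pip", "pip3"}
OPERATORS = {"&&", "||", ";", "|", "&"}  # shell separators between commands

def logical_lines(text):
    """Yield (first_line_no, text) with backslash continuations joined."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if line.lstrip().startswith("#"):  # comment lines vanish, even mid-continuation
            continue
        buf, start = buf + line.rstrip("\\") + " ", start or no
        if not line.endswith("\\"):
            yield start, buf.strip()
            buf, start = "", None

def commands(body):
    """Return one argv list per command in a RUN body (exec or shell form)."""
    if body.startswith("["):
        try:
            return [[str(a) for a in json.loads(body)]]
        except ValueError:  # e.g. `[ -f x ] && ...` is really shell form
            pass
    lex = shlex.shlex(body, posix=True, punctuation_chars=True)
    lex.whitespace_split = True  # break only on whitespace and shell operators
    return [list(g) for is_op, g in groupby(lex, OPERATORS.__contains__) if not is_op]

def is_uncached_install(argv):  # assumption: pip may appear anywhere in the command
    idx = next((i for i, a in enumerate(argv) if a.rsplit("/", 1)[-1] in PIP_NAMES), None)
    return idx is not None and "install" in argv[idx + 1:] and "--no-cache-dir" not in argv

def find_violations(dockerfile):
    """Return [(line_no, command)] for each pip install lacking --no-cache-dir."""
    runs = ((no, line.split(None, 1)) for no, line in logical_lines(dockerfile))
    return [(no, " ".join(c)) for no, p in runs if len(p) == 2 and p[0].upper() == "RUN"
            for c in commands(p[1]) if is_uncached_install(c)]

# Constructed sample input, not taken from a real project.
SAMPLE = """\
FROM python:3
RUN pip install --no-cache-dir --upgrade pip && \\
    pip install nibabel pydicom
RUN python -m pip install matplotlib
RUN ["pip3", "install", "requests==2.7.0"]
RUN ["pip3", "install", "requests==2.7.0", "--no-cache-dir"]
"""
```

Calling `find_violations(SAMPLE)` reports the second command of the chained `RUN`, which shows that a flag on one `pip install` in a `&&` chain does not cover the others.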

## Compliant Code Examples{% #compliant-code-examples %}

```dockerfile
FROM python:3
RUN pip install --no-cache-dir --upgrade pip && \
    pip install --no-cache-dir nibabel pydicom matplotlib pillow && \
    pip install --no-cache-dir med2image
RUN pip3 install --no-cache-dir requests==2.7.0
RUN ["pip3", "install", "requests==2.7.0", "--no-cache-dir"]
CMD ["cat", "/etc/os-release"]
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```dockerfile
FROM python:3
RUN pip install --upgrade pip && \
    pip install nibabel pydicom matplotlib pillow && \
    pip install med2image
CMD ["cat", "/etc/os-release"]

FROM python:3.1
RUN pip install --upgrade pip
RUN python -m pip install nibabel pydicom matplotlib pillow
RUN pip3 install requests==2.7.0
RUN ["pip3", "install", "requests==2.7.0"]
CMD ["cat", "/etc/os-release"]
```
