
Metadata

Id: efbf148a-67e9-42d2-ac47-02fa1c0d0b22

Cloud Provider: Dockerfile

Platform: Dockerfile

Severity: Low

Category: Insecure Defaults

Description

Pipeline commands executed by POSIX shells must enable the pipefail option so that a failure in any stage of a pipeline makes the whole command fail. Without pipefail, a pipeline's exit status is that of its last command only, so earlier command failures are masked and CI/build steps or image contents may be left in an inconsistent or insecure state.

This check targets Dockerfile-style instructions: RUN commands that invoke a shell (bash, zsh, ash, /bin/bash, /bin/zsh, /bin/ash) and contain a pipe character (|) must have pipefail enabled either via a preceding SHELL instruction that includes -o pipefail or by enabling it in the RUN command itself. Resources will be flagged when a RUN with a pipeline is present and there is no prior SHELL instruction with -o pipefail and the RUN does not explicitly enable pipefail. PowerShell-style commands are excluded. Fixes include setting a global shell with pipefail or prefixing pipeline commands with set -o pipefail (see examples below).

Secure configuration with a global SHELL in a Dockerfile:

SHELL ["/bin/bash", "-o", "pipefail", "-c"]
RUN command1 | command2

Secure inline option for a single RUN:

RUN set -o pipefail; command1 | command2

Compliant Code Examples

FROM node:12
# PowerShell-style commands are excluded from this rule
RUN pwsh SOME_CMD | SOME_OTHER_CMD
# Global shell with pipefail; -c is needed so the RUN text is passed to the shell as a command string
SHELL [ "zsh", "-o", "pipefail", "-c" ]
RUN zsh ./some_output | ./some_script
SHELL [ "/bin/bash", "-o", "pipefail", "-c" ]
# Exec form without a pipe character, so the rule does not apply
RUN [ "/bin/bash", "./some_output", "./some_script" ]

Non-Compliant Code Examples

FROM node:12
# Pipeline with no prior SHELL enabling pipefail and no inline set -o pipefail
RUN zsh ./some_output | ./some_script
# Exec form containing a pipe token is flagged as well
RUN [ "/bin/bash", "./some_output", "|", "./some_script" ]
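The detection logic described above, as an added Python example that is not Datadog's or the rule's own code: it tracks the most recent SHELL instruction and flags each RUN that names one of the listed shells and contains a pipe while pipefail is neither enabled globally nor set inline. It goes beyond the description in two assumed ways: a later SHELL without -o pipefail resets the state, and combined flags such as set -eo pipefail count as inline enablement; the sample Dockerfile is constructed from the non-compliant example.

```python
import json
import re

# Shells the rule looks for, as listed in the description; PowerShell is excluded.
POSIX_SHELLS = {"bash", "zsh", "ash", "/bin/bash", "/bin/zsh", "/bin/ash"}
POWERSHELL = {"pwsh", "powershell", "powershell.exe"}
# Inline enablement such as "set -o pipefail" or the combined form "set -eo pipefail" (assumption).
INLINE_PIPEFAIL = re.compile(r"\bset\s+-[A-Za-z]*o\s+pipefail\b")
SINGLE_PIPE = re.compile(r"(?<!\|)\|(?!\|)")  # a pipe, but not the "||" operator

# Constructed sample: the page's non-compliant Dockerfile.
SAMPLE = """FROM node:12
RUN zsh ./some_output | ./some_script
RUN [ "/bin/bash", "./some_output", "|", "./some_script" ]
"""

def _instructions(dockerfile):
    """Yield (INSTRUCTION, argument) pairs with backslash-newline continuations joined."""
    for line in re.sub(r"\\\r?\n", " ", dockerfile).splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            head, _, arg = line.partition(" ")
            yield head.upper(), arg.strip()

def _tokens(arg):
    """Return (tokens, is_exec_form): exec form is a JSON array, shell form is split."""
    if arg.startswith("["):
        try:
            return [str(t) for t in json.loads(arg)], True
        except ValueError:
            pass
    return arg.split(), False

def find_missing_pipefail(dockerfile):
    """Return the arguments of the RUN instructions the rule would flag, in order."""
    findings, pipefail_on = [], False
    for instr, arg in _instructions(dockerfile):
        toks, exec_form = _tokens(arg)
        if instr == "SHELL":
            # Docker applies the most recent SHELL, so one without pipefail resets the state.
            pipefail_on = any(a == "-o" and b == "pipefail" for a, b in zip(toks, toks[1:]))
        elif instr == "RUN" and toks and toks[0] not in POWERSHELL:
            piped = "|" in toks if exec_form else bool(SINGLE_PIPE.search(arg))
            invokes_shell = any(t in POSIX_SHELLS for t in toks)
            if piped and invokes_shell and not pipefail_on and not INLINE_PIPEFAIL.search(arg):
                findings.append(arg)
    return findings

print(find_missing_pipefail(SAMPLE))  # both RUN lines of SAMPLE are reported
```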