--- title: Package update without install in same RUN description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > Package update without install in same RUN --- # Package update without install in same RUN {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site). (). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **Id:** `9bae49be-0aa3-4de5-bab2-4c3a069e40cd` **Cloud Provider:** Dockerfile **Platform:** Dockerfile **Severity:** Low **Category:** Build Process #### Learn More{% #learn-more %} - [Provider Reference](https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run) ### Description{% #description %} Separating a package index update from the package installation across multiple Dockerfile `RUN` instructions can cause builds to use cached layers and install packages from stale indexes. This increases the risk of including outdated or vulnerable package versions in the image. This check examines Dockerfile `RUN` commands (resources where `Cmd == "run"` and `Value` contains the command string) and verifies that when a package-manager updater is invoked (examples: `apt-get update`, `apt update`, `apk update`, `yum update`, `dnf update`, `zypper refresh`, `pacman -Syu`) it is followed in the same `RUN` statement by the corresponding installer command (for example, `apt-get install`/`apt install`, `apk add`, `yum install`, `dnf install`, `zypper install`, and `pacman -S`). Resources that run an update without an install in the same `RUN`, or that place the install in a later `RUN` instruction, will be flagged. Secure examples that combine update and install in one `RUN`: ```dockerfile RUN apt-get update && apt-get install -y --no-install-recommends package1 package2 && rm -rf /var/lib/apt/lists/* ``` ```dockerfile RUN apk update && apk add --no-cache package1 package2 ``` ## Compliant Code Examples{% #compliant-code-examples %} ```dockerfile FROM ubuntu:18.04 RUN apt-get update && apt-get install -y --no-install-recommends mysql-client \ && rm -rf /var/lib/apt/lists/* RUN apk update ENTRYPOINT ["mysql"] ``` ```dockerfile FROM centos:latest RUN yum update && yum install nginx CMD ["nginx", "-g", "daemon off;"] ``` ```dockerfile FROM ubuntu:18.04 RUN apt-get update && apt-get install -y netcat \ apt-get update && apt-get install -y supervisor ENTRYPOINT ["mysql"] ``` ## Non-Compliant Code Examples{% #non-compliant-code-examples %} ```dockerfile FROM fedora:latest RUN dnf update RUN dnf install nginx CMD ["nginx", "-g", "daemon off;"] ``` ```dockerfile FROM opensuse:latest RUN zypper refresh RUN zypper install nginx CMD ["nginx", "-g", "daemon off;"] ``` ```dockerfile FROM ubuntu:18.04 RUN apt-get update RUN apt-get install -y --no-install-recommends mysql-client \ && rm -rf /var/lib/apt/lists/* RUN apk update ENTRYPOINT ["mysql"] ```