---
title: Using --platform flag with FROM command
description: Datadog, the leading service for cloud-scale monitoring.
---

# Using --platform flag with FROM command

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**Id:** `b16e8501-ef3c-44e1-a543-a093238099c9`

**Cloud Provider:** Dockerfile

**Platform:** Dockerfile

**Severity:** Low

**Category:** Best Practices

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.docker.com/engine/reference/builder/#from)

### Description{% #description %}

`FROM` instructions in Dockerfiles must not include the `--platform` flag. Overriding the target platform in the Dockerfile can cause builds to pull different, potentially unvetted or incompatible image variants, undermining image provenance, scanning, and supply-chain controls.

This rule checks `FROM` instructions and flags any use of the `--platform` flag. `FROM` lines should reference the intended image and tag without the `--platform` option. If a specific architecture is required, configure the build environment or manifest resolution outside the Dockerfile instead of embedding `--platform` in the instruction.

Secure example:

```dockerfile
FROM ubuntu:20.04
```
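The check described above can be sketched as a small script for a pre-commit hook or CI step. This is an added example, not Datadog's rule implementation: the function names are hypothetical, the default Dockerfile escape character (`\`) is assumed, and the first sample is abridged from this page while the second is constructed.

```python
import re

# FROM keyword (case-insensitive), any leading --flags, then the image reference.
FROM_RE = re.compile(r"^\s*FROM\s+((?:--\S+\s+)*)(\S+)", re.IGNORECASE)

def logical_lines(text):
    """Yield (first_line_no, text) per instruction, joining backslash
    continuations and dropping comment lines (default escape char assumed)."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        if raw.lstrip().startswith("#"):
            continue
        if start is None:
            start = no
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, buf + line
        buf, start = "", None
    if buf.strip():
        yield start, buf  # file ended in the middle of a continuation

def find_platform_overrides(dockerfile_text):
    """Return (line_no, image, platform_value) for every FROM with --platform."""
    findings = []
    for no, line in logical_lines(dockerfile_text):
        m = FROM_RE.match(line)
        if not m:
            continue
        for flag in m.group(1).split():
            name, _, value = flag.partition("=")
            if name == "--platform":
                findings.append((no, m.group(2), value))
    return findings

# Non-compliant sample abridged from this page, then a constructed multi-line variant.
NON_COMPLIANT = """FROM alpine:3.5
RUN apk add --update py2-pip
FROM --platform=arm64 baseimage as baseimage-build
"""
CONTINUED = r"""# constructed sample
from \
  --platform=$BUILDPLATFORM \
  baseimage AS build
"""

if __name__ == "__main__":
    for sample in (NON_COMPLIANT, CONTINUED):
        print(find_platform_overrides(sample))
```

Joining continuation lines before matching means a `FROM` split across several lines is still caught, while text that merely contains `FROM --platform` inside a `RUN` continuation or a comment is not reported.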

## Compliant Code Examples{% #compliant-code-examples %}

```dockerfile
FROM alpine:3.5
RUN apk add --update py2-pip
RUN pip install --upgrade pip
LABEL maintainer="SvenDowideit@home.org.au"
COPY requirements.txt /usr/src/app/
FROM baseimage as baseimage-build
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```dockerfile
FROM alpine:3.5
RUN apk add --update py2-pip
RUN pip install --upgrade pip
LABEL maintainer="SvenDowideit@home.org.au"
COPY requirements.txt /usr/src/app/
FROM --platform=arm64 baseimage as baseimage-build
```
