yum install allows manual input

Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > yum install allows manual input

Metadata

Id: 6e19193a-8753-436d-8a09-76dcff91bb03

Cloud Provider: Dockerfile

Platform: Dockerfile

Severity: Low

Category: Supply-Chain

Learn More

Provider Reference

Description

RUN instructions that invoke yum install without a non-interactive flag can prompt for user input during image builds, causing automated CI/CD pipelines to hang or produce inconsistent images when builds are completed manually.

Check Dockerfile RUN commands for invocations of yum install (including groupinstall or localinstall). The command must include a non-interactive flag such as -y, yes, or --assumeyes. This rule flags RUN entries where a yum install is detected but none of those flags are present. It applies to both single-string RUN commands and list-form RUN arguments.

Secure example:

RUN yum -y install curl

Compliant Code Examples

FROM alpine:3.5
RUN apk add --update py2-pip
RUN sudo yum install -y bundler
COPY requirements.txt /usr/src/app/
RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
COPY app.py /usr/src/app/
COPY templates/index.html /usr/src/app/templates/
EXPOSE 5000
CMD ["python", "/usr/src/app/app.py"]

Non-Compliant Code Examples

FROM alpine:3.5
RUN apk add --update py2-pip
RUN sudo yum install bundler
RUN ["sudo yum", "install", "bundler"]
COPY requirements.txt /usr/src/app/
RUN pip install --no-cache-dir -r /usr/src/app/requirements.txt
COPY app.py /usr/src/app/
COPY templates/index.html /usr/src/app/templates/
EXPOSE 5000
CMD ["python", "/usr/src/app/app.py"]