Use absolute paths or. use WORKDIR to switch directories

Docs > Datadog Security > Code Security > Static Code Analysis (SAST) > SAST Rules > Use absolute paths or. use WORKDIR to switch directories

Metadata

ID: docker-best-practices/use-absolute-paths

Language: Docker

Severity: Warning

Category: Best Practices

Description

This rule encourages the use of absolute paths or the WORKDIR instruction to change directories within Dockerfiles instead of chaining commands with cd. Using relative paths combined with cd in a single RUN instruction can lead to less readable and more error-prone code. It also makes it harder to track the current working directory during image builds.

To comply, either set the working directory explicitly using WORKDIR /path/to/directory before running commands or use absolute paths in instructions like RUN cp /source/file /destination/path. Avoid combining cd with other commands in a single RUN line, as this can cause unexpected behavior and complicate debugging.

Non-Compliant Code Examples

FROM busybox
RUN cd /usr/src/app && cp somedir/somefile ./someDirInUsrSrcApp/

FROM busybox
RUN cd /usr/src/app && git clone git@github.com:lukasmartinelli/hadolint.git

Compliant Code Examples

FROM busybox
RUN cp somedir/somefile /usr/src/app/someDirInUsrSrcApp/

FROM busybox
WORKDIR /usr/src/app
RUN git clone git@github.com:lukasmartinelli/hadolint.git

How to use this rule

1
2
rulesets:
  - docker-best-practices     # Rules to enforce Docker best practices.

Create a static-analysis.datadog.yml with the content above at the root of your repository
Use our free IDE Plugins or add Code Security scans to your CI pipelines
Get feedback on your code

For more information, please read the Code Security documentation

VS Code Extension

Identify code vulnerabilities directly in your
VS Code editor

JetBrains Plugin

Identify code vulnerabilities directly in
JetBrains products