Dockerfile is void of any update instructions

docker

Classification:

compliance

Framework:

cis-docker

Control:

4.7

Set up the docker integration.

Description

You should not run OS package manager update instructions such as apt-get update or yum update on their own, as a separate single-line RUN instruction in the Dockerfile.

Rationale

Docker caches the layer produced by each RUN instruction and reuses it on later builds when the instruction text and the parent layer are unchanged. An update instruction on its own line never changes, so its layer is served from the cache indefinitely: a later build that installs packages from that cached layer resolves against a stale package index and may never pick up fresh updates, including security fixes.

Audit

  1. Run this command to get the list of images: docker images
  2. Run this command against each image in the list above, looking for any layer whose command is an update instruction on its own, without an install in the same instruction: docker history <Image_ID>

Alternatively, if you have access to the Dockerfile for the image, you should verify that there are no update instructions configured as described above.

Remediation

You should combine the update instruction with the install instruction in the same RUN line, and pin the versions of the packages being installed. Because the cache key is the full instruction text, changing the install list or a pinned version invalidates the cached layer and forces the update to run again, so the required versions are actually fetched. Alternatively, you can pass the --no-cache flag to docker build to avoid using cached layers altogether.
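The following script is an added example, not part of the CIS benchmark text or of the Docker project. It shows a non-compliant Dockerfile beside the remediated form, and a small audit that applies the rule both to a Dockerfile (after joining backslash continuations) and to a built image via docker history. The sample Dockerfiles are constructed for this example; the pinned curl version is illustrative, and matching apt and dnf in addition to apt-get and yum is an assumption beyond the control text.

```shell
#!/bin/sh
# Added example for CIS Docker 4.7: detect package-manager update instructions
# that are not combined with an install in the same RUN instruction.
# Sample Dockerfiles below are constructed for this example.

BAD_DOCKERFILE='FROM debian:bookworm
# Separate RUN lines: the "apt-get update" layer is cached on its own and
# reused by later builds, so the install step resolves a stale package index.
RUN apt-get update
RUN apt-get install -y curl
'

GOOD_DOCKERFILE='FROM debian:bookworm
# One RUN line: update, pinned install and cleanup share a layer, so changing
# the install list or the pinned version re-runs the update as well.
# (curl=7.88.* is an illustrative pin, assumed for this example.)
RUN apt-get update \
    && apt-get install -y --no-install-recommends curl=7.88.* \
    && rm -rf /var/lib/apt/lists/*
'

# Read instructions on stdin, one per line, and print every one that runs a
# package-manager update without an install in the same instruction.
# Exit status is 1 if anything was flagged, 0 otherwise.
flag_update_only() {
  awk '
    /(apt-get|apt|yum|dnf)[ \t]+update/ &&
    !/(apt-get|apt|yum|dnf)[ \t]+install/ { print "FAIL: " $0; bad++ }
    END { exit (bad > 0) }
  '
}

# Join backslash-continued lines, keep only RUN instructions, then check them.
check_dockerfile() {
  awk '
    /\\[ \t]*$/ { sub(/\\[ \t]*$/, " "); buf = buf $0; next }
    { line = buf $0; buf = ""
      if (line ~ /^[ \t]*RUN[ \t]/) print line }
  ' "$1" | flag_update_only
}

# Same check against an already-built image: each layer created by a RUN
# instruction appears in docker history as its (untruncated) command line.
audit_image() {
  docker history --no-trunc --format '{{.CreatedBy}}' "$1" | flag_update_only
}

# Demonstration on the constructed samples (no Docker daemon needed).
demo_dir=$(mktemp -d)
printf '%s' "$BAD_DOCKERFILE" > "$demo_dir/Dockerfile.bad"
printf '%s' "$GOOD_DOCKERFILE" > "$demo_dir/Dockerfile.good"
check_dockerfile "$demo_dir/Dockerfile.bad"  || echo "Dockerfile.bad: non-compliant"
check_dockerfile "$demo_dir/Dockerfile.good" && echo "Dockerfile.good: compliant"
rm -rf "$demo_dir"
```

Run audit_image against each ID from docker images to cover the Audit step above; --no-trunc matters because docker history otherwise shortens long RUN commands and an install appended after the update could be cut off, producing a false positive.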

Impact

None

Default value

By default, Docker does not enforce any restrictions on using update instructions.

References

  1. https://docs.docker.com/engine/userguide/eng-image/dockerfile_best-practices/#run
  2. https://github.com/docker/docker/issues/3313

CIS controls

Version 6

18 Application Software Security