- D0:avoid-add-external
- D2:single-cmd
- D3:avoid-copy-all
- D5:no-debian-frontend
- D5:secret-aws-access-key
- D5:secret-aws-secret-access-key
- D6:questionable-expose
- D7:tagged-latest
- D7:tagged-latest-builder
- D9:formatting-labels
- D9:oci-labels
- D9:reserved-labels
- DA:maintainer-deprecated
- DC:apt-get-update-install
- DC:avoid-sudo
- DC:consider-multistage
- DC:curl-without-fail
- DC:gpg-without-batch
- DC:layered-ownership-change
- DC:minimize-layers
- DC:sort-installer-args
- DF:named-user
Avoid using ADD with external files or archives. Use COPY instead.
The ADD instruction supports pulling files over HTTP(S) and auto-extracts some archive formats. Docker's own best practices strongly encourage using COPY with a local file instead.
Priority: Critical
Analyzes: ADD
Only a single CMD instruction is supported
More than one CMD may indicate a programming error. Docker will run the last CMD instruction only, but this could be a security concern.
Priority: Critical
Analyzes: CMD
Avoid copying entire source directory into image
Explicitly copying sources helps avoid accidentally persisting secrets or other files that should not be shared.
Priority: High
Analyzes: COPY
Convert DEBIAN_FRONTEND to an ARG.
Avoid DEBIAN_FRONTEND, which affects derived images and docker run. Change this to an ARG.
This rule matches against the pattern \bDEBIAN_FRONTEND\b
Priority: Critical
Analyzes: ENV
Secrets shouldn't be hard-coded. You should remove and rotate any secrets.
This rule matches against the pattern \bAK[A-Z0-9]{18}\b
Priority: Critical
Analyzes: ENV
Secrets shouldn't be hard-coded. You should remove and rotate any secrets.
This rule matches against the pattern \b[A-Za-z0-9/+=]{40}\b
Priority: Critical
Analyzes: ENV
Avoid documenting EXPOSE with sensitive ports
The EXPOSE command is metadata and does not actually open ports. Documenting the intention to expose sensitive ports poses a security concern.
Priority: Low
Analyzes: EXPOSE
Avoid using images tagged as Latest in production builds
Docker best practices suggest avoiding latest images in production builds.
Priority: High
Analyzes: FROM
Avoid using images tagged as Latest in builder stages
Using latest images in builders is not recommended (builds are not repeatable).
Priority: Low
Analyzes: FROM
Label keys should be formatted correctly.
Label keys should begin and end with a lower-case letter and should only contain lower-case alphanumeric characters, the period character (.), and the hyphen character (-). Consecutive periods or hyphens are not allowed.
Priority: High
Analyzes: LABEL
Consider using the common annotations defined by the Open Container Initiative
The Open Container Initiative defines a common set of annotations which are exposed as labels on containers.
Priority: Medium
Analyzes: LABEL
You can't define labels which are reserved by Docker.
Docker reserves the following label namespaces: com.docker.*, io.docker.*, and org.dockerproject.*.
Priority: Critical
Analyzes: LABEL
MAINTAINER is deprecated
The MAINTAINER instruction is deprecated; use LABEL instead, which can be queried via docker inspect.
This rule matches against the pattern [[:graph:]]+
Priority: Low
Analyzes: MAINTAINER
You must perform apt-get update and install in the same RUN layer
Having apt-get update and apt-get install in separate RUN layers will break caching. Having install without update is not recommended. Include both commands in the same layer.
Priority: Critical
Analyzes: RUN
Avoid running root elevation tasks like sudo/su
Non-root users should avoid having sudo access in containers, as it has unpredictable TTY and signal-forwarding behavior that can cause problems. Consider using gosu instead.
Priority: Medium
Analyzes: RUN
Consider using multi-stage builds for complex operations like building code.
A multi-stage build can reduce the final image size by building necessary components or downloading large archives in a separate build context. This can help keep your final image lean.
Priority: Low
Analyzes: RUN, FROM
Avoid using curl without the silent failing option -f/--fail
Invoking curl without -f/--fail may result in incorrect, missing or stale data, which is a security concern. Ignore this rule only if you're handling server errors or verifying file contents separately.
Priority: Critical
Analyzes: RUN
GPG call without --batch (or --no-tty) may error.
Running GPG without --batch (or --no-tty) may cause GPG to fail opening /dev/tty, resulting in docker build failures.
Priority: Medium
Analyzes: RUN
Change ownership in the same layer as file operation (RUN or COPY)
In AUFS, ownership defined in an earlier layer cannot be overridden by a broader mask in a later layer.
This rule matches against the pattern [^ch(own|mod)\b]
Priority: Medium
Analyzes: RUN
Try to minimize the number of layers which increase image size
RUN, ADD, and COPY create new layers which may increase the size of the final image. Consider condensing these to fewer than 7 combined layers or use multi-stage builds where possible.
Priority: Low
Analyzes: RUN, ADD, COPY
Sort installed packages for package managers: apt-get, apk, npm, etc.
Sorting installed packages alphabetically prevents duplicates and simplifies maintainability.
Priority: Low
Analyzes: RUN
Reference a user by name rather than UID.
Reference a user by name to avoid maintenance or runtime issues with generated IDs.