Update instructions are used alone in a Dockerfile
Description
This rule detects whether OS package manager update instructions, such as apt-get update or yum update, are used on their own within Dockerfiles. Running an update instruction in its own RUN instruction (its own layer) causes that layer to be cached; subsequent builds reuse the cached, stale package index, so the packages installed in later layers may not receive the updates they should, potentially introducing vulnerabilities. Therefore, we recommend always combining update instructions with the package installation commands in the same RUN instruction.
Code Example
```dockerfile
- RUN apt-get update
+ RUN apt-get update && apt-get install -y <package-name>
```
Remediation
Docker
To mitigate this issue, combine the update command with the install command in a single RUN instruction. This ensures that the package index is refreshed and the packages are installed in the same layer, so the cache key for that layer changes whenever the install command changes.
Example:
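The following is an added example, not code from the page or from Checkov. It is a small Python checker that approximates the intent of this rule: it joins backslash-continued lines of a Dockerfile into logical RUN instructions and flags any RUN in which a package-manager update appears without an install in the same instruction. The sample Dockerfiles, the list of package managers and sub-commands, and the regular expressions are constructed assumptions for illustration and are not Checkov's exact matching logic.

```python
"""Flag Dockerfile RUN instructions that run a package-manager update on its own.

Added example, not the page's or Checkov's code. It approximates CKV_DOCKER_5:
an update in a RUN layer that installs nothing is cached and goes stale.
"""
import re

# Constructed sample Dockerfiles (not from the original page).
BAD_DOCKERFILE = """\
FROM ubuntu:22.04
RUN apt-get update
RUN apt-get install -y curl
"""

GOOD_DOCKERFILE = """\
FROM ubuntu:22.04
# update and install share one layer; the list cleanup keeps the image small
RUN apt-get update && \\
    apt-get install -y --no-install-recommends curl \\
    && rm -rf /var/lib/apt/lists/*
"""

YUM_DOCKERFILE = """\
FROM centos:7
RUN yum update -y
RUN yum install -y curl
"""

# Package managers and sub-commands (assumption: illustrative, not Checkov's exact list).
PKG_MANAGERS = r"(?:apt-get|apt|yum|dnf|zypper|apk)"
FLAGS = r"(?:\s+-{1,2}\S+)*"  # tolerate options before the sub-command, e.g. apt-get -y update
UPDATE_RE = re.compile(rf"\b{PKG_MANAGERS}{FLAGS}\s+(?:update|check-update|refresh)\b")
INSTALL_RE = re.compile(rf"\b{PKG_MANAGERS}{FLAGS}\s+(?:install|add|upgrade|dist-upgrade)\b")


def logical_lines(text):
    """Return (first_line_number, instruction) pairs, joining backslash continuations.

    Blank lines and '#' comments are skipped, including comments that Docker
    allows inside a continued instruction.
    """
    out = []
    current, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if start is None:
            start = n
        if stripped.endswith("\\"):
            current += stripped[:-1].rstrip() + " "
            continue
        current += stripped
        out.append((start, current))
        current, start = "", None
    if current:  # file ended while a continuation was still open
        out.append((start, current.rstrip()))
    return out


def check_update_alone(text):
    """Return [(line_number, shell_command)] for every RUN whose update has no install."""
    findings = []
    for lineno, inst in logical_lines(text):
        parts = inst.split(None, 1)
        if len(parts) < 2 or parts[0].upper() != "RUN":
            continue
        cmd = parts[1]
        if UPDATE_RE.search(cmd) and not INSTALL_RE.search(cmd):
            findings.append((lineno, cmd))
    return findings


if __name__ == "__main__":
    samples = (("bad", BAD_DOCKERFILE), ("good", GOOD_DOCKERFILE), ("yum", YUM_DOCKERFILE))
    for name, text in samples:
        for lineno, cmd in check_update_alone(text):
            print(f"{name}: line {lineno}: update instruction used alone: {cmd}")
```

The "good" sample also removes `/var/lib/apt/lists/*` in the same RUN; that is a size optimisation, not part of this rule, but it only works safely when update and install already share the layer, which is another reason to keep them together.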
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0838 |
| Severity | LOW |
| IaC Type | dockerfile |
| Frameworks | Docker |
| Checkov ID | CKV_DOCKER_5 |