Property
Language: terraform
Severity: high
Vulnerability Type: omission

Description

Running the package index update (‘RUN update’) as its own Dockerfile instruction, separate from the install step, leaves the updated index in a cached layer. On a later rebuild (for example after the install line is changed), Docker reuses that cached layer instead of refreshing the index, so the install step resolves packages against a stale index and can pull outdated or vulnerable versions. The update and install commands should be combined in a single RUN instruction so that they are always executed together.

Impact

Separating the update and install steps can result in outdated or insecure packages being installed when the Docker image is rebuilt, because the cached package list may have become stale. This increases the risk of deploying containers with unpatched vulnerabilities, potentially exposing the application to exploits and compromising system integrity.

Resolution

Combine the package-manager ‘update’ and ‘install’ commands into a single RUN instruction.
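As an added illustration (not part of the original rule page), the following Python script flags RUN instructions that refresh the package index without installing anything in the same layer. It assumes Debian/Alpine-style package managers (apt-get, apt, apk) and uses two constructed Dockerfiles, one with the split steps and one with the combined form.

```python
import re

# Constructed sample inputs (not from the original page).
BAD_DOCKERFILE = """\
FROM debian:bookworm-slim
RUN apt-get update
RUN apt-get install -y curl
"""

GOOD_DOCKERFILE = """\
FROM debian:bookworm-slim
RUN apt-get update && apt-get install -y --no-install-recommends curl \\
    && rm -rf /var/lib/apt/lists/*
"""

# Assumed set of package managers whose "update" only refreshes the index.
UPDATE_RE = re.compile(r"\b(apt-get|apt|apk)\s+update\b")
INSTALL_RE = re.compile(r"\b(apt-get|apt|apk)\s+(install|add)\b")


def run_instructions(dockerfile: str):
    """Yield (line_no, command) for each RUN instruction, joining
    backslash-continued lines so a multi-line RUN is seen as one layer."""
    parts, start = [], None
    for no, raw in enumerate(dockerfile.splitlines(), 1):
        line = raw.rstrip()
        if start is None:
            if not line.strip() or line.lstrip().startswith("#"):
                continue
            start = no
        cont = line.endswith("\\")
        parts.append(line[:-1] if cont else line)
        if not cont:
            cmd = " ".join(p.strip() for p in parts)
            if cmd.upper().startswith("RUN "):
                yield start, cmd[4:]
            parts, start = [], None


def find_split_update(dockerfile: str):
    """Return line numbers of RUN layers that run the index update
    without an install in the same layer (the cached-layer hazard)."""
    return [no for no, cmd in run_instructions(dockerfile)
            if UPDATE_RE.search(cmd) and not INSTALL_RE.search(cmd)]


if __name__ == "__main__":
    print("bad:", find_split_update(BAD_DOCKERFILE))    # [2]
    print("good:", find_split_update(GOOD_DOCKERFILE))  # []
```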