Products
In-IDE
IDE extension that lets you fix coding issues before they exist!
Discover SonarLint
SaaS
Setup is effortless and analysis is automatic for most languages
Discover SonarCloud
Self-Hosted
Fast, accurate analysis; enterprise scalability
Discover SonarQube

Docker static code analysis

Unique rules to find Bugs, Vulnerabilities, Security Hotspots, and Code Smells in your DOCKER code

Installing unnecessary packages is security-sensitive

Security Hotspot

MinorSonarSource default severity
click to learn more

Installing unnecessary dependencies can lead to additional vulnerabilities in the Docker image.

Unnecessary dependencies are installed via a known Debian package manager. These unused dependencies might contain vulnerabilities, thus weakening the overall security posture of the created containers.
Depending on the introduced vulnerabilities, a malicious actor accessing such a container could use these for privilege escalation.
Removing the unused dependencies can also significantly reduce your Docker image size.

To be secure, remove the unused dependencies where possible and ensure images are subject to routine vulnerability scans.

Ask Yourself Whether

Container vulnerability scans are not performed.

There is a risk if you answered yes to the question.

Recommended Secure Coding Practices

Avoid installing package dependencies that are not strictly required.

Sensitive Code Example

# Sensitive
RUN apt install -y build-essential

# Sensitive
RUN apt-get install -y build-essential

# Sensitive
RUN aptitude install -y build-essential

Compliant Solution

RUN apt install -y --no-install-recommends build-essential

RUN apt-get install -y --no-install-recommends build-essential

RUN aptitude install -y --without-recommends build-essential

See

Debian Documentation - Binary Dependencies
Ubuntu Blog - Container size reduction

Available In:

In-IDE

SaaS

Self-Hosted