Products
In-IDE
IDE extension that lets you fix coding issues before they exist!
Discover SonarQube for IDE
SaaS
Setup is effortless and analysis is automatic for most languages
Discover SonarQube Cloud
Self-Hosted
Fast, accurate analysis; enterprise scalability
Discover SonarQube Server

Secrets
ABAP
Ansible
Apex
AzureResourceManager
C
C#
C++
CloudFormation
COBOL
CSS
Dart
Docker
Flex
Go
HTML
Java
JavaScript
JCL
Kotlin
Kubernetes
Objective C
PHP
PL/I
PL/SQL
Python
RPG
Ruby
Rust
Scala
Swift
Terraform
Text
TypeScript
T-SQL
VB.NET
VB6
XML

Docker static code analysis

Unique rules to find Vulnerabilities, Security Hotspots, and Code Smells in your DOCKER code

Tags

Impact

Clean code attribute

Reduce the amount of consecutive RUN instructions
Code Smell
Malformed JSON in Exec form leads to unexpected behavior
Bug
Prefer COPY over ADD for copying local resources
Code Smell
Descriptive labels are mandatory
Code Smell
Use ADD instruction to retrieve remote resources
Code Smell
Use digest to pin versions of base images
Code Smell
WORKDIR instruction should only be used with absolute path
Code Smell
Too long RUN instruction should be split into multiple lines
Code Smell
Prefer Exec form for ENTRYPOINT and CMD instructions
Code Smell
Arguments in long RUN instructions should be sorted
Code Smell
"WORKDIR" instruction should be used instead of "cd" commands
Code Smell
Specific version tag for image should be used
Code Smell
Package update should not be executed without installing it
Code Smell
Dockerfile should only have one ENTRYPOINT and CMD instruction
Bug
Cache should be cleaned after package installation
Code Smell
Deprecated instructions should not be used
Code Smell
Consent flag should be set to avoid manual input
Code Smell
Environment variables should not be unset on a different layer than they were set
Code Smell
Access variable which is not available in the current scope
Bug
A space before the equal sign in key-value pair may lead to unintended behavior
Bug
Expanded filenames should not become options
Code Smell
Double quote to prevent globbing and word splitting
Code Smell
Allowing downgrades to a clear-text protocol is security-sensitive
Security Hotspot
Allowing shell scripts execution during package installation is security-sensitive
Security Hotspot
Allowing non-root users to modify resources copied to an image is security-sensitive
Security Hotspot
Disabling builder sandboxes is security-sensitive
Security Hotspot
Automatically installing recommended packages is security-sensitive
Security Hotspot
Pulling an image based on its digest is security-sensitive
Security Hotspot
Instructions should be upper case
Code Smell
Exposing administration services in containers is security-sensitive
Security Hotspot
Using ENV or ARG to handle secrets is security-sensitive
Security Hotspot
Running containers as a privileged user is security-sensitive
Security Hotspot
Recursively copying context directories is security-sensitive
Security Hotspot
Permissions of sensitive mount points should be restrictive
Vulnerability
Credentials should not be hard-coded
Vulnerability
Using host operating system namespaces is security-sensitive
Security Hotspot
Using clear-text protocols is security-sensitive
Security Hotspot
Server certificates should be verified during SSL/TLS connections
Vulnerability
Using weak hashing algorithms is security-sensitive
Security Hotspot
Delivering code in production with debug features activated is security-sensitive
Security Hotspot
Weak SSL/TLS protocols should not be used
Vulnerability
Setting loose POSIX file permissions is security-sensitive
Security Hotspot
Dockerfile parsing failure
Code Smell
Track uses of "TODO" tags
Code Smell

Automatically installing recommended packages is security-sensitive

responsibility - trustworthy

security

Security Hotspot

dockerfile

Installing recommended packages automatically can lead to vulnerabilities in the Docker image.

Potentially unnecessary packages are installed via a known Debian package manager. These packages will increase the attack surface of the created container as they might contain unidentified vulnerabilities or malicious code. Those packages could be used as part of a broader supply chain attack. In general, the more packages are installed in a container, the weaker its security posture is.
Depending on the introduced vulnerabilities, a malicious actor accessing such a container could use these for privilege escalation.
Removing unused packages can also significantly reduce your Docker image size.

To be secure, remove unused packages where possible and ensure images are subject to routine vulnerability scans.

Ask Yourself Whether

Container vulnerability scans are not performed.

There is a risk if you answered yes to the question.

Recommended Secure Coding Practices

Avoid installing package dependencies that are not strictly required.

Sensitive Code Example

FROM ubuntu:22.04

# Sensitive
RUN apt install -y build-essential

# Sensitive
RUN apt-get install -y build-essential

# Sensitive
RUN aptitude install -y build-essential

Compliant Solution

FROM ubuntu:22.04

RUN apt --no-install-recommends install -y build-essential

RUN apt-get --no-install-recommends install -y build-essential

RUN aptitude --without-recommends install -y build-essential

See

Debian Documentation - Binary Dependencies
Ubuntu Blog - Container size reduction

Available In:

Catch issues on the fly,
in your IDE

Detect issues in your GitHub, Azure DevOps Services, Bitbucket Cloud, GitLab repositories

Analyze code in your
on-premise CI

Available Since
10.0

Analyze code in your
on-premise CI

Developer Edition
Available Since
10.0

© 2008-2025 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARQUBE, and CLEAN AS YOU CODE are trademarks of SonarSource SA.

Sonar helps developers write Clean Code.
Privacy Policy | Cookie Policy | Terms of Use

In-IDE

SaaS

Self-Hosted