Back to catalog

Docker CIS 4.7: Alert on Update Instruction

No violationsstackroxlowbuilddeploy

Ensure update instructions are not used alone in the Dockerfile

Rationale
Adding update instructions in a single line on the Dockerfile will cause the update layer to be cached. When you then build any image later using the same instruction, this will cause the previously cached update layer to be used, potentially preventing any fresh updates from being applied to later builds.
Remediation
Use update instructions together with install instructions and version pinning for packages while installing them. This prevents caching and forces the extraction of the required versions.
CategoriesDocker CIS
Compliance mappingsView coverage →
DORA EU 2022/2554
Art. 9.2
ISO/IEC 27001 2022
A.8.25A.8.9
NIST SP 800-53 rev. 5
CM-2
PCI DSS 4.0
2.2.1

Generated artifacts

1 of 5 targets supported
docker-cis-4-7-alert-on-update-instruction.rego
# Docker CIS 4.7: Alert on Update Instruction (trivy)
# severity: low
# source: stackrox/9a91b4de-d52e-4d4d-a65e-1e785c3501b1
package trivy.docker_cis_4_7_alert_on_update_instruction

deny[msg] {
  # rule 1
  some inst
  inst := input.Misconfigurations[_].Message
  contains(inst, {"RUN=(/bin/sh -c)?\s*apk update\s*", "RUN=(/bin/sh -c)?\s*apt update\s*", "RUN=(/bin/sh -c)?\s*apt-get update\s*", "RUN=(/bin/sh -c)?\s*yum update\s*"}[_])
  msg := "[low] Docker CIS 4.7: Alert on Update Instruction: Ensure update instructions are not used alone in the Dockerfile"
}
IR (canonical)
{
  "id": "9a91b4de-d52e-4d4d-a65e-1e785c3501b1",
  "name": "Docker CIS 4.7: Alert on Update Instruction",
  "description": "Ensure update instructions are not used alone in the Dockerfile",
  "rationale": "Adding update instructions in a single line on the Dockerfile will cause the update layer to be cached. When you then build any image later using the same instruction, this will cause the previously cached update layer to be used, potentially preventing any fresh updates from being applied to later builds.",
  "remediation": "Use update instructions together with install instructions and version pinning for packages while installing them. This prevents caching and forces the extraction of the required versions.",
  "severity": "low",
  "categories": [
    "Docker CIS"
  ],
  "lifecycle": [
    "build",
    "deploy"
  ],
  "eventSource": "none",
  "scope": [],
  "exclusions": [
    {
      "name": "Don't alert on StackRox services",
      "namespace": "stackrox"
    }
  ],
  "enforcement": {
    "failBuild": false
  },
  "expression": {
    "op": "criterion",
    "field": "dockerfile-line",
    "values": [
      "RUN=(/bin/sh -c)?\\s*apk update\\s*",
      "RUN=(/bin/sh -c)?\\s*apt update\\s*",
      "RUN=(/bin/sh -c)?\\s*apt-get update\\s*",
      "RUN=(/bin/sh -c)?\\s*yum update\\s*"
    ],
    "valuesOp": "or",
    "negate": false
  },
  "disabled": false
}
Original StackRox JSON
{
  "id": "9a91b4de-d52e-4d4d-a65e-1e785c3501b1",
  "name": "Docker CIS 4.7: Alert on Update Instruction",
  "description": "Ensure update instructions are not used alone in the Dockerfile",
  "rationale": "Adding update instructions in a single line on the Dockerfile will cause the update layer to be cached. When you then build any image later using the same instruction, this will cause the previously cached update layer to be used, potentially preventing any fresh updates from being applied to later builds.",
  "remediation": "Use update instructions together with install instructions and version pinning for packages while installing them. This prevents caching and forces the extraction of the required versions.",
  "disabled": false,
  "categories": [
    "Docker CIS"
  ],
  "lifecycleStages": [
    "BUILD",
    "DEPLOY"
  ],
  "eventSource": "NOT_APPLICABLE",
  "exclusions": [
    {
      "name": "Don't alert on StackRox services",
      "deployment": {
        "name": "",
        "scope": {
          "cluster": "",
          "namespace": "stackrox",
          "label": null
        }
      },
      "image": null
    }
  ],
  "scope": [],
  "severity": "LOW_SEVERITY",
  "enforcementActions": [],
  "policySections": [
    {
      "sectionName": "",
      "policyGroups": [
        {
          "fieldName": "Dockerfile Line",
          "booleanOperator": "OR",
          "negate": false,
          "values": [
            {
              "value": "RUN=(/bin/sh -c)?\\s*apk update\\s*"
            },
            {
              "value": "RUN=(/bin/sh -c)?\\s*apt update\\s*"
            },
            {
              "value": "RUN=(/bin/sh -c)?\\s*apt-get update\\s*"
            },
            {
              "value": "RUN=(/bin/sh -c)?\\s*yum update\\s*"
            }
          ]
        }
      ]
    }
  ],
  "notifiers": [],
  "lastUpdated": null,
  "SORTName": "",
  "SORTLifecycleStage": "",
  "SORTEnforcement": false,
  "policyVersion": "1.1",
  "mitreAttackVectors": [],
  "criteriaLocked": true,
  "mitreVectorsLocked": true,
  "isDefault": true,
  "source": "IMPERATIVE"
}