Docker CIS 4.7: Alert on Update Instruction
No violationsstackroxlowbuilddeployEnsure update instructions are not used alone in the Dockerfile
- Rationale
- Adding update instructions in a single line on the Dockerfile will cause the update layer to be cached. When you then build any image later using the same instruction, this will cause the previously cached update layer to be used, potentially preventing any fresh updates from being applied to later builds.
- Remediation
- Use update instructions together with install instructions and version pinning for packages while installing them. This prevents caching and forces the extraction of the required versions.
CategoriesDocker CIS
Compliance mappingsView coverage →
- DORA EU 2022/2554
- Art. 9.2
- ISO/IEC 27001 2022
- A.8.25A.8.9
- NIST SP 800-53 rev. 5
- CM-2
- PCI DSS 4.0
- 2.2.1
Generated artifacts
1 of 5 targets supporteddocker-cis-4-7-alert-on-update-instruction.rego
# Docker CIS 4.7: Alert on Update Instruction (trivy)
# severity: low
# source: stackrox/9a91b4de-d52e-4d4d-a65e-1e785c3501b1
package trivy.docker_cis_4_7_alert_on_update_instruction
deny[msg] {
# rule 1
some inst
inst := input.Misconfigurations[_].Message
contains(inst, {"RUN=(/bin/sh -c)?\s*apk update\s*", "RUN=(/bin/sh -c)?\s*apt update\s*", "RUN=(/bin/sh -c)?\s*apt-get update\s*", "RUN=(/bin/sh -c)?\s*yum update\s*"}[_])
msg := "[low] Docker CIS 4.7: Alert on Update Instruction: Ensure update instructions are not used alone in the Dockerfile"
}
IR (canonical)
{
"id": "9a91b4de-d52e-4d4d-a65e-1e785c3501b1",
"name": "Docker CIS 4.7: Alert on Update Instruction",
"description": "Ensure update instructions are not used alone in the Dockerfile",
"rationale": "Adding update instructions in a single line on the Dockerfile will cause the update layer to be cached. When you then build any image later using the same instruction, this will cause the previously cached update layer to be used, potentially preventing any fresh updates from being applied to later builds.",
"remediation": "Use update instructions together with install instructions and version pinning for packages while installing them. This prevents caching and forces the extraction of the required versions.",
"severity": "low",
"categories": [
"Docker CIS"
],
"lifecycle": [
"build",
"deploy"
],
"eventSource": "none",
"scope": [],
"exclusions": [
{
"name": "Don't alert on StackRox services",
"namespace": "stackrox"
}
],
"enforcement": {
"failBuild": false
},
"expression": {
"op": "criterion",
"field": "dockerfile-line",
"values": [
"RUN=(/bin/sh -c)?\\s*apk update\\s*",
"RUN=(/bin/sh -c)?\\s*apt update\\s*",
"RUN=(/bin/sh -c)?\\s*apt-get update\\s*",
"RUN=(/bin/sh -c)?\\s*yum update\\s*"
],
"valuesOp": "or",
"negate": false
},
"disabled": false
}Original StackRox JSON
{
"id": "9a91b4de-d52e-4d4d-a65e-1e785c3501b1",
"name": "Docker CIS 4.7: Alert on Update Instruction",
"description": "Ensure update instructions are not used alone in the Dockerfile",
"rationale": "Adding update instructions in a single line on the Dockerfile will cause the update layer to be cached. When you then build any image later using the same instruction, this will cause the previously cached update layer to be used, potentially preventing any fresh updates from being applied to later builds.",
"remediation": "Use update instructions together with install instructions and version pinning for packages while installing them. This prevents caching and forces the extraction of the required versions.",
"disabled": false,
"categories": [
"Docker CIS"
],
"lifecycleStages": [
"BUILD",
"DEPLOY"
],
"eventSource": "NOT_APPLICABLE",
"exclusions": [
{
"name": "Don't alert on StackRox services",
"deployment": {
"name": "",
"scope": {
"cluster": "",
"namespace": "stackrox",
"label": null
}
},
"image": null
}
],
"scope": [],
"severity": "LOW_SEVERITY",
"enforcementActions": [],
"policySections": [
{
"sectionName": "",
"policyGroups": [
{
"fieldName": "Dockerfile Line",
"booleanOperator": "OR",
"negate": false,
"values": [
{
"value": "RUN=(/bin/sh -c)?\\s*apk update\\s*"
},
{
"value": "RUN=(/bin/sh -c)?\\s*apt update\\s*"
},
{
"value": "RUN=(/bin/sh -c)?\\s*apt-get update\\s*"
},
{
"value": "RUN=(/bin/sh -c)?\\s*yum update\\s*"
}
]
}
]
}
],
"notifiers": [],
"lastUpdated": null,
"SORTName": "",
"SORTLifecycleStage": "",
"SORTEnforcement": false,
"policyVersion": "1.1",
"mitreAttackVectors": [],
"criteriaLocked": true,
"mitreVectorsLocked": true,
"isDefault": true,
"source": "IMPERATIVE"
}