
SQ41103

Detected container images that use CMD instructions in shell form.

priority | CI/CD status | severity | effort | SAFE level | SAFE assessment
 | pass | low | low | None | hardening: warning
Reason: unsafe container build commands

About the issue

Containers typically run in one of two modes, as executables or as services. Regardless of how they are used, they are usually configured with a default command to be executed when instantiated, to run a particular program or start a service. The Dockerfile is a sequence of instructions that defines how an image should be built, and the default command can be set with the CMD instruction. The CMD instruction accepts two forms: shell and exec. When the CMD instruction is used in shell form, the command is executed inside a new shell process rather than directly as the container's main process. This can cause problems with container and process signal handling, or cause inadvertent shell processing, such as variable substitution or expansion. It is recommended to use the exec form.

How to resolve the issue

  • Convert the CMD instruction into its exec form.
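As an added example (not ReversingLabs' or Spectra Assure's own detection code), a small Python checker for the condition this policy describes: it joins Dockerfile line continuations, skips comments, flags every CMD that is not in exec form, and proposes the exec form, keeping an explicit `sh -c` only where the command relies on shell features such as variable expansion or pipes. The sample Dockerfile text is constructed.

```python
import json
import re
import shlex

SHELL_OPERATORS = set("();<>|&")   # unquoted, shlex splits these out as separate tokens
EXPANSION_CHARS = "$*?`"           # variable expansion, globbing, command substitution

def logical_lines(dockerfile_text):
    """Yield (line_number, instruction) with continuations joined, comments skipped."""
    buf, start = [], None
    for number, raw in enumerate(dockerfile_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if start is None:
            start = number
        if line.endswith("\\"):          # backslash continuation: keep accumulating
            buf.append(line[:-1].rstrip())
            continue
        buf.append(line)
        yield start, " ".join(buf)
        buf, start = [], None

def exec_form_for(shell_args):
    """Exec-form argv for a shell-form CMD; commands that need shell features keep
    a shell, but an explicit `sh -c` rather than the implicit one."""
    try:
        lex = shlex.shlex(shell_args, posix=True, punctuation_chars=True)
        lex.whitespace_split = True
        tokens = [t for t in lex if t]
    except ValueError:                   # unbalanced quotes: only a shell can run this
        return ["sh", "-c", shell_args]
    uses_shell = any(set(t) <= SHELL_OPERATORS for t in tokens) or any(
        c in t for t in tokens for c in EXPANSION_CHARS)
    return ["sh", "-c", shell_args] if uses_shell else tokens

def check_cmd_form(dockerfile_text):
    """Return one (line_number, original, suggested) tuple per shell-form CMD."""
    findings = []
    for number, text in logical_lines(dockerfile_text):
        match = re.match(r"(?i)^CMD\s+(.*)$", text)
        if not match:
            continue
        args = match.group(1).strip()
        if args.startswith("["):         # already exec form (a JSON array): compliant
            continue
        findings.append((number, text, "CMD " + json.dumps(exec_form_for(args))))
    return findings

# Constructed sample Dockerfile (not from the page): a shell-form CMD split over two lines.
SAMPLE = "FROM python:3.12-slim\nCOPY app.py /app/\nCMD python /app/app.py \\\n    --port 8080\n"
```

Calling check_cmd_form(SAMPLE) reports line 3 and suggests CMD ["python", "/app/app.py", "--port", "8080"]; the heuristic is conservative, so a command mixing quoted metacharacters with real shell syntax is still handed to an explicit sh -c.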

Incidence statistics

ReversingLabs periodically collects and analyzes the contents of popular software package repositories for threat research purposes. Analysis results are used to calculate incidence statistics for issues (policy violations) that Spectra Assure can detect in software packages.

This section is updated when new data becomes available.

Total number of packages analyzed

  • RubyGems: 183K
  • NuGet: 644K
  • PyPI: 628K
  • NPM: 3.72M

Statistics are not collected for the SQ41103 policy at this time, or are not applicable to this type of issue.