SQ41103

Detected container images that use CMD instructions in shell form.

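| priority | CI/CD status | severity | effort | RL level | RL assessment |
|----------|--------------|----------|--------|----------|---------------|
|          | pass         | low      | low    | None     | None          |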

About the issue

Containers typically run in one of two modes: as executables or as services. Regardless of how they are used, they are usually configured with a default command that is executed when the container is instantiated, to run a particular program or start a service. The Dockerfile is a sequence of instructions that defines how an image should be built, and the default command can be set with the CMD instruction. The CMD instruction accepts two forms: shell and exec. When the CMD instruction is used in shell form, the command is executed within a new shell instance. This can cause problems with container and process signal handling, or cause inadvertent shell processing, such as variable substitution or expansion. It is recommended to use the exec form.

How to resolve the issue

  • Convert the CMD instruction into its exec form.
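
One way to find CMD instructions that need converting, as an added example (not the scanner's own logic or code from this page): a small Dockerfile check that treats a CMD as exec form only when its arguments parse as a JSON array of strings, which is why a single-quoted array still counts as shell form. The function names and the sample Dockerfile are constructed for illustration, and the default `\` escape character is assumed.

```python
import json
import re

# Constructed sample: three stages with shell form, a single-quoted
# array (still shell form), and a proper exec form split over two lines.
SAMPLE = """\
FROM alpine:3.19
# default command for the first stage
CMD nginx -g "daemon off;"
FROM alpine:3.19
CMD ['nginx', '-g', 'daemon off;']
FROM alpine:3.19
CMD ["nginx", "-g", \\
     "daemon off;"]
"""

def logical_lines(text):
    """Yield (first_line_no, instruction) with '\\' continuations joined."""
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no instruction
        start = start or no
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, buf + line
        buf, start = "", 0

def cmd_form(args):
    """Return 'exec' for a JSON array of strings, otherwise 'shell'."""
    try:
        parsed = json.loads(args)
    except ValueError:
        return "shell"  # not valid JSON, so it is run through a shell
    if isinstance(parsed, list) and all(isinstance(a, str) for a in parsed):
        return "exec"
    return "shell"

def find_shell_form_cmd(text):
    """Return [(line_no, arguments)] for every CMD written in shell form."""
    findings = []
    for no, instr in logical_lines(text):
        m = re.match(r"(?i)CMD\s+(.*)", instr)
        if m and cmd_form(m.group(1)) == "shell":
            findings.append((no, m.group(1)))
    return findings

if __name__ == "__main__":
    for no, args in find_shell_form_cmd(SAMPLE):
        print(f"line {no}: shell-form CMD: {args}")
```

Each reported line is resolved by rewriting the arguments as a double-quoted JSON array, as in the third stage of the sample.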