
SQ41104

Detected container images with multiple CMD instructions.

priority | CI/CD status | severity | effort | RL level | RL assessment
         | pass         | low      | low    | None     | None

About the issue

Containers typically run in one of two modes, as executables or as services. Either way, an image is usually configured with a default command that is executed when a container is instantiated, to run a particular program or start a service. A Dockerfile is a sequence of instructions that defines how an image is built, and the default command is set with the CMD instruction. Only one CMD instruction is needed. If a Dockerfile contains several, only the last one takes effect; the earlier ones never run, and the Dockerfile becomes harder to read and maintain.
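The following is an added example, not ReversingLabs code, that reproduces the check described above on a constructed Dockerfile: it parses the file into logical instructions (joining backslash continuations, skipping comments and blank lines, matching CMD case-insensitively), then reports every CMD instruction and which one actually takes effect. The two Dockerfile texts are constructed samples; the second is the corrected form with a single CMD.

```python
"""Flag Dockerfiles that declare CMD more than once (added example)."""
import re

# Constructed sample: two CMD instructions, so only the last one (line 8) is used.
DUPLICATE_CMD = """\
FROM python:3.12-slim
WORKDIR /app
COPY . .
RUN pip install --no-cache-dir \\
    -r requirements.txt
CMD ["python", "worker.py"]
# A later edit added a second CMD, so the one above never runs.
cmd ["python", \\
     "app.py"]
"""

# Constructed sample: the corrected Dockerfile with a single CMD.
SINGLE_CMD = """\
FROM python:3.12-slim
WORKDIR /app
COPY . .
RUN pip install --no-cache-dir -r requirements.txt
CMD ["python", "app.py"]
"""

_INSTRUCTION = re.compile(r"^\s*([A-Za-z]+)\b")


def parse_instructions(dockerfile_text):
    """Return [(start_line, KEYWORD, full_text)] for each logical instruction.

    Joins '\\' line continuations, ignores blank lines and '#' comments
    (Docker also ignores comment lines placed inside a continued instruction).
    """
    result, buf, start = [], [], None

    def flush():
        text = " ".join(part.strip() for part in buf)
        match = _INSTRUCTION.match(text)
        if match:
            result.append((start, match.group(1).upper(), text))
        buf.clear()

    for lineno, raw in enumerate(dockerfile_text.splitlines(), start=1):
        line = raw.rstrip()
        stripped = line.strip()
        if not buf:
            if not stripped or stripped.startswith("#"):
                continue
            start = lineno
        elif stripped.startswith("#"):
            continue
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        flush()
    if buf:  # continuation left open at end of file
        flush()
    return result


def find_cmd_instructions(dockerfile_text):
    """Return [(line, text)] for every CMD instruction, in file order."""
    return [(n, t) for n, kw, t in parse_instructions(dockerfile_text) if kw == "CMD"]


def check_multiple_cmd(dockerfile_text):
    """Return a list of findings; an empty list means the Dockerfile passes."""
    cmds = find_cmd_instructions(dockerfile_text)
    if len(cmds) <= 1:
        return []
    effective_line = cmds[-1][0]
    findings = [f"{len(cmds)} CMD instructions found; only line {effective_line} takes effect"]
    for line, text in cmds[:-1]:
        findings.append(f"line {line}: dead instruction: {text}")
    return findings


if __name__ == "__main__":
    for name, text in (("DUPLICATE_CMD", DUPLICATE_CMD), ("SINGLE_CMD", SINGLE_CMD)):
        findings = check_multiple_cmd(text)
        print(f"{name}: {'PASS' if not findings else 'FAIL'}")
        for finding in findings:
            print("  " + finding)
```

Run against a real Dockerfile by reading its contents into `check_multiple_cmd`; the dead-instruction lines it reports are the ones to delete, leaving the single CMD that already takes effect.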

How to resolve the issue

  • Remove any duplicate CMD instructions from your Dockerfile.

Incidence statistics

ReversingLabs periodically collects and analyzes the contents of popular software package repositories for threat research purposes.

For every repository, the chart shows the percentage of projects that triggered the software assurance policy. In other words, it shows how many projects were found to have the specific issue described on this page.

The percentages are calculated from the total amount of packages analyzed:

  • RubyGems: 174K
  • NuGet: 189K
  • PyPI: 403K
  • npm: 2.1M