SQ41106
Detected container images with COPY commands whose target is a relative path without WORKDIR set.

| priority | CI/CD status | severity | effort | SAFE level | SAFE assessment |
|---|---|---|---|---|---|
| | pass | low | low | None | hardening: warning (Reason: unsafe container build commands) |
About the issue
Containers typically run in one of two modes, as executables or as services. In either case they need one or more executables, plus the data and configuration files and other dependencies and environment-specific files required to run those executables. A Dockerfile is a sequence of instructions that defines how an image is built. The ADD and COPY instructions include external content in an image layer, while the WORKDIR instruction sets the working directory for the instructions that follow it. When using COPY, set the working directory explicitly with WORKDIR first, and avoid relative destination paths, which are hard to read, troubleshoot and maintain.
How to resolve the issue
- Inspect your Dockerfile for any loose working directory change commands (such as `RUN cd ..`) and replace them with WORKDIR.
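As an added example (not part of this page and not Spectra Assure's own detection logic), the following Python checker implements the check this policy describes: it walks a Dockerfile's instructions, tracks whether WORKDIR has been set in the current build stage (a new FROM resets it), flags COPY/ADD with a relative destination before any WORKDIR, and flags RUN lines that change directory with cd. Both sample Dockerfiles are constructed for the example.

```python
import re

# Constructed sample: COPY to a relative destination before any WORKDIR,
# a "loose" RUN cd, then a second stage that does it correctly.
BAD_DOCKERFILE = """\
FROM python:3.12-slim AS build
COPY requirements.txt ./
RUN cd /tmp && pip install -r /app/requirements.txt

FROM python:3.12-slim
WORKDIR /app
COPY --from=build /app .
COPY src/ src/
"""

# Constructed sample: WORKDIR set first, relative paths resolve against it.
GOOD_DOCKERFILE = """\
FROM python:3.12-slim
WORKDIR /app
COPY requirements.txt ./
RUN pip install -r requirements.txt
COPY src/ src/
"""

def instructions(text):
    """Yield (lineno, KEYWORD, args); comments skipped, backslash continuations folded."""
    buf, start = "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not buf:
            start = n
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        kw, _, args = buf.partition(" ")
        yield start, kw.upper(), args.strip()
        buf = ""

def check_dockerfile(text):
    """Return findings as (lineno, message). Shell-form COPY/ADD only (no JSON array form)."""
    findings, workdir_set = [], False
    for n, kw, args in instructions(text):
        if kw == "FROM":
            workdir_set = False          # each stage starts with no WORKDIR
        elif kw == "WORKDIR":
            workdir_set = True
        elif kw in ("COPY", "ADD"):
            parts = [p for p in args.split() if not p.startswith("--")]  # drop --from/--chown
            if len(parts) >= 2 and not parts[-1].startswith("/") and not workdir_set:
                findings.append((n, f"{kw} to relative destination '{parts[-1]}' without WORKDIR"))
        elif kw == "RUN" and re.search(r"(^|&&|;|\|\|)\s*cd\s", args):
            findings.append((n, "RUN changes directory with 'cd'; use WORKDIR instead"))
    return findings
```

Running `check_dockerfile(BAD_DOCKERFILE)` reports lines 2 and 3; the second stage passes because WORKDIR precedes its COPY instructions, and `GOOD_DOCKERFILE` yields no findings.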
Incidence statistics
ReversingLabs periodically collects and analyzes the contents of popular software package repositories for threat research purposes. Analysis results are used to calculate incidence statistics for issues (policy violations) that Spectra Assure can detect in software packages.
This section is updated when new data becomes available.
Total number of packages analyzed
- RubyGems: 183K
- NuGet: 644K
- PyPI: 628K
- npm: 3.72M
Recommended reading
- Dockerfile reference - COPY
- Dockerfile reference - WORKDIR
- General best practices for writing Dockerfiles (External resource - Docker)