
DL4006: Set the SHELL option -o pipefail before RUN with a pipe in

Warning Efficiency

Why This Matters

In /bin/sh (the default shell), a piped command like `curl url | tar xz` only reports the exit code of the last command (tar). If curl fails, the build continues silently with corrupt or missing data. You end up with images that appear to build successfully but contain broken software. Set pipefail so the whole pipe fails if any command in it fails.

How to Fix

Add a SHELL instruction with pipefail before piped RUN commands

Before (incorrect)

RUN curl -sSL https://example.com/file | tar xz

After (correct)

SHELL ["/bin/bash", "-o", "pipefail", "-c"]
RUN curl -sSL https://example.com/file | tar xz
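
The difference between the two forms can be reproduced without Docker or network access. This is an added example, not part of the original rule page: the pipeline, the exit status 22 and the function names are constructed stand-ins, with the left side playing a download that dies midway and the right side playing a tool that accepts whatever bytes it receives.

```shell
#!/bin/sh
# Constructed stand-in for a RUN pipeline: the producer emits partial data
# and exits 22, the consumer writes whatever it receives to $OUT.
PIPELINE='(printf "half-a-file"; exit 22) | cat > "$OUT"'

# Run the pipeline as the default shell form does: /bin/sh -c "<cmd>".
# Prints the exit status the build step would see.
status_default_sh() {
    rc=0
    OUT="$1" sh -c "$PIPELINE" || rc=$?
    echo "$rc"
}

# Run the same pipeline as SHELL ["/bin/bash", "-o", "pipefail", "-c"] does.
status_bash_pipefail() {
    rc=0
    OUT="$1" bash -o pipefail -c "$PIPELINE" || rc=$?
    echo "$rc"
}

# Show both results side by side, including the partial file left behind.
demo() {
    tmp=$(mktemp -d)
    a=$(status_default_sh "$tmp/a")
    b=$(status_bash_pipefail "$tmp/b")
    echo "sh -c            -> exit $a, wrote $(wc -c < "$tmp/a") bytes"
    echo "bash -o pipefail -> exit $b, wrote $(wc -c < "$tmp/b") bytes"
    rm -rf "$tmp"
}
demo
```

Both runs leave the same partial file behind; only the pipefail run returns a non-zero status, which is what makes the build step fail instead of passing.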

Rule Details

Rule Code: DL4006
Severity: Warning
Category: Efficiency
