
PG002: Avoid piping remote scripts to shell

Severity: Error | Category: Security

Why This Matters

Piping curl or wget output directly into a shell (sh, bash, zsh) executes remote code without any verification. If the remote server is compromised, or an attacker intercepts the connection (man-in-the-middle), arbitrary code runs in your build with full root privileges. This is a real supply-chain attack vector. Download the script first, verify its checksum, then execute it.

How to Fix

Download the script to a file, verify its checksum against a known-good value, then execute it.

Before (incorrect)

RUN curl -sSL https://example.com/install.sh | bash

After (correct)

RUN curl -sSL -o /tmp/install.sh https://example.com/install.sh \
    && echo "expected_sha256  /tmp/install.sh" | sha256sum -c - \
    && bash /tmp/install.sh \
    && rm /tmp/install.sh
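As an added example (not part of the rule page), the same check as a POSIX shell function: the installer runs only when its SHA-256 matches the pinned digest, and a tampered copy is refused. It uses constructed local files in place of a network download so it runs offline; the file names and the "installer" contents are made up for the demo.

```shell
#!/bin/sh
# Added example: run a downloaded installer only after its SHA-256 digest
# matches a value pinned in advance. The pinned digest must come from a
# trusted source (e.g. the project's signed release notes), never from the
# same untrusted download.

# verify_and_run FILE EXPECTED_SHA256
# Returns 0 and executes FILE only if its digest equals EXPECTED_SHA256;
# otherwise executes nothing and returns 1.
verify_and_run() {
    file="$1"
    expected="$2"
    # sha256sum -c reads "<hex>  <path>" lines and exits non-zero on mismatch
    # or on a malformed digest (e.g. a placeholder left in the Dockerfile).
    if ! printf '%s  %s\n' "$expected" "$file" | sha256sum -c - >/dev/null 2>&1; then
        echo "checksum mismatch for $file; refusing to execute" >&2
        return 1
    fi
    sh "$file"
}

# --- constructed demo input (not a real installer) ---
workdir="$(mktemp -d)"
trap 'rm -rf "$workdir"' EXIT

good="$workdir/install.sh"
printf '#!/bin/sh\necho "installer ran"\n' > "$good"
# The digest a maintainer would publish out of band; pinned here for the demo.
pinned="$(sha256sum "$good" | cut -d' ' -f1)"

# A tampered copy, as if the server or the transit path had been compromised.
bad="$workdir/install-tampered.sh"
printf '#!/bin/sh\necho "unexpected payload"\n' > "$bad"

# Named checks so the outcomes can be asserted on.
check_good() { verify_and_run "$good" "$pinned"; }   # expected: exit 0, runs
check_bad()  { verify_and_run "$bad"  "$pinned"; }   # expected: exit 1, refused

check_good
check_bad || echo "tampered copy was blocked as intended"
```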

Rule Details

Rule Code: PG002
Severity: Error
Category: Security

Related Rules