PG009: Remove unnecessary network tools from production images
Severity: Warning | Category: Security
Why This Matters
Network utilities like curl, wget, and netcat expand the attack surface of a production container. If an attacker gains code execution, these tools allow downloading additional payloads, establishing reverse shells, or communicating with command-and-control servers. The CIS Docker Benchmark (Section 4.3) states: "Do not install unnecessary packages in containers." Real-world campaigns such as Commando Cat (2024) exploited curl and netcat inside containers for exactly this purpose. Use multi-stage builds to keep these tools in the build stage only, or remove them after use with `apt-get purge` / `apk del`.
How to Fix
Use a multi-stage build so network tools stay in the builder stage, or remove them after use.
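As an added example, not part of this rule page or of the tool that implements it, the following Python script performs the check the rule describes: it flags curl, wget and netcat when they are installed in the final build stage without being removed there, and it accepts both fixes named above, a multi-stage build and removal after use with `apt-get purge` / `apk del`. The Dockerfiles it runs over are constructed samples, the tool list and the handling of apk `--virtual` groups are assumptions made for this example, and only apt and apk package commands are understood.

```python
"""Added example (not the rule's own implementation): a minimal PG009-style
checker that flags network tools installed in the final build stage and never
removed there. Tools used only in earlier stages of a multi-stage build are
ignored. All Dockerfiles below are constructed samples.
"""
import re

# Package names treated as network tools: an assumption for this example based on
# the tools the rule names (curl, wget, netcat); extend as needed.
NETWORK_TOOLS = {"curl", "wget", "netcat", "netcat-openbsd", "netcat-traditional"}

# Matches an apt/apk package command and captures its flags and package list.
_PKG_CMD = re.compile(
    r"\b(?:(?:apt-get|apt)\s+(?P<apt_verb>install|purge|remove)|apk\s+(?P<apk_verb>add|del))"
    r"\s+(?P<flags>(?:-\S+\s+)*)(?P<pkgs>[^&|;]*)"
)

def _logical_lines(dockerfile):
    """Yield instructions with backslash continuations joined and comments dropped."""
    buf = ""
    for raw in dockerfile.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf

def final_stage_runs(dockerfile):
    """Return the RUN commands of the last stage, the one that becomes the image."""
    stages = []
    for line in _logical_lines(dockerfile):
        instruction, _, rest = line.partition(" ")
        if instruction.upper() == "FROM":
            stages.append([])
        elif instruction.upper() == "RUN" and stages:
            stages[-1].append(rest)
    return stages[-1] if stages else []

def check_pg009(dockerfile):
    """Return, sorted, the network tools installed in the final stage and not removed there."""
    installed, removed, virtual_groups = set(), set(), {}
    for cmd in final_stage_runs(dockerfile):
        for m in _PKG_CMD.finditer(cmd):
            verb = m.group("apt_verb") or m.group("apk_verb")
            # Drop version pins (pkg=1.2) and flags placed after the package list.
            pkgs = [t.split("=")[0] for t in m.group("pkgs").split() if not t.startswith("-")]
            if verb in ("install", "add"):
                if verb == "add" and pkgs and "--virtual" in m.group("flags").split():
                    group, *pkgs = pkgs  # first token names the apk virtual group
                    virtual_groups[group] = set(pkgs)
                installed.update(pkgs)
            else:
                for pkg in pkgs:
                    removed.update(virtual_groups.get(pkg, {pkg}))
    return sorted((installed - removed) & NETWORK_TOOLS)

# Constructed samples: the rule's "before" shape, the same-RUN purge fix, the
# multi-stage fix, the Alpine equivalent, and an Alpine image that keeps the tools.
BAD = """\
FROM ubuntu:22.04
RUN apt-get update && apt-get install -y curl \\
    && curl -o app.tar.gz https://example.com/app.tar.gz
CMD ["./app"]
"""
PURGED = """\
FROM ubuntu:22.04
RUN apt-get update && apt-get install -y --no-install-recommends curl \\
    && curl -o app.tar.gz https://example.com/app.tar.gz \\
    && apt-get purge -y --auto-remove curl && rm -rf /var/lib/apt/lists/*
CMD ["./app"]
"""
MULTISTAGE = """\
FROM ubuntu:22.04 AS builder
RUN apt-get update && apt-get install -y curl \\
    && curl -o app.tar.gz https://example.com/app.tar.gz
FROM ubuntu:22.04
COPY --from=builder /app.tar.gz /app.tar.gz
CMD ["./app"]
"""
ALPINE_VIRTUAL = """\
FROM alpine:3.19
RUN apk add --no-cache --virtual .fetch-deps curl \\
    && curl -o app.tar.gz https://example.com/app.tar.gz && apk del .fetch-deps
CMD ["./app"]
"""
ALPINE_BAD = """\
FROM alpine:3.19
RUN apk add --no-cache wget netcat-openbsd
CMD ["./app"]
"""

if __name__ == "__main__":
    for name in ("BAD", "PURGED", "MULTISTAGE", "ALPINE_VIRTUAL", "ALPINE_BAD"):
        print(f"{name}: {check_pg009(globals()[name]) or 'no findings'}")
```

Run directly, the script prints one line per sample; a finding names a tool that would be present in the production image. The checker counts a removal anywhere in the final stage, but a purge in a later RUN still leaves the binary in the earlier layer's history, so the same-RUN form used in the PURGED sample is the one to prefer when a multi-stage build is not an option.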
Before (incorrect)

```dockerfile
FROM ubuntu:22.04
# curl is installed into the final image and never removed
RUN apt-get update && apt-get install -y curl \
    && curl -o app.tar.gz https://example.com/app.tar.gz \
    && tar -xzf app.tar.gz
CMD ["./app"]
```

After (correct)
```dockerfile
FROM ubuntu:22.04 AS builder
# curl lives only in this builder stage, which is discarded
RUN apt-get update && apt-get install -y curl \
    && curl -o app.tar.gz https://example.com/app.tar.gz \
    && tar -xzf app.tar.gz

FROM ubuntu:22.04
# copy only the extracted application, not the tooling used to fetch it
COPY --from=builder /app /app
CMD ["./app"]
```

Rule Details
- Rule Code: PG009
- Severity: Warning
- Category: Security