
PG010: Avoid using network tools in the final build stage

Severity: Info | Category: Security

Why This Matters

This rule flags network utilities such as curl, wget, and netcat when they are invoked in RUN commands of the final build stage. Even when these tools are not explicitly installed by the Dockerfile (they may come pre-installed in the base image), their presence expands the attack surface of the production container. The CIS Docker Benchmark (Section 4.3) advises against keeping unnecessary packages in containers. Real-world campaigns such as Commando Cat (2024) exploited pre-existing curl and netcat inside containers to download payloads and open reverse shells. Use a multi-stage build to confine network tool usage to a builder stage, then COPY only the built artifacts into a minimal final image.

How to Fix

Move network tool usage to a builder stage and COPY only the resulting artifacts into the final image.

Before (incorrect)

FROM node:22-bookworm
# Single-stage build: curl runs in the stage that ships, so the tool stays in the image (PG010)
RUN curl -fsSL https://bun.sh/install | bash
CMD ["node", "server.js"]

After (correct)

# Builder stage: the download and the install script run here only
FROM node:22-bookworm AS builder
RUN curl -fsSL -o /tmp/install.sh https://bun.sh/install \
    && bash /tmp/install.sh

# Final stage: copies the built artifact in and has no RUN that calls a network tool
FROM node:22-slim
COPY --from=builder /root/.bun /root/.bun
CMD ["node", "server.js"]
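To show how a check like PG010 can be applied to a Dockerfile, here is an added example (not the rule's own implementation): it splits the file into FROM stages, looks only at the last one, and reports RUN lines that invoke curl, wget or netcat, using the before and after Dockerfiles above as constructed inputs. The tool list and the stage parsing are assumptions of this example, not taken from the rule.

```python
import re

# Tools this check looks for; matched by basename so /usr/bin/curl also hits.
NETWORK_TOOLS = {"curl", "wget", "nc", "ncat", "netcat"}

def parse_stages(dockerfile):
    """Split a Dockerfile into [(stage_name, [(INSTRUCTION, args), ...]), ...]."""
    text = re.sub(r"\\\s*\n", " ", dockerfile)  # join backslash line continuations
    stages = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        instr = parts[0].upper()
        args = parts[1].strip() if len(parts) > 1 else ""
        if instr == "FROM":
            m = re.match(r"(\S+)(?:\s+AS\s+(\S+))?", args, re.IGNORECASE)
            stages.append((m.group(2) or f"stage{len(stages)}", []))
        elif stages:
            stages[-1][1].append((instr, args))
    return stages

def find_network_tools(run_args):
    """Return the network tool names a RUN instruction invokes (exec or shell form)."""
    # Token matching also flags "apt-get install curl" in the final stage, which is a finding too.
    if run_args.startswith("["):
        tokens = re.findall(r'"([^"]*)"', run_args)
    else:
        tokens = re.split(r"[\s;&|()]+", run_args)
    names = [t.rsplit("/", 1)[-1] for t in tokens]
    return {n for n in names if n in NETWORK_TOOLS}

def check_pg010(dockerfile):
    """List (tool, RUN args) for network tools used in the final stage; [] means clean."""
    stages = parse_stages(dockerfile)  # only the last FROM stage ends up in the shipped image
    findings = []
    for instr, args in (stages[-1][1] if stages else []):
        if instr == "RUN":
            findings += [(tool, args) for tool in sorted(find_network_tools(args))]
    return findings

# Constructed sample inputs: the "before" and "after" Dockerfiles from this rule page.
BEFORE = """FROM node:22-bookworm
RUN curl -fsSL https://bun.sh/install | bash
CMD ["node", "server.js"]"""
AFTER = """FROM node:22-bookworm AS builder
RUN curl -fsSL -o /tmp/install.sh https://bun.sh/install \\
    && bash /tmp/install.sh
FROM node:22-slim
COPY --from=builder /root/.bun /root/.bun
CMD ["node", "server.js"]"""
```

Running check_pg010 on BEFORE reports the curl line; on AFTER it reports nothing because the only curl call sits in the builder stage.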

Rule Details

Rule Code
PG010
Severity
Info
Category
Security

Related Rules