DL4006

mirror of https://github.com/hadolint/hadolint.git synced 2025-12-17 03:24:08 +00:00

Table of Contents

Set the SHELL option -o pipefail before RUN with a pipe in

Problematic code:
Correct code:
Rationale:

Set the SHELL option -o pipefail before RUN with a pipe in

Problematic code:

RUN wget -O - https://some.site | wc -l > /number

Correct code:

SHELL ["/bin/bash", "-o", "pipefail", "-c"]
RUN wget -O - https://some.site | wc -l > /number

Or in case of busybox in an Alpine image:

SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
RUN wget -O - https://some.site | wc -l > /number

Rationale:

https://docs.docker.com/develop/develop-images/instructions/#using-pipes

Some RUN commands depend on the ability to pipe the output of one command into another, using the pipe character (|), as in the following example:

RUN wget -O - https://some.site | wc -l > /number

Docker executes these commands using the /bin/sh -c interpreter, which only evaluates the exit code of the last operation in the pipe to determine success. In the example above this build step succeeds and produces a new image so long as the wc -l command succeeds, even if the wget command fails.

If you want the command to fail due to an error at any stage in the pipe, prepend set -o pipefail && to ensure that an unexpected error prevents the build from inadvertently succeeding.

Since there are some shells that do not accept the -o pipefail option, it is not enough to add set -o pipefail inside the RUN instruction. Therefore, we recommend to always explicitly add the SHELL instruction before using pipes in RUN.