4.7 Do not use update instructions alone in the Dockerfile

Information

Do not use update instructions such as apt-get update alone or on their own line in the
Dockerfile. Placing the update instruction on its own line in the Dockerfile caches the update layer.
When any image is later built using the same instruction, the previously cached update
layer is reused. This can prevent fresh updates from reaching later builds.

Solution

Use update instructions together with install instructions (or any other instruction) and pin
package versions while installing them. This busts the cache and forces the build to fetch the
required versions. Alternatively, you can use the --no-cache flag during the docker build process to avoid using
cached layers.

Impact

None

Default Value

By default, docker does not enforce any restrictions on using update instructions.
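The following is an added example and not part of the benchmark text or of any Tenable/CIS audit plugin. It embeds two constructed Dockerfile snippets, one with the update instruction on its own line and one with update, install and version pinning combined in a single RUN line, and a small POSIX shell check that flags RUN lines consisting only of an update command. The package version string is a placeholder, not a real version.

```shell
#!/bin/sh
# Added example (not from the benchmark or an audit plugin): flag RUN lines whose
# only command is a package-index update, and show the non-compliant and
# compliant Dockerfile forms side by side. Both Dockerfiles are constructed.

# Non-compliant: the update sits alone, so its layer is cached and reused by
# later builds, which may then never see newer package metadata.
BAD_DOCKERFILE='FROM debian:12
RUN apt-get update
RUN apt-get install -y curl
'

# Compliant: update and install share one RUN line and the package version is
# pinned, so a version change invalidates the cached layer. The version string
# is a placeholder, not a real Debian package version.
GOOD_DOCKERFILE='FROM debian:12
RUN apt-get update && apt-get install -y --no-install-recommends \
        curl=PINNED_VERSION_PLACEHOLDER \
    && rm -rf /var/lib/apt/lists/*
'

# Regex for a RUN line that contains only an update/makecache command, with
# optional flags before or after the subcommand. Instruction names are matched
# case-insensitively because Dockerfile instructions are not case-sensitive.
LONE_UPDATE_RE='^[[:space:]]*RUN[[:space:]]+(apt-get|apt|yum|dnf|apk)([[:space:]]+-[^[:space:]]*)*[[:space:]]+(update|makecache)([[:space:]]+-[^[:space:]]*)*[[:space:]]*$'

# find_lone_updates: prints every offending RUN line from the Dockerfile text
# passed as $1. Backslash-continued lines are joined first so that a multi-line
# RUN is judged as a single command. Exit status is 0 when at least one
# offending line was found (grep semantics), 1 otherwise.
find_lone_updates() {
    printf '%s' "$1" \
        | sed -e ':a' -e '/\\$/N; s/\\\n//; ta' \
        | grep -iE "$LONE_UPDATE_RE"
}

# dockerfile_is_compliant: returns 0 when no lone update instruction exists in
# the Dockerfile text passed as $1, 1 otherwise.
dockerfile_is_compliant() {
    if find_lone_updates "$1" >/dev/null; then
        return 1
    fi
    return 0
}

# report: prints a one-line verdict for a labelled Dockerfile text.
report() {
    if dockerfile_is_compliant "$2"; then
        printf '%s: compliant (no lone update instruction)\n' "$1"
    else
        printf '%s: non-compliant, lone update instruction(s):\n' "$1"
        find_lone_updates "$2"
    fi
}

report "bad" "$BAD_DOCKERFILE"
report "good" "$GOOD_DOCKERFILE"
```

The check is a heuristic over the shell form of RUN: it does not inspect the exec (JSON array) form, and it treats any RUN line with a second command after the update as acceptable, so it flags the caching pattern described above rather than judging whether the combined line is otherwise correct. For a one-off rebuild that must ignore every cached layer regardless of Dockerfile content, `docker build --no-cache` remains the fallback named in the Solution.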

See Also

https://workbench.cisecurity.org/files/517

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7b.

Plugin: Unix

Control ID: c4ee90f9a005ea91e3843e6a2dee578f601c071130271f4a730536ee82d8432c