--- title: "Dockerfile Best Practices" diataxis: reference applies_to: product: "kyverno" audience: ["platform-engineer","devsecops"] last_updated: 2026-03-25 url: https://docs.nirmata.io/docs/policy-sets/dockerfile_best_practices/ --- Dockerfile best practices are sets of guidelines that help in creating secure Docker images that can protect itself from attacks and vulnerabilities. Nirmata provides a collection of Kyverno policies that are aimed at implementing Dockerfile best practices. Refer to the official [Docker documentation](https://docs.docker.com/develop/develop-images/dockerfile_best-practices/) to learn about the practices in detail. Click on the below profiles to dig deeper into the controls and their associated Kyverno policy. Nirmata also provides a reference to what a good resource looks like that conforms to these best practices. --- ## Check Unauthentication ### Description The usage of `--allow-unauthenticated` flag in a Dockerfile is generally not recommended because it disables the validation of package signatures. This flag is specific to certain package managers (like APT for Debian-based systems) and allows the installation of packages without checking their cryptographic signatures. This policy checks if the Dockerfile contains the --allow-unauthenticated flag and gives Failing check if it contains the `--allow-unauthenticated` flag. ### Kyverno policy Refer to the Nirmata curated policies - [check-unauthentication](https://github.com/nirmata/kyverno-policies/blob/main/dockerfile-best-practices/check-authentication/check-unauthentication-install.yaml). ### Resource example Below is an example of a Dockerfile enforcing this policy. ```bash FROM ubuntu:latest RUN apt-get update && \ apt-get install -y yamllint WORKDIR /app COPY . /app EXPOSE 8080 CMD ["echo", "Container is running!"] ```text --- ## Check Certificate Validation Curl ### Description The `--insecure` option with the `curl` command tells curl to bypass SSL certificate verification. This includes the risk of connecting to a server that is not who it claims to be, potentially exposing sensitive information or becoming vulnerable to man-in-the-middle attacks. This policy checks whether certificate validation is disabled in the Dockerfile using the `--insecure` option when running the `curl` command. ### Risks The `--allow-unauthenticated` flag in a Dockerfile poses significant security risks due to the following reasons: * Package Integrity: When this flag is used, it bypasses the validation of package signatures, which ensures that the software you're installing hasn't been tampered with. Without signature verification, you're at risk of installing: * Malicious packages: Hackers could inject compromised software into your system, which could lead to data breaches or unauthorized access. * Corrupted or modified packages: If a package has been altered, you may install software that contains bugs or vulnerabilities. * Susceptibility to Supply Chain Attacks: Disabling signature checks opens the door for supply chain attacks. An attacker could compromise a package repository and replace legitimate packages with malicious versions. Without cryptographic validation, your system wouldn't detect this change. * Undetected Vulnerabilities: Since signature validation is an important step in ensuring the authenticity and integrity of the software, skipping it could allow vulnerabilities to slip into your environment unnoticed. This could potentially expose your application to exploits based on known vulnerabilities. * Trust Issues: Without signature verification, you lose the ability to trust the source of the software you're installing, which undermines the security of your Docker image. This could have long-term impacts, especially if the image is shared or used across multiple environments. ### Kyverno policy Refer to the Nirmata curated policies - [check-certificate-validation-curl](https://github.com/nirmata/kyverno-policies/blob/main/dockerfile-best-practices/check-certificate-validation-curl/check-certificate-validation-curl.yaml). ### Resource example Below is an example of a Dockerfile enforcing this policy. ```bash FROM alpine:latest RUN apk --no-cache add curl RUN curl -LO https://github.com/glasskube/glasskube/releases/download/v0.0.1/glasskube_v0.0.1_amd64.deb ENTRYPOINT ["curl"] ```text --- ## Check Certificate Validation Nodejs-env-var ### Description `NODE_TLS_REJECT_UNAUTHORIZED` is an environment variable used in Node.js to control TLS certificate verification behavior. This policy checks whether this environment variable is set to 0. By default, it is set to 1, which enables certificate verification. ### Kyverno policy Refer to the Nirmata curated policies - [check-certificate-validation-nodejs-env-var](https://github.com/nirmata/kyverno-policies/blob/main/dockerfile-best-practices/check-certificate-validation-nodejs-env-var/check-certificate-validation-nodejs-env-var.yaml). ### Resource example Below is an example of a Dockerfile enforcing this policy. ```bash FROM alpine:latest ENV NODE_TLS_REJECT_UNAUTHORIZED=1 CMD ["sh", "-c", "echo 'Hello, World!'"] ```text --- ## Check Certificate Validation pip3 ### Description In pip3, the `--trusted-host` flag allows you to mark a specific host as trusted, even if it's not included in the list of trusted hosts specified in the configuration files. This is typically used when packages are installed from custom repositories or when accessing repositories over insecure connections. This policy checks whether certificate validation is disabled in the Dockerfile using `--trusted-host` option when running the pip3 command. ### Kyverno policy Refer to the Nirmata curated policies - [check-certificate-validation-pip3](https://github.com/nirmata/kyverno-policies/blob/main/dockerfile-best-practices/check-certificate-validation-pip3/check-certificate-validation-pip3.yaml). ### Resource example Below is an example of a Dockerfile enforcing this policy. ```bash FROM python WORKDIR /app RUN pip3 install numpy CMD ["echo", "Installed successfully"] ```text --- ## Check Certificate Validation Python-env-var ### Description The `PYTHONHTTPSVERIFY` environment variable is used in Python to control certificate verification when making HTTPS requests. This policy checks whether this environment variable is set to 0. By default, it is set to 1, which enables certificate verification. ### Kyverno policy Refer to the Nirmata curated policies - [check-certificate-validation-python-env-var](https://github.com/nirmata/kyverno-policies/blob/main/dockerfile-best-practices/check-certificate-validation-python-env-var/check-certificate-validation-python-env-var.yaml). ### Resource example Below is an example of a Dockerfile enforcing this policy. ```bash FROM python:3.9 ENV PYTHONHTTPSVERIFY 1 WORKDIR /app COPY . /app CMD [ "echo", "Hello world" ] ```text --- ## Check Certificate Validation Wget ### Description When the `--no-check-certificate` option is used with wget, wget gets instructed to ignore SSL certificate verification while making HTTPS connections. This option allows wget to download files from HTTPS URLs without validating the SSL certificate presented by the server. This policy checks whether certificate validation is disabled in the Dockerfile using `--no-check-certificate` option when running the wget command. ### Kyverno policy Refer to the Nirmata curated policies - [check-certificate-validation-wget](https://github.com/nirmata/kyverno-policies/blob/main/dockerfile-best-practices/check-certificate-validation-wget/check-certificate-validation-wget.yaml). ### Resource example Below is an example of a Dockerfile enforcing this policy. ```bash FROM alpine:latest RUN apk --no-cache add wget RUN wget https://cdn.kernel.org/pub/linux/kernel/v4.x/linux-4.17.2.tar.xz ENTRYPOINT ["wget"] ```text --- ## Check Last User ### Description The `last USER` instruction in the Dockerfile is what determines the default user for the container when it starts. This policy validates that the `last USER` is not root. Running containers as non-root users significantly limits the potential damage that attackers can inflict if they manage to compromise a container. ### Kyverno policy Refer to the Nirmata curated policies - [check-last-user](https://github.com/nirmata/kyverno-policies/blob/main/dockerfile-best-practices/check-last-user/check-last-user.yaml). ### Resource example Below is an example of a Dockerfile enforcing this policy. ```bash FROM base USER root COPY test.sh /test.sh USER non-root ```text --- ## Check Missing Signature Options ### Description `–nodigest`, `–nosignature`, `–noverify`, `–nofiledigest` options are flags that can used with the rpm command to alter its behavior during installation.This policy ensures that packages with untrusted or missing signatures are not used by rpm via the `–nodigest`, `–nosignature`, `–noverify`, or `–nofiledigest` options. ### Kyverno policy Refer to the Nirmata curated policies - [check-missing-signature-options](https://github.com/nirmata/kyverno-policies/blob/main/dockerfile-best-practices/check-missing-signature-options/check-missing-signature-options.yaml). ### Resource example Below is an example of a Dockerfile enforcing this policy. ```bash FROM centos:7 RUN yum install -y wget RUN rpm -i vim-enhanced-7.4.629-7.el7.aarch64.rpm RUN echo "Hello world!" ```text --- ## Check Nogpgcheck ### Description GPG signature checking is a security feature that verifies the authenticity and integrity of packages before they are installed on a system. When nogpgcheck is enabled, dnf, tdnf, or yum will not verify the GPG signatures associated with the packages potentially exposing the system to security risks if the packages have been tampered with or are not from trusted sources. ### Kyverno policy Refer to the Nirmata curated policies - [check-nogpgcheck](https://github.com/nirmata/kyverno-policies/blob/main/dockerfile-best-practices/check-nogpgcheck/check-nogpgcheck.yaml). ### Resource example Below are examples of two Dockerfiles enforcing this policy. ```bash FROM fedora:34 RUN yum -y install wget && \ yum -y clean all RUN echo "Hello, World!" ``` ```bash FROM fedora:34 RUN dnf -y install wget && \ dnf -y clean all RUN echo "Hello, World!" ```text --- ## Check NPM Config Strict SSL ### Description The `NPM_CONFIG_STRICT_SSL` environment variable is used to control strict SSL certificate validation behavior in npm. This policy ensures that certificate validation isn't disabled for npm via the `NPM_CONFIG_STRICT_SSL` environmnet variable. ### Kyverno policy Refer to the Nirmata curated policies - [check-npm-config-strict-ssl](https://github.com/nirmata/kyverno-policies/blob/main/dockerfile-best-practices/check-npm-config-strict-ssl/check-npm-config-strict-ssl.yaml). ### Resource example Below is an example of a Dockerfile enforcing this policy. ```bash FROM node:latest ENV NPM_CONFIG_STRICT_SSL=false RUN echo "Hello world" ```text --- ## Check Untrust Flag ### Description The use of `--allow-untrusted` flag in a Dockerfile is generally not recommended. Allowing untrusted packages can introduce security risks, as it means that the authenticity and integrity of the packages cannot be guaranteed. This policy ensures that Dockerfile do not contain the `--allow-untrusted` flag. ### Kyverno policy Refer to the Nirmata curated policies - [check-untrust-flag](https://github.com/nirmata/kyverno-policies/blob/main/dockerfile-best-practices/check-untrust-flag/check-allow-untrusted-flag.yaml). ### Resource example Below is an example of a Dockerfile enforcing this policy. ```bash FROM alpine:latest RUN apk update && \ apk add --no-cache curl WORKDIR /app COPY . /app CMD ["echo", "Container is running!"] ```text --- ## Detect Multiple Instructions ### Description This policy is implemented to ensure that container images are built with minimal cached layers. It specifically focuses on detecting and preventing the use of multiple instructions in a single line within Dockerfiles. ### Kyverno policy Refer to the Nirmata curated policies - [detect-multiple-instructions](https://github.com/nirmata/kyverno-policies/blob/main/dockerfile-best-practices/detect-multiple-instructions/detect-multiple-instructions.yaml). ### Resource example Below is an example of a Dockerfile enforcing this policy. ```bash FROM ubuntu:latest # Update the package repository RUN apt-get update WORKDIR /app COPY . /app EXPOSE 8080 # Example: Run a command when the container starts CMD ["echo", "&& is not present"] ```text --- ## Disallow Sudo Operations ### Description The usage of sudo within a Dockerfile is generally not preferred due to several reasons, primarily to avoid potential security risks associated with privilege escalations. Using sudo within a Dockerfile grants additional privileges to the execution context. This Policy checks whether the sudo operation is used within the Dockerfile. ### Kyverno policy Refer to the Nirmata curated policies - [disallow-sudo-operations](https://github.com/nirmata/kyverno-policies/blob/main/dockerfile-best-practices/disallow-sudo-operations/disallow-sudo-operations.yaml). ### Resource example Below is an example of a Dockerfile enforcing this policy. ```bash FROM ubuntu:20.04 RUN apt-get update && \ apt-get install -y vim RUN apt-get install -y python3 ```text --- ## Prefer Copy Over Add ### Description This policy ensures that container images are built using commands that result in known outcomes. Specifically, it advocates for the preference of using the `COPY` instruction over `ADD` in Dockerfiles. By adhering to this policy, the predictability and transparency of the image-building process gets enhanced. ### Kyverno policy Refer to the Nirmata curated policies - [prefer-copy-over-add](https://github.com/nirmata/kyverno-policies/blob/main/dockerfile-best-practices/prefer-copy-over-add/prefer-copy-over-add.yaml). ### Resource example Below is an example of a Dockerfile enforcing this policy. ```bash FROM ubuntu:latest # Update the package repository RUN apt-get update WORKDIR /app COPY . /app EXPOSE 8080 # Example: Run a command when the container starts CMD ["echo", "ADD Instruction is not present"] ```text --- ## Validate Base Image Tag ### Description Ensuring the use of version tags and digests instead of the latest image tag in a Dockerfile is crucial for maintaining control, reproducibility, and stability in containerized environments. This policy checks whether the base image tag is defined with a specific version or digest in the Dockerfile to promote reliable container deployment practices. ### Kyverno policy Refer to the Nirmata curated policies - [validate-base-image-tag](https://github.com/nirmata/kyverno-policies/blob/main/dockerfile-best-practices/validate-base-image-tag/validate-base-image-tag.yaml). ### Resource example Below are examples of two Dockerfiles enforcing this policy. ```bash # Multi-Stage Build FROM busybox:1.33 as base COPY test.sh /test.sh FROM base LABEL foo=bar ``` ```bash # Multi-Stage Capital Build FROM busybox:1.33 AS base COPY test.sh /test.sh FROM base AS build LABEL foo=bar FROM base ```text --- ## Validate Expose Port 22 ### Description Exposing port 22 in a Dockerfile can pose security risks by potentially allowing unauthorized access to the containerized system. This policy aims to validate whether port 22 is exposed in Dockerfiles to enhance security practices. ### Kyverno policy Refer to the Nirmata curated policies - [validate-expose-port-22](https://github.com/nirmata/kyverno-policies/blob/main/dockerfile-best-practices/validate-expose-port-22/validate-expose-port-22.yaml). ### Resource example Below is an example of a Dockerfile enforcing this policy. ```bash FROM ubuntu:latest EXPOSE 8080 ```text --- ## Validate Healthcheck Instruction ### Description Ensuring the presence and proper configuration of the `HEALTHCHECK` instruction in a Dockerfile is crucial for maintaining the health and stability of containerized applications. This policy aims to validate whether the `HEALTHCHECK` instruction is appropriately defined to promote robust container orchestration and monitoring practices. ### Kyverno policy Refer to the Nirmata curated policies - [validate-healthcheck-instruction](https://github.com/nirmata/kyverno-policies/blob/main/dockerfile-best-practices/validate-healthcheck-instruction/validate-healthcheck-instruction.yaml). ### Resource example Below is an example of a Dockerfile enforcing this policy. ```bash FROM ubuntu:latest HEALTHCHECK CMD curl --fail http://localhost:80 || exit 1 CMD ["nginx", "-g", "daemon off;"] ```text --- ## Validate User Instruction ### Description Ensuring the presence and proper configuration of the `USER` instruction in a Dockerfile is essential for enhancing the security posture of containerized applications. This policy aims to validate whether the `USER` instruction is appropriately defined to promote secure container execution practices. If the `USER` instruction is not present, the policy fails. ### Kyverno policy Refer to the Nirmata curated policies - [validate-user-instruction](https://github.com/nirmata/kyverno-policies/blob/main/dockerfile-best-practices/validate-user-instruction/validate-user-instruction.yaml). ### Resource example Below is an example of a Dockerfile enforcing this policy. ```bash FROM ubuntu:latest USER me CMD ["nginx", "-g", "daemon off;"] ```text