Skip to main content
JSON arguments recommended for ENTRYPOINT/CMD to prevent unintended behavior related to OS signals.

Description

ENTRYPOINT and CMD instructions both support shell form and exec form. When you use shell form, the executable runs as a child process to a shell, which doesn’t pass signals. This means that the program running in the container can’t detect OS signals like SIGTERM and SIGKILL and respond to them correctly.

Examples

Bad:
Good:

Workarounds

If you need shell features (variable expansion, piping, command chaining), you can:
  1. Create a wrapper script:
  1. Explicitly specify the shell (suppresses the warning):

Auto-fix

Fix safety: FixSuggestion — converts shell form to JSON array form. Before:
After (with --fix):
  • tally/invalid-json-form — detects instructions that attempt JSON exec-form but have invalid JSON (e.g., unquoted strings, single quotes). BuildKit silently falls back to shell-form for these, so both rules fire on the same instruction. tally’s supersession processor suppresses the lower-severity JSONArgsRecommended (info) when invalid-json-form (error) is present at the same line.

Supersedes

Reference