Set the SHELL option -o pipefail before RUN with a pipe in.
Property: Value
Severity: Warning
Category: Best Practice
Default: Enabled
Auto-fix: Yes (--fix)

Description

Some RUN commands depend on the ability to pipe the output of one command into another using the pipe character (|). Docker executes these commands using /bin/sh -c, which only evaluates the exit code of the last operation in the pipe. Since there are some shells that do not accept the -o pipefail option, it is not enough to add set -o pipefail inside the RUN instruction. Therefore, we recommend always explicitly adding the SHELL instruction before using pipes in RUN.

Examples

Problematic code

RUN wget -O - https://some.site | wc -l > /number

Correct code

SHELL ["/bin/bash", "-o", "pipefail", "-c"]
RUN wget -O - https://some.site | wc -l > /number
or for Alpine/busybox:
SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
RUN wget -O - https://some.site | wc -l > /number
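
The masking described in the Description can be reproduced outside a build. This is an added example, not part of the original rule documentation or the linter's code: it runs a failing producer piped into wc -l through `<shell> -c`, the way a shell-form RUN does, with and without -o pipefail. The function names and the `(exit 3)` stand-in for a failed download are assumptions made for the demonstration.

```shell
#!/bin/sh
# Constructed demonstration: "(exit 3)" stands in for a download that fails,
# "wc -l" is the consumer that still succeeds on empty input.

# pipeline_status SHELL [OPTS...]
# Runs the pipeline as `SHELL OPTS -c '<cmd>'` (the form the SHELL instruction
# configures) and prints the exit status the build step would see.
pipeline_status() {
    shell=$1
    shift
    status=0
    "$shell" "$@" -c '(exit 3) | wc -l > /dev/null' || status=$?
    echo "$status"
}

# supports_pipefail SHELL
# Succeeds only if SHELL exists and accepts `-o pipefail` on its command line.
# Shells without the option reject it at startup, which is why the rule asks
# for an explicit SHELL instruction naming a shell known to support it.
supports_pipefail() {
    "$1" -o pipefail -c 'true' > /dev/null 2>&1
}

# Report the behaviour of whichever of these shells are installed.
for candidate in sh bash ash; do
    command -v "$candidate" > /dev/null 2>&1 || continue
    printf '%-4s default:      exit %s\n' "$candidate" \
        "$(pipeline_status "$candidate")"
    if supports_pipefail "$candidate"; then
        printf '%-4s -o pipefail:  exit %s\n' "$candidate" \
            "$(pipeline_status "$candidate" -o pipefail)"
    else
        printf '%-4s does not accept -o pipefail\n' "$candidate"
    fi
done
```

A default exit of 0 means the build step would be recorded as successful even though the producer failed; with -o pipefail the producer's status (3 here) becomes the status of the step.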

Auto-fix

Inserts a SHELL ["/bin/bash", "-o", "pipefail", "-c"] instruction before the first RUN with a pipe in each stage. The instruction is generated only once per stage, since SHELL persists.
# Before
RUN cmd1 | cmd2 | cmd3

# After (with --fix)
SHELL ["/bin/bash", "-o", "pipefail", "-c"]
RUN cmd1 | cmd2 | cmd3

Reference