Skip to main content
CUDA packages are already provided by the nvidia/cuda base image.

Description

Detects RUN instructions that install CUDA userspace packages via a package manager (apt, apt-get, yum, dnf, microdnf, apk) in stages that already inherit from nvidia/cuda:*. The rule is flavor-aware: it parses the image tag to determine the variant (base, runtime, or devel) and only flags packages that the variant already includes. For example, installing cuda-toolkit on a runtime image is legitimate (runtime does not include the toolkit), but installing cuda-runtime on a runtime image is redundant.

Why this matters

  • Redundant work — the base image already provides the CUDA stack for the selected variant
  • Version drift — the package manager may install a different CUDA version than the one baked into the base image, causing subtle incompatibilities
  • Image bloat — duplicate CUDA libraries waste space in the image layers
  • Maintenance burden — two sources of truth for the CUDA version make upgrades harder

Examples

Violation

No violation

Flavor-aware matching

The rule maps packages to the nvidia/cuda image variant that includes them: TensorRT packages (tensorrt*) are never flagged because standard nvidia/cuda tags do not include TensorRT. When the tag cannot be parsed (e.g., digest-only or ARG-based), the rule defaults to devel to avoid false positives.

Applicability

This rule only fires on stages where the base image is nvidia/cuda:* (or docker.io/nvidia/cuda:*). It does not fire on:
  • Stages with a non-NVIDIA base image (e.g., ubuntu:22.04)
  • Stages using other NVIDIA images (e.g., nvcr.io/nvidia/pytorch:*, nvidia/cudagl:*)
  • Stages that reference another build stage (FROM builder)

Configuration

This rule has no rule-specific options.

References