Skip to main content
Final stage uses an NVIDIA devel image without clear build-time needs; prefer a runtime or base variant for the shipped stage.

Description

Detects when the final stage of a Dockerfile uses nvidia/cuda:*devel* as its base image without obvious compile-time needs such as nvcc, gcc, make, or cmake. The devel variant includes the full CUDA compiler toolchain, development headers, and static libraries, which can add several gigabytes to the final image.

Why this matters

  • Image sizedevel images are typically 2—4 GB larger than the corresponding runtime variant due to nvcc, development headers, and static libraries
  • Attack surface — shipping compiler toolchains and development headers in production images exposes unnecessary binaries that could be leveraged in a container escape or supply-chain attack
  • Build cache efficiency — larger images take longer to pull, push, and layer-cache, slowing down CI/CD pipelines
  • Best practice alignment — NVIDIA, Hugging Face, and major ML projects recommend using devel only in builder stages and switching to runtime or base for the shipped image

What is flagged

Examples

Violation

No violation

Detection details

The rule fires only when all of the following are true:
  1. The final stage base image is nvidia/cuda:*devel*
  2. No compile signal is detected in the final stage
Compile signals that suppress the rule:
  • Commands: nvcc, gcc, g++, make, cmake, ninja
  • Packages: build-essential, gcc, g++, make, cmake, ninja-build
When a COPY --from=... instruction is present in the final stage, the violation detail notes this as additional evidence that the stage serves as a runtime image.

Configuration

This rule has no rule-specific options.

References