Docker Antipattern Detection

Analyze Dockerfiles for antipatterns causing bloated images, poor caching, and unreliable builds.

Antipattern Catalog

1. COPY Before Dependency Install

# BAD: Cache busted on every code change
COPY . /var/www/html
RUN composer install --no-dev

# GOOD: Dependencies first, source second
COPY composer.json composer.lock /var/www/html/
RUN composer install --no-dev --no-scripts --no-autoloader
COPY . /var/www/html
RUN composer dump-autoload --optimize

2. apt-get update in Separate Layer

# BAD: Stale package index
RUN apt-get update
RUN apt-get install -y libpng-dev

# GOOD: Combined in same layer
RUN apt-get update && apt-get install -y --no-install-recommends \
    libpng-dev && rm -rf /var/lib/apt/lists/*

3. Using latest Tag

# BAD: Non-deterministic builds
FROM php:latest

# GOOD: Pinned version
FROM php:8.4.3-fpm-bookworm

4. apt-get Without Cleanup

# BAD: Package cache bloats image
RUN apt-get update && apt-get install -y libzip-dev

# GOOD: Cleanup in same layer
RUN apt-get update && apt-get install -y --no-install-recommends \
    libzip-dev && rm -rf /var/lib/apt/lists/*

5. Multiple FROM Without Multi-Stage Purpose

# BAD: Build artifacts never copied
FROM node:20
RUN npm ci && npm run build
FROM php:8.4-fpm
COPY . /var/www/html

# GOOD: Artifact copy from named stage
FROM node:20 AS frontend
RUN npm ci && npm run build
FROM php:8.4-fpm
COPY --from=frontend /app/dist /var/www/html/public

6. Unrelated Commands in Single RUN

# BAD: Mixed concerns, poor cache utilization
RUN apt-get update && pecl install redis && composer install

# GOOD: Logically grouped
RUN apt-get update && apt-get install -y --no-install-recommends \
    libzip-dev && rm -rf /var/lib/apt/lists/*
RUN docker-php-ext-install zip opcache
RUN pecl install redis && docker-php-ext-enable redis

7. No .dockerignore

# Required .dockerignore to exclude:
.git
.env
vendor
node_modules
tests
docs
docker-compose*.yml

8. Installing Editors in Production

# BAD: Dev tools in production
RUN apt-get install -y vim nano htop strace

# GOOD: Only runtime dependencies
RUN apt-get install -y --no-install-recommends libzip-dev

9. ADD Instead of COPY

# BAD: ADD has implicit tar extraction and URL fetching
ADD app.tar.gz /var/www/html/

# GOOD: Explicit COPY for local files
COPY . /var/www/html/

10. CMD with Shell Form

# BAD: Shell form (no signal forwarding)
CMD php-fpm -F

# GOOD: Exec form (PID 1 receives signals)
CMD ["php-fpm", "-F"]

11. ENTRYPOINT Not Handling Signals

# GOOD: Entrypoint with exec for signal forwarding
COPY docker-entrypoint.sh /usr/local/bin/
ENTRYPOINT ["docker-entrypoint.sh"]
CMD ["php-fpm"]

Grep Patterns

Grep: "^COPY \\." --glob "**/Dockerfile*"
Grep: "^RUN apt-get update$" --glob "**/Dockerfile*"
Grep: "^FROM.*:latest" --glob "**/Dockerfile*"
Grep: "apt-get install" --glob "**/Dockerfile*"
Grep: "^ADD " --glob "**/Dockerfile*"
Grep: "^(CMD|ENTRYPOINT) [^\\[]" --glob "**/Dockerfile*"
Grep: "install.*-y.*(vim|nano|htop|strace)" --glob "**/Dockerfile*"
Glob: "**/.dockerignore"

Severity Classification

Output Format

### Docker Antipattern: [Name]

**Severity:** Critical/Major/Minor
**File:** `Dockerfile:line`
**Category:** Cache / Size / Security / Reliability
**Issue:** [Description and why it is problematic]
**Fix:** [Corrected instruction snippet]
**Impact:** Build time / Image size / Reliability changes