This page describes a highlighted problem produced by the Docker and Kubernetes Security scanner plugin.
You can find more details on the internal page: Cloud (IaC) Security plugin
If this project has been helpful to you, please consider giving it a ⭐ on GitHub to help others discover it.
Problem
ARG values used in RUN commands can be overridden at build time by whoever runs the build. This leads to unintended behavior and security risks.
Description
ARG values are build-time inputs that anyone running the build can change with --build-arg; the default written in the Dockerfile is only a suggestion. When package names or command fragments in a RUN instruction come from such an argument, the resulting image can differ from the reviewed security baseline without any change to the Dockerfile itself. In shell-form RUN the argument is expanded and word-split by the shell, so a single value such as "build-essential netcat" or "build-essential --allow-unauthenticated" silently adds packages or options to the install command.
This is especially risky in shared CI pipelines, where build arguments can be injected by automation layers (pipeline variables, templated build steps) rather than set by a reviewer. For sensitive steps, fixed values or a validated allowlist are safer than unconstrained argument substitution in package-install commands.
Related rules: avoid potential secrets in ENV, pin image versions, use --no-install-recommends.
Solution
Avoid using ARG directly in security-sensitive RUN commands. Use fixed values or strict validation so build behavior stays predictable and reviewable.
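Added example, not code from the scanner or the plugin: a POSIX shell allowlist check of the kind a RUN step can perform before handing a build argument to apt-get, together with a small helper that shows why an unquoted ARG is risky (shell word splitting turns one value into several apt-get arguments). The allowlist, the function names and the sample values are constructed for this example.

```shell
#!/bin/sh
# Added example: allowlist validation for a build-time ARG before it reaches
# apt-get. Not part of the scanner's documentation; all names are assumptions.

# Constructed allowlist: the only package names this image may install.
ALLOWED_PACKAGES="build-essential git ca-certificates"

# count_words VALUE: how many separate arguments an unquoted $VALUE becomes
# after shell word splitting. One ARG can silently turn into several apt-get
# arguments, including extra packages or extra options.
count_words() {
    set -- $1
    echo "$#"
}

# is_allowed_package VALUE: exit 0 only when VALUE is exactly one allowlisted
# package name. Debian package names use only lowercase letters, digits,
# '.', '+' and '-' and start with an alphanumeric, so anything else (empty
# string, leading '-', whitespace, shell metacharacters) is rejected before
# the allowlist is even consulted.
is_allowed_package() {
    value=$1
    case "$value" in
        ''|-*|*[!a-z0-9.+-]*) return 1 ;;
    esac
    for allowed in $ALLOWED_PACKAGES; do
        [ "$value" = "$allowed" ] && return 0
    done
    return 1
}

# install_check VALUE: the decision a RUN step would make. Prints the command
# apt-get would have received so the effect of an override is visible.
install_check() {
    if is_allowed_package "$1"; then
        echo "ok: apt-get install --no-install-recommends -y $1"
        return 0
    fi
    echo "refused: INSTALL_PACKAGE='$1' would have become $(count_words "$1") argument(s)" >&2
    return 1
}

# Constructed values a caller could pass with --build-arg INSTALL_PACKAGE=...
install_check "build-essential"
install_check "build-essential --allow-unauthenticated" || true
install_check "build-essential netcat-traditional" || true
install_check "--force-yes" || true
```

Inside a Dockerfile the same check can be written inline in the RUN instruction, for example with a case statement that exits non-zero for any value outside the allowlist before apt-get runs, and the argument should then be quoted ("$INSTALL_PACKAGE") so that it cannot be split into several arguments. The allowlist still lives in the Dockerfile, where it is reviewed together with the rest of the build.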
Problematic code
FROM ubuntu:20.04
# The package name comes from a build-time argument that any caller can override with --build-arg
ARG INSTALL_PACKAGE=build-essential
RUN apt-get update && apt-get install -y $INSTALL_PACKAGE
# apt-get needs root, so drop privileges only after the install step
USER nobody
Verified code
FROM ubuntu:20.04
# Fixed package name: the install step cannot be changed from the build command line
RUN apt-get update && apt-get install --no-install-recommends -y build-essential
# Drop privileges once the root-only install step is done
USER nobody