This page describes a highlighted problem produced by the Docker and Kubernetes Security scanner plugin.
You can find more details on the internal page: Cloud (IaC) Security plugin
If this project has been helpful to you, please consider giving it a ⭐ on GitHub to help others discover it.
Problem
Using apk update and then performing a manual apk cache clean with rm -rf /var/cache/apk/* is an inefficient pattern in Alpine-based Docker images that increases image size and complicates the Dockerfile.
Description
The common practice for installing packages in Alpine involves updating the package index with apk update, installing packages with apk add, and finally performing an apk cache clean by running rm -rf /var/cache/apk/*. This final step is done to reduce the final image size.
This multi-step method is suboptimal. The apk update command writes a cache to the filesystem that must be manually removed. This process of installation followed by an apk cache clean increases build time and complexity, even when chained in a single RUN instruction.
A much cleaner and more efficient solution is to use the --no-cache flag with apk add. This option downloads the package index directly into memory, uses it for the installation, and then discards it without ever writing to the layer’s filesystem.
Solution
Combine package installation into a single RUN instruction using apk add with the --no-cache flag.
Problematic code
FROM alpine:latest
RUN apk update && \
    apk add --no-progress curl && \
    rm -rf /var/cache/apk/*
Verified code
FROM alpine:latest
RUN apk add --no-cache curl
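The following POSIX sh script is an added example, not code from the scanner plugin: it shows how a check for this finding can be implemented by joining backslash-continued RUN instructions into one line and then looking for apk update or a manual deletion of /var/cache/apk. The function names are illustrative and the two Dockerfiles it writes to a temporary directory are constructed samples that mirror the problematic and verified snippets above.

```shell
#!/bin/sh
# Added example (not part of the scanner plugin): flag Dockerfiles that run
# "apk update" and/or "rm -rf /var/cache/apk/*" instead of "apk add --no-cache".

# Print each RUN instruction of a Dockerfile on a single line: backslash
# continuations are joined and the leading "RUN" keyword is stripped.
run_instructions() {
    awk '
        /\\[ \t]*$/ { sub(/\\[ \t]*$/, " "); buf = buf $0; next }
        { print buf $0; buf = "" }
    ' "$1" | sed -n 's/^[[:space:]]*RUN[[:space:]]\{1,\}//p'
}

# Print the number of RUN instructions that call "apk update" or delete the
# apk cache by hand (grep -c counts instructions, not individual matches).
apk_cache_findings() {
    run_instructions "$1" \
        | grep -E -c 'apk[[:space:]]+update|rm[[:space:]]+-[a-zA-Z]+[[:space:]]+/var/cache/apk' \
        || true
}

# Verdict for one Dockerfile: "finding" when the inefficient pattern appears,
# "ok" otherwise.
check_dockerfile() {
    if [ "$(apk_cache_findings "$1")" -gt 0 ]; then
        echo finding
    else
        echo ok
    fi
}

# Constructed sample Dockerfiles so the script runs stand-alone; the directory
# is left in place so the files can be inspected afterwards.
demo_dir=$(mktemp -d)
cat > "$demo_dir/Dockerfile.bad" <<'EOF'
FROM alpine:latest
RUN apk update && \
    apk add --no-progress curl && \
    rm -rf /var/cache/apk/*
EOF
cat > "$demo_dir/Dockerfile.good" <<'EOF'
FROM alpine:latest
RUN apk add --no-cache curl
EOF

for f in "$demo_dir"/Dockerfile.*; do
    printf '%s: %s\n' "$f" "$(check_dockerfile "$f")"
done
```

Joining continuation lines first matters: the problematic snippet spreads one RUN instruction over three physical lines, and a naive per-line grep for `apk update` alone would miss Dockerfiles that only delete the cache, or double-count an instruction that does both.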