Pattern: Use of pipe without -o pipefail
Issue: -
Some RUN commands depend on the ability to pipe the output of one command into another, using the pipe character (|), as in the following example:
RUN wget -O - https://some.site | wc -l > /number
Docker executes these commands using the /bin/sh -c interpreter, which only evaluates the exit code of the last operation in the pipe to determine success. In the example above this build step succeeds and produces a new image so long as the wc -l command succeeds, even if the wget command fails.
If you want the command to fail due to an error at any stage in the pipe, prepend set -o pipefail && to ensure that an unexpected error prevents the build from inadvertently succeeding.
Since there are some shells that do not accept the -o pipefail option, it is not enough to add set -o pipefail inside the RUN instruction. Therefore, we recommend always setting the SHELL explicitly before using pipes in RUN.
Example of incorrect code:
RUN wget -O - https://some.site | wc -l > /number
Example of correct code:
SHELL ["/bin/bash", "-o", "pipefail", "-c"]
RUN wget -O - https://some.site | wc -l > /number
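One way to check a Dockerfile for this pattern, as an added example that is not the linter's own implementation. The function names are hypothetical. It assumes that only the JSON-array SHELL form shown above enables pipefail and that every FROM starts again with the default shell.

```python
def instructions(text):
    """Yield (first_line_no, instruction), joining backslash continuations."""
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        start = start if buf else no
        buf += line.removesuffix("\\") + " "
        if not line.endswith("\\"):
            yield start, buf.strip()
            buf = ""

def has_pipe(cmd):
    """True if cmd has a '|' outside quotes that is not part of '||'."""
    quote, i = None, 0
    while i < len(cmd):
        c = cmd[i]
        if c == "\\" and quote != "'":
            i += 1                       # skip the escaped character
        elif quote or c in "'\"":
            quote = None if c == quote else (quote or c)
        elif c == "|" and cmd[i + 1:i + 2] == "|":
            i += 1                       # '||' is a logical OR, not a pipe
        elif c == "|":
            return True
        i += 1
    return False

def unsafe_pipe_lines(dockerfile):
    """Line numbers of shell-form RUN pipes with no pipefail SHELL in effect."""
    pipefail, found = False, []
    for no, instr in instructions(dockerfile):
        keyword, rest = (instr.split(None, 1) + [""])[:2]
        keyword = keyword.upper()
        if keyword == "FROM":
            pipefail = False             # assumption: a new stage uses the default shell
        elif keyword == "SHELL":
            pipefail = '"pipefail"' in rest   # JSON-array form, as in the correct example
        elif keyword == "RUN" and not rest.startswith("[") and not pipefail and has_pipe(rest):
            found.append(no)
    return found

SAMPLE = """FROM debian
RUN wget -O - https://some.site | wc -l > /number
RUN test -f /number || echo 'a|b' > /number
SHELL ["/bin/bash", "-o", "pipefail", "-c"]
RUN wget -O - https://some.site \\
    | wc -l > /number
"""  # constructed Dockerfile for the demo
```

Calling unsafe_pipe_lines(SAMPLE) reports only line 2. A RUN that relies on an inline set -o pipefail && without a SHELL instruction is still reported, in line with the recommendation above.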