mcp-server-semgrep/semgrep-rules/generic/dockerfile/correctness/multiple-cmd-instructions.yaml

MCP Server for Semgrep Integration - static code analysis with AI

rules:
- id: multiple-cmd-instructions
  patterns:
  - pattern-either:
    - pattern: |
        CMD ...
        ...
        CMD ...
    - pattern: |
        CMD [...]
        ...
        CMD [...]
    - pattern: |
        CMD [...]
        ...
        CMD ...
    - pattern: |
        CMD ...
        ...
        CMD [...]
  - pattern-not-inside: |
      CMD ...
      ...
      FROM $IMAGE
      ...
      CMD ...
  - pattern-not: |
      HEALTHCHECK $CMD
      ...
      CMD ...
  - pattern-not: |
      HEALTHCHECK $CMD
      ...
      CMD [...]
  - pattern-not: |
      CMD ...
      ...
      HEALTHCHECK $CMD
  - pattern-not: |
      CMD [...]
      ...
      HEALTHCHECK $CMD
  message: Multiple CMD instructions were found. Only the last one will take effect.
  languages: [dockerfile]
  severity: ERROR
  metadata:
    source-rule-url: https://github.com/hadolint/hadolint/wiki/DL4003
    references:
    - https://github.com/hadolint/hadolint/wiki/DL4003
    - https://kapeli.com/cheat_sheets/Dockerfile.docset/Contents/Resources/Documents/index#//dash_ref_Instructions/Entry/CMD/0
    category: correctness
    technology:
    - dockerfile