WORKDIR path is not absolute

ID

no_absolute_workdir

Severity

low

Family

Container Security

Tags

dockerfile, reachable

Description

For clarity and reliability, you should always use absolute paths for your WORKDIR.

To avoid unintended operations in unknown directories, it’s best practice to set your WORKDIR explicitly. If a relative path is provided for WORKDIR, it will be relative to the path of the previous WORKDIR instruction. The default workdir is / when not given, but base images may change it.

For better controlling the working directory for the following instructions in the dockerfile, it is better to provide an absolute path explicitly to not depend on the base image.

Reference: Docker recommendations on WORKDIR.

Security

N/A

Examples

# The current workdir could be /,
# but may be set in the base image
WORKDIR app

Mitigation / Fix

Use absolute paths for your WORKDIR:

# Fixed, absolute path to directory
WORKDIR /app