2.0.12 Added a new inspection:

Dmitry Protsenko · Dmitry Protsenko · commit 4afba2fd1b79 · 2025-09-14T16:48:08.000+04:00
- Docker Inspection: [Using pip installation without --no-cache-dir](https://protsenko.dev/infrastructure-security/using-pip-install-without-no-cache-dir/)
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,11 @@
 
 # Cloud (IaC) Security Changelog
 
+## [2.0.12] 14-09-2025
+
+### Added
+- Docker Inspection: [Using pip installation without --no-cache-dir](https://protsenko.dev/infrastructure-security/using-pip-install-without-no-cache-dir/)
+
 ## [2.0.11] 30-08-2025
 
 ### Added
diff --git a/src/main/kotlin/dev/protsenko/securityLinter/docker/checker/PipNoCacheDirValidator.kt b/src/main/kotlin/dev/protsenko/securityLinter/docker/checker/PipNoCacheDirValidator.kt
@@ -0,0 +1,28 @@
+package dev.protsenko.securityLinter.docker.checker
+
+import dev.protsenko.securityLinter.docker.checker.core.RunCommandValidator
+
+object PipNoCacheDirValidator : RunCommandValidator {
+    /**
+     * Regular expression to detect pip install commands that lack the --no-cache-dir option.
+     * Pattern explanation:
+     * - ^RUN\s+ : Command must start with 'RUN' followed by one or more whitespace characters
+     * - (?=.*pip\s+install) : Positive lookahead to ensure 'pip install' is present somewhere
+     * - (?!.*--no-cache-dir) : Negative lookahead to ensure '--no-cache-dir' is NOT present anywhere
+     * - .* : Match any remaining characters including newlines and special symbols
+     * - $ : End of string anchor
+     */
+    private val regex =
+        Regex(
+            "^RUN\\s+(?=.*pip\\s+install)(?!.*--no-cache-dir).*$",
+            RegexOption.DOT_MATCHES_ALL,
+        )
+
+    /**
+     * Validates if a Docker RUN command follows security best practices for pip install.
+     *
+     * @param command The Docker command string to validate
+     * @return false if pip install is used without --no-cache-dir (security violation), true otherwise
+     */
+    override fun isValid(command: String): Boolean = !regex.matches(command)
+}
diff --git a/src/main/kotlin/dev/protsenko/securityLinter/docker/checker/core/RunCommandValidator.kt b/src/main/kotlin/dev/protsenko/securityLinter/docker/checker/core/RunCommandValidator.kt
@@ -5,6 +5,7 @@ interface RunCommandValidator {
      * Every command must start with RUN and contain a shell script (Linux commands).
      * Before implementing, please follow these guidelines:
      * - The name of the implemented object should end with "Validator".
+     * - The validator is singleton and should use Kotlin object (not class).
      * - Your validator logic should not create additional objects (e.g., lists).
      * - Your validator must handle new lines and special symbols (e.g., &&).
      * - Use only one regular expression to check the command.
diff --git a/src/main/kotlin/dev/protsenko/securityLinter/docker/inspection/run/RunCommandInspection.kt b/src/main/kotlin/dev/protsenko/securityLinter/docker/inspection/run/RunCommandInspection.kt
@@ -0,0 +1,57 @@
+// package dev.protsenko.securityLinter.docker.inspection.run
+//
+// import com.intellij.codeInspection.LocalInspectionTool
+// import com.intellij.codeInspection.ProblemHighlightType
+// import com.intellij.codeInspection.ProblemsHolder
+// import com.intellij.docker.dockerFile.parser.psi.DockerFileRunCommand
+// import com.intellij.docker.dockerFile.parser.psi.DockerFileVisitor
+// import com.intellij.openapi.extensions.ExtensionPointName
+// import com.intellij.psi.PsiElement
+// import com.intellij.psi.PsiElementVisitor
+// import dev.protsenko.securityLinter.core.SecurityPluginBundle
+// import dev.protsenko.securityLinter.docker.inspection.run.core.DockerfileRunAnalyzer
+//
+// const val MALICIOUS_RM_RF_COMMAND = "rm -rf /"
+//
+// interface DockerfileRunAnalyzer {
+//    fun handle(
+//        runCommand: String,
+//        psiElement: PsiElement,
+//        holder: ProblemsHolder,
+//    )
+// }
+//
+// class RmRfAnalyzer : DockerfileRunAnalyzer {
+//    override fun handle(
+//        runCommand: String,
+//        psiElement: PsiElement,
+//        holder: ProblemsHolder,
+//    ) {
+//        if (runCommand.contains(MALICIOUS_RM_RF_COMMAND)) {
+//            holder.registerProblem(
+//                psiElement,
+//                SecurityPluginBundle.message("inspection.text"),
+//                ProblemHighlightType.ERROR,
+//            )
+//        }
+//    }
+// }
+//
+// class RunCommandInspection : LocalInspectionTool() {
+//    override fun buildVisitor(
+//        holder: ProblemsHolder,
+//        isOnTheFly: Boolean,
+//    ): PsiElementVisitor =
+//        object : DockerFileVisitor() {
+//            override fun visitRunCommand(o: DockerFileRunCommand) {
+//                val extensionPointName =
+//                    ExtensionPointName.create<DockerfileRunAnalyzer>("dev.protsenko.security-linter.dockerFileRunAnalyzer")
+//
+//                val runCommand = o.text
+//
+//                for (extension in extensionPointName.extensions) {
+//                    extension.handle(runCommand, o, holder)
+//                }
+//            }
+//        }
+// }
diff --git a/src/main/kotlin/dev/protsenko/securityLinter/docker/inspection/run/impl/PipNoCacheDirAnalyzer.kt b/src/main/kotlin/dev/protsenko/securityLinter/docker/inspection/run/impl/PipNoCacheDirAnalyzer.kt
@@ -0,0 +1,29 @@
+package dev.protsenko.securityLinter.docker.inspection.run.impl
+
+import com.intellij.codeInspection.ProblemHighlightType
+import com.intellij.codeInspection.ProblemsHolder
+import com.intellij.psi.PsiElement
+import dev.protsenko.securityLinter.core.HtmlProblemDescriptor
+import dev.protsenko.securityLinter.core.SecurityPluginBundle
+import dev.protsenko.securityLinter.docker.checker.PipNoCacheDirValidator
+import dev.protsenko.securityLinter.docker.inspection.run.core.DockerfileRunAnalyzer
+
+class PipNoCacheDirAnalyzer : DockerfileRunAnalyzer {
+    override fun handle(
+        runCommand: String,
+        psiElement: PsiElement,
+        holder: ProblemsHolder,
+    ) {
+        if (!PipNoCacheDirValidator.isValid(runCommand)) {
+            val descriptor =
+                HtmlProblemDescriptor(
+                    psiElement,
+                    SecurityPluginBundle.message("dfs031.documentation"),
+                    SecurityPluginBundle.message("dfs031.problem-text"),
+                    ProblemHighlightType.WARNING,
+                )
+
+            holder.registerProblem(descriptor)
+        }
+    }
+}
diff --git a/src/main/resources/META-INF/plugin.xml b/src/main/resources/META-INF/plugin.xml
@@ -97,6 +97,7 @@
         <dockerFileRunAnalyzer implementation="dev.protsenko.securityLinter.docker.inspection.run.impl.AptIsUsedAnalyzer"/>
         <dockerFileRunAnalyzer implementation="dev.protsenko.securityLinter.docker.inspection.run.impl.UserAddAnalyzer"/>
         <dockerFileRunAnalyzer implementation="dev.protsenko.securityLinter.docker.inspection.run.impl.ApkNoCacheValidatorAnalyzer"/>
+        <dockerFileRunAnalyzer implementation="dev.protsenko.securityLinter.docker.inspection.run.impl.PipNoCacheDirAnalyzer"/>
 
         <dockerFileExposeAnalyzer implementation="dev.protsenko.securityLinter.docker.inspection.expose.impl.SshPortExposedAnalyzer"/>
         <dockerFileExposeAnalyzer implementation="dev.protsenko.securityLinter.docker.inspection.expose.impl.ExposedPortOutOfRangeAnalyzer"/>
diff --git a/src/main/resources/messages/SecurityPluginBundle.properties b/src/main/resources/messages/SecurityPluginBundle.properties
@@ -112,6 +112,9 @@ dfs029.useradd-missing-l-flag-high-uid='useradd' without the '-l' flag and a hig
 ### dfs030
 dfs030.documentation=simplify-your-apk-cache-clean-strategy
 dfs030.problem-text=Alpine package installation without --no-cache, consider using it to reduce image size.
+### dfs031
+dfs031.documentation=using-pip-install-without-no-cache-dir
+dfs031.problem-text=The pip package installations without --no-cache-dir, consider using it to reduce image size.
 
 ### dcs001 [only docker-compose]
 ds033.using-privileged=Using privileged: true grants full root access to the host, bypassing isolation mechanisms.
diff --git a/src/test/kotlin/dev/protsenko/securityLinter/docker/DFS031PipNoCacheDirTest.kt b/src/test/kotlin/dev/protsenko/securityLinter/docker/DFS031PipNoCacheDirTest.kt
@@ -0,0 +1,11 @@
+package dev.protsenko.securityLinter.docker
+
+import com.intellij.codeInspection.LocalInspectionTool
+import dev.protsenko.securityLinter.core.DockerHighlightingBaseTest
+import dev.protsenko.securityLinter.docker.inspection.run.DockerfileRunInspection
+
+class DFS031PipNoCacheDirTest(
+    override val ruleFolderName: String = "DFS031",
+    override val customFiles: Set<String> = emptySet(),
+    override val targetInspection: LocalInspectionTool = DockerfileRunInspection(),
+) : DockerHighlightingBaseTest()
diff --git a/src/test/kotlin/dev/protsenko/securityLinter/utils/PipNoCacheDirValidatorTest.kt b/src/test/kotlin/dev/protsenko/securityLinter/utils/PipNoCacheDirValidatorTest.kt
@@ -0,0 +1,43 @@
+package dev.protsenko.securityLinter.utils
+
+import dev.protsenko.securityLinter.docker.checker.PipNoCacheDirValidator
+import junit.framework.TestCase
+
+class PipNoCacheDirValidatorTest : TestCase() {
+    fun testValidCommands() {
+        // Commands with --no-cache-dir (secure)
+        assertTrue(PipNoCacheDirValidator.isValid("RUN pip install --no-cache-dir package"))
+        assertTrue(PipNoCacheDirValidator.isValid("RUN pip install package --no-cache-dir"))
+        assertTrue(PipNoCacheDirValidator.isValid("RUN pip install --no-cache-dir package==1.2.3"))
+        assertTrue(PipNoCacheDirValidator.isValid("RUN pip install --upgrade --no-cache-dir package"))
+        assertTrue(PipNoCacheDirValidator.isValid("RUN pip install --no-cache-dir package && echo 'done'"))
+
+        // Non-pip install commands (not applicable)
+        assertTrue(PipNoCacheDirValidator.isValid("RUN apt-get update"))
+        assertTrue(PipNoCacheDirValidator.isValid("RUN echo 'hello world'"))
+        assertTrue(PipNoCacheDirValidator.isValid("RUN npm install package"))
+    }
+
+    fun testInvalidCommands() {
+        // pip install without --no-cache-dir (security violations)
+        assertFalse(PipNoCacheDirValidator.isValid("RUN pip install package"))
+        assertFalse(PipNoCacheDirValidator.isValid("RUN pip install package==1.2.3"))
+        assertFalse(PipNoCacheDirValidator.isValid("RUN pip install --upgrade package"))
+        assertFalse(PipNoCacheDirValidator.isValid("RUN pip install package && echo 'done'"))
+        assertFalse(PipNoCacheDirValidator.isValid("RUN pip install -r requirements.txt"))
+
+        // Multi-line commands
+        assertFalse(PipNoCacheDirValidator.isValid("RUN pip install \\\n    package \\\n    another-package"))
+    }
+
+    fun testEdgeCases() {
+        // Commands that don't start with RUN
+        assertTrue(PipNoCacheDirValidator.isValid("pip install package"))
+        assertTrue(PipNoCacheDirValidator.isValid("COPY . ."))
+
+        // Empty or malformed commands
+        assertTrue(PipNoCacheDirValidator.isValid(""))
+        assertTrue(PipNoCacheDirValidator.isValid("RUN"))
+        assertTrue(PipNoCacheDirValidator.isValid("RUN "))
+    }
+}
diff --git a/src/test/testData/docker/DFS031/Dockerfile.allowed b/src/test/testData/docker/DFS031/Dockerfile.allowed
@@ -0,0 +1,2 @@
+FROM alpine:3.13
+RUN pip install --no-cache-dir package
diff --git a/src/test/testData/docker/DFS031/Dockerfile.denied b/src/test/testData/docker/DFS031/Dockerfile.denied
@@ -0,0 +1,2 @@
+FROM alpine:3.13
+<warning descr="The pip package installations without --no-cache-dir, consider using it to reduce image size.">RUN pip install package</warning>
diff --git a/src/test/testData/docker/DS009/Dockerfile.allowed b/src/test/testData/docker/DS009/Dockerfile.allowed
@@ -1,3 +1,3 @@
 FROM alpine:3.13
-RUN  pip install --upgrade pip
+RUN  pip install --no-cache-dir --upgrade pip
 USER mike
diff --git a/src/test/testData/docker/DS034/Dockerfile-user-command-between.allowed b/src/test/testData/docker/DS034/Dockerfile-user-command-between.allowed
@@ -1,4 +1,4 @@
 FROM alpine:3.13
-RUN pip install --upgrade pip
+RUN pip install --no-cache-dir --upgrade pip
 USER mike
-RUN pip install --upgrade pip
+RUN pip install --no-cache-dir --upgrade pip
diff --git a/src/test/testData/docker/DS034/Dockerfile.allowed b/src/test/testData/docker/DS034/Dockerfile.allowed
@@ -1,3 +1,3 @@
 FROM alpine:3.13
-RUN pip install --upgrade pip
+RUN pip install --no-cache-dir --upgrade pip
 USER mike
diff --git a/src/test/testData/docker/DS034/Dockerfile.denied b/src/test/testData/docker/DS034/Dockerfile.denied
@@ -1,4 +1,4 @@
 FROM alpine:3.13
-<warning descr="Multiple consecutive 'RUN' instructions. Consider consolidation.">RUN pip install --upgrade pip</warning>
-<warning descr="Multiple consecutive 'RUN' instructions. Consider consolidation.">RUN pip install --upgrade pip</warning>
+<warning descr="Multiple consecutive 'RUN' instructions. Consider consolidation.">RUN pip install --no-cache-dir --upgrade pip</warning>
+<warning descr="Multiple consecutive 'RUN' instructions. Consider consolidation.">RUN pip install --no-cache-dir --upgrade pip</warning>
 USER mike

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+FROM alpine:3.13`
	`2`	`+RUN pip install --no-cache-dir package`