2.0.11 Added a new inspection:

- Use apk add with --no-cache

Author: Dmitry Protsenko

CHANGELOG.md

@@ -2,6 +2,13 @@
 
 # Cloud (IaC) Security Changelog
 
+## [2.0.11] 30-08-2025
+
+### Added
+- Docker Inspection: [Use apk add with --no-cache](https://protsenko.dev/infrastructure-security/simplify-your-apk-cache-clean-strategy/)
+
+Read more about every implemented [Docker Best Practices](https://protsenko.dev/docker-best-practices-to-secure-and-optimize-your-containers/) in the plugin.
+
 ## [2.0.10] 23-08-2025
 
 ### Changed

gradle.properties

@@ -1,7 +1,7 @@
 pluginGroup = dev.protsenko.securityLinter
 pluginName = Cloud (IaC) Security
 pluginRepositoryUrl = https://github.com/NordCoderd/cloud-security-plugin
-pluginVersion = 2.0.10
+pluginVersion = 2.0.11
 
 # Supported build number ranges and IntelliJ Platform versions -> https://plugins.jetbrains.com/docs/intellij/build-number-ranges.html
 pluginSinceBuild = 231

src/main/kotlin/dev/protsenko/securityLinter/docker/checker/ApkNoCacheValidator.kt

@@ -0,0 +1,13 @@
+package dev.protsenko.securityLinter.docker.checker
+
+import dev.protsenko.securityLinter.docker.checker.core.RunCommandValidator
+
+object ApkNoCacheValidator : RunCommandValidator {
+    private val VALID_COMMAND_PATTERN =
+        Regex(
+            "^\\s*RUN(?:(?!.*apk add)|(?=.*--no-cache))(?!.*apk update)(?!.*rm\\s+.*?/var/cache/apk/\\*).*$",
+            RegexOption.DOT_MATCHES_ALL,
+        )
+
+    override fun isValid(command: String): Boolean = VALID_COMMAND_PATTERN.matches(command)
+}

src/main/kotlin/dev/protsenko/securityLinter/docker/inspection/run/impl/ApkNoCacheValidatorAnalyzer.kt

@@ -0,0 +1,29 @@
+package dev.protsenko.securityLinter.docker.inspection.run.impl
+
+import com.intellij.codeInspection.ProblemHighlightType
+import com.intellij.codeInspection.ProblemsHolder
+import com.intellij.psi.PsiElement
+import dev.protsenko.securityLinter.core.HtmlProblemDescriptor
+import dev.protsenko.securityLinter.core.SecurityPluginBundle
+import dev.protsenko.securityLinter.docker.checker.ApkNoCacheValidator
+import dev.protsenko.securityLinter.docker.inspection.run.core.DockerfileRunAnalyzer
+
+class ApkNoCacheValidatorAnalyzer : DockerfileRunAnalyzer {
+    override fun handle(
+        runCommand: String,
+        psiElement: PsiElement,
+        holder: ProblemsHolder,
+    ) {
+        if (!ApkNoCacheValidator.isValid(runCommand)) {
+            val descriptor =
+                HtmlProblemDescriptor(
+                    psiElement,
+                    SecurityPluginBundle.message("dfs030.documentation"),
+                    SecurityPluginBundle.message("dfs030.problem-text"),
+                    ProblemHighlightType.WARNING,
+                )
+
+            holder.registerProblem(descriptor)
+        }
+    }
+}

src/main/resources/META-INF/plugin.xml

@@ -96,6 +96,7 @@
         <dockerFileRunAnalyzer implementation="dev.protsenko.securityLinter.docker.inspection.run.impl.ZypperInstallWithoutCleanAnalyzer"/>
         <dockerFileRunAnalyzer implementation="dev.protsenko.securityLinter.docker.inspection.run.impl.AptIsUsedAnalyzer"/>
         <dockerFileRunAnalyzer implementation="dev.protsenko.securityLinter.docker.inspection.run.impl.UserAddAnalyzer"/>
+        <dockerFileRunAnalyzer implementation="dev.protsenko.securityLinter.docker.inspection.run.impl.ApkNoCacheValidatorAnalyzer"/>
 
         <dockerFileExposeAnalyzer implementation="dev.protsenko.securityLinter.docker.inspection.expose.impl.SshPortExposedAnalyzer"/>
         <dockerFileExposeAnalyzer implementation="dev.protsenko.securityLinter.docker.inspection.expose.impl.ExposedPortOutOfRangeAnalyzer"/>

src/main/resources/messages/SecurityPluginBundle.properties

@@ -109,6 +109,9 @@ dfs028.multiple-consecutive-run-commands=Multiple consecutive 'RUN' instructions
 ### ds035 -> dfs029
 dfs029.documentation=useradd-missing-l-flag-high-uid
 dfs029.useradd-missing-l-flag-high-uid='useradd' without the '-l' flag and a high UID may lead to an excessively large image.
+### dfs030
+dfs030.documentation=simplify-your-apk-cache-clean-strategy
+dfs030.problem-text=Alpine package installation without --no-cache, consider using it to reduce image size.
 
 ### dcs001 [only docker-compose]
 ds033.using-privileged=Using privileged: true grants full root access to the host, bypassing isolation mechanisms.

src/test/kotlin/dev/protsenko/securityLinter/docker/DFS030ApkNoCacheTest.kt

@@ -0,0 +1,11 @@
+package dev.protsenko.securityLinter.docker
+
+import com.intellij.codeInspection.LocalInspectionTool
+import dev.protsenko.securityLinter.core.DockerHighlightingBaseTest
+import dev.protsenko.securityLinter.docker.inspection.run.DockerfileRunInspection
+
+class DFS030ApkNoCacheTest(
+    override val ruleFolderName: String = "DFS030",
+    override val customFiles: Set<String> = emptySet(),
+    override val targetInspection: LocalInspectionTool = DockerfileRunInspection(),
+) : DockerHighlightingBaseTest()

src/test/kotlin/dev/protsenko/securityLinter/utils/ApkNoCacheValidatorTest.kt

@@ -0,0 +1,37 @@
+package dev.protsenko.securityLinter.utils
+
+import dev.protsenko.securityLinter.docker.checker.ApkNoCacheValidator
+import junit.framework.TestCase
+
+class ApkNoCacheApkNoCacheValidatorTest : TestCase() {
+    fun testValidCommands() {
+        assertTrue(ApkNoCacheValidator.isValid("RUN echo 'Hello World'"))
+        assertTrue(ApkNoCacheValidator.isValid("RUN apk add --no-cache git"))
+        assertTrue(ApkNoCacheValidator.isValid("RUN apk --no-cache add git"))
+        val multiLineValid =
+            """
+            RUN apk add --no-cache --virtual .build-deps gcc musl-dev && \
+                ./configure && \
+                make && make install
+            """.trimIndent()
+        assertTrue(ApkNoCacheValidator.isValid(multiLineValid))
+        assertTrue(ApkNoCacheValidator.isValid("RUN ./autoupdate-script.sh"))
+        assertTrue(ApkNoCacheValidator.isValid(" RUN apk add --no-cache git"))
+    }
+
+    fun testInvalidCommands() {
+        assertFalse(ApkNoCacheValidator.isValid("RUN apk add git"))
+        assertFalse(ApkNoCacheValidator.isValid("RUN apk update && apk add git"))
+        assertFalse(ApkNoCacheValidator.isValid("RUN apk update"))
+        assertFalse(ApkNoCacheValidator.isValid("RUN apk add git && rm -rf /var/cache/apk/*"))
+        assertFalse(ApkNoCacheValidator.isValid("RUN apk add git && rm   -rf   /var/cache/apk/*"))
+        val multiLineInvalid =
+            """
+            RUN apk add gcc musl-dev && \
+                ./configure
+            """.trimIndent()
+        assertFalse(ApkNoCacheValidator.isValid(multiLineInvalid))
+        assertFalse(ApkNoCacheValidator.isValid("apk add --no-cache git"))
+        assertFalse(ApkNoCacheValidator.isValid(""))
+    }
+}

src/test/testData/docker/DFS030/Dockerfile.allowed

@@ -0,0 +1,2 @@
+FROM alpine:3.13
+RUN apk add --no-cache git

src/test/testData/docker/DFS030/Dockerfile.denied

@@ -0,0 +1,3 @@
+FROM alpine:3.13
+<warning descr="Alpine package installation without --no-cache, consider using it to reduce image size."><warning descr="Multiple consecutive 'RUN' instructions. Consider consolidation.">RUN apk add git</warning></warning>
+<warning descr="Alpine package installation without --no-cache, consider using it to reduce image size."><warning descr="Multiple consecutive 'RUN' instructions. Consider consolidation.">RUN apk add git && rm -rf /var/cache/apk/*</warning></warning>