False Positive - DS0017 - Update should always be followed by install - Heredoc problem?

[mastacheata]

IDs

AVD-DS-0017

Description

I get a false-positive for AVD-DS0017 The instruction 'RUN <package-manager> update' should always be followed by '<package-manager> install' in the same RUN statement.

The Dockerfile in question has both of these commands within the same RUN block, but the individual commands are separated only by newlines within a heredoc block. If I add a ; or && in between the commands the scanner properly identifies the commands and doesn't report the issue.
It appears there is a problem with how multiple commands inside a heredoc block are counted.

Reproduction Steps

1. Create a Dockefile with Heredoc RUN command that updates and installs packages (example at the end)
2. Run the trivy misconfig scanner against the Dockerfile
3. The Scanner will show at least 1 False-Positive HIGH-Level Misconfiguration Issue AVD-DS-0017
4. The Scanner will also show two more Misconfiguration Issues that are to be expected for the minimal example, but will be ignored for keeping the example focused on the actual issue.

Minimal Dockerfile:

FROM debian:trixie

RUN <<EOF
apt-get update
apt-get install --no-install-recommends -y gettext
EOF

Minimal no-False-Positive-Dockefile:

FROM debian:trixie

RUN <<EOF
apt-get update;
apt-get install --no-install-recommends -y gettext
EOF

Target

Container Image

Scanner

Misconfiguration

Target OS

No response

Debug Output

$ trivy fs --scanners misconfig .\Dockerfile --debug
2025-08-12T15:23:38+02:00       DEBUG   Default config file "file_path=trivy.yaml" not found, using built in values
2025-08-12T15:23:38+02:00       DEBUG   Cache dir       dir="C:\\Users\\BenediktBauer\\AppData\\Local\\trivy"
2025-08-12T15:23:38+02:00       DEBUG   Cache dir       dir="C:\\Users\\BenediktBauer\\AppData\\Local\\trivy"
2025-08-12T15:23:38+02:00       DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-08-12T15:23:38+02:00       DEBUG   Ignore statuses statuses=[]
2025-08-12T15:23:38+02:00       INFO    [misconfig] Misconfiguration scanning is enabled
2025-08-12T15:23:38+02:00       DEBUG   [notification] Running version check
2025-08-12T15:23:38+02:00       DEBUG   [misconfig] Checks successfully loaded from disk
2025-08-12T15:23:38+02:00       DEBUG   [notification] Version check completed  latest_version="0.65.0"
2025-08-12T15:23:38+02:00       DEBUG   [rego] Overriding filesystem for checks
2025-08-12T15:23:38+02:00       DEBUG   [rego] Embedded libraries are loaded    count=17
2025-08-12T15:23:38+02:00       DEBUG   [rego] Embedded checks are loaded       count=519
2025-08-12T15:23:38+02:00       DEBUG   [rego] Checks from disk are loaded      count=536
2025-08-12T15:23:38+02:00       DEBUG   [rego] Overriding filesystem for data
2025-08-12T15:23:39+02:00       DEBUG   Enabling misconfiguration scanners      scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2025-08-12T15:23:39+02:00       DEBUG   Initializing scan cache...      type="memory"
2025-08-12T15:23:39+02:00       DEBUG   [fs] Analyzing...       root="Dockerfile"
2025-08-12T15:23:39+02:00       DEBUG   Created process-specific temp directory path="C:\\Users\\BENEDI~1\\AppData\\Local\\Temp\\trivy-124820"
2025-08-12T15:23:39+02:00       DEBUG   [misconfig] Scanning files for misconfigurations...     scanner="Dockerfile"
2025-08-12T15:23:39+02:00       DEBUG   [dockerfile scanner] Scanning files...  count=1
2025-08-12T15:23:39+02:00       DEBUG   [rego] Scanning inputs  count=1
2025-08-12T15:23:39+02:00       DEBUG   OS is not detected.
2025-08-12T15:23:39+02:00       INFO    Detected config files   num=1
2025-08-12T15:23:39+02:00       DEBUG   Scanned config file     file_path="Dockerfile"
2025-08-12T15:23:39+02:00       DEBUG   Specified ignore file does not exist    file=".trivyignore"
2025-08-12T15:23:39+02:00       DEBUG   [vex] VEX filtering is disabled

Report Summary

┌────────────┬────────────┬───────────────────┐
│   Target   │    Type    │ Misconfigurations │
├────────────┼────────────┼───────────────────┤
│ Dockerfile │ dockerfile │         3         │
└────────────┴────────────┴───────────────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


Dockerfile (dockerfile)
=======================
Tests: 27 (SUCCESSES: 24, FAILURES: 3)
Failures: 3 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 2, CRITICAL: 0)

AVD-DS-0002 (HIGH): Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────


AVD-DS-0017 (HIGH): The instruction 'RUN <package-manager> update' should always be followed by '<package-manager> install' in the same RUN statement.
════════════════════════════════════════
The instruction 'RUN <package-manager> update' should always be followed by '<package-manager> install' in the same RUN statement.

See https://avd.aquasec.com/misconfig/ds017
────────────────────────────────────────
 Dockerfile:4-7
────────────────────────────────────────
   4 ┌ RUN <<EOF
   5 │ apt-get update
   6 │ apt-get install --no-install-recommends -y gettext
   7 └ EOF
────────────────────────────────────────


AVD-DS-0026 (LOW): Add HEALTHCHECK instruction in your Dockerfile
════════════════════════════════════════
You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.

See https://avd.aquasec.com/misconfig/ds026
────────────────────────────────────────


2025-08-12T15:23:39+02:00       DEBUG   Cleaning up temp directory      path="C:\\Users\\BENEDI~1\\AppData\\Local\\Temp\\trivy-124820"

Version

$ trivy --version
Version: 0.65.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2025-07-30 18:26:27.604804272 +0000 UTC
  NextUpdate: 2025-07-31 18:26:27.604803902 +0000 UTC
  DownloadedAt: 2025-07-30 20:58:43.2357085 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2025-07-30 00:56:06.142969763 +0000 UTC
  NextUpdate: 2025-08-02 00:56:06.142969412 +0000 UTC
  DownloadedAt: 2025-07-30 21:00:11.2970819 +0000 UTC
Check Bundle:
  Digest: sha256:a471e90b7c7335e914ec9075b74cf8f65e4c91e6cecfa7e39c587382808d2684
  DownloadedAt: 2025-08-12 12:59:32.2781014 +0000 UTC

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[simar7]

@nikpivkin can you take a look?

[nikpivkin]

Track #9340