DL3040 - dnf clean all missing after dnf command

Purpose

Prevent leftover dnf or microdnf metadata from inflating image size.

Scope

Applies to any RUN instruction invoking dnf or microdnf.

Rule Statement (normative)

Emit DL3040 when a RUN instruction performs a modifying dnf/microdnf operation and does not clean the package cache in the same instruction.

Message: dnf clean all missing after dnf command.

Rationale

Package managers leave metadata in /var/cache/dnf after install or update operations. Removing it within the same RUN instruction keeps layers small and reproducible; a cleanup in a later instruction does not shrink the layer that already captured the cache.

Detection Logic (high-level)

  1. Split each RUN command into segments.
  2. Track the last modifying dnf/microdnf segment (install, upgrade, update, groupinstall, groupupdate, distrosync, autoremove, remove).
  3. Track cleanup segments that follow (dnf clean all, microdnf clean all, rm -rf /var/cache/dnf, or find /var/cache/dnf -delete).
  4. Report DL3040 when the last cleanup occurs before the last modifying operation or is absent.
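The four steps above as a runnable reference check. This is an added example, not the project's own linter code; it assumes a RUN command is split on the shell operators &&, ||, ; and | (quoted operators are not special-cased), that exec-form RUN instructions are a single segment, and that an rm with a recursive flag or a find with -delete targeting /var/cache/dnf (or a path beneath it) counts as cleanup. The sample Dockerfile is constructed for illustration.

```python
import json
import re
import shlex

MANAGERS = {"dnf", "microdnf"}
MODIFYING = {"install", "upgrade", "update", "groupinstall", "groupupdate",
             "distrosync", "autoremove", "remove"}
CACHE_DIR = "/var/cache/dnf"
MESSAGE = "dnf clean all missing after dnf command"

# Shell control operators that separate one command from the next in a RUN line
# (assumption: operators inside quotes are not distinguished).
_SEPARATORS = re.compile(r"\s*(?:&&|\|\||;|\|)\s*")


def split_segments(command):
    """Step 1: split a RUN command into tokenised segments.

    Exec form (RUN ["dnf", "install", ...]) runs without a shell, so it is one
    segment. Shell form is split on &&, ||, ; and | after joining
    backslash-newline continuations.
    """
    command = command.strip()
    if command.startswith("["):
        return [json.loads(command)]
    command = command.replace("\\\n", " ")
    return [shlex.split(p) for p in _SEPARATORS.split(command) if p.strip()]


def _subcommand(tokens):
    """First non-option word after the package-manager name, e.g. 'install'."""
    for tok in tokens[1:]:
        if not tok.startswith("-"):
            return tok
    return None


def is_modifying(tokens):
    """Step 2: dnf/microdnf invocation that changes the installed package set."""
    return bool(tokens) and tokens[0] in MANAGERS and _subcommand(tokens) in MODIFYING


def is_cleanup(tokens):
    """Step 3: one of the accepted cache-cleanup forms."""
    if not tokens:
        return False
    if tokens[0] in MANAGERS:
        return _subcommand(tokens) == "clean" and "all" in tokens
    # Assumption: the cache dir itself or any path under it is an acceptable target.
    targets_cache = any(t == CACHE_DIR or t.startswith(CACHE_DIR + "/") for t in tokens)
    if tokens[0] == "rm":
        recursive = any(t.startswith("-") and "r" in t.lower() for t in tokens)
        return recursive and targets_cache
    if tokens[0] == "find":
        return targets_cache and "-delete" in tokens
    return False


def check_run(command):
    """Step 4: DL3040 message if the last cleanup is absent or precedes the last modifying op."""
    last_modify = last_cleanup = None
    for idx, tokens in enumerate(split_segments(command)):
        if is_modifying(tokens):
            last_modify = idx
        elif is_cleanup(tokens):
            last_cleanup = idx
    if last_modify is None:
        return None
    if last_cleanup is None or last_cleanup < last_modify:
        return MESSAGE
    return None


def lint_dockerfile(text):
    """Return (line_number, message) for each RUN instruction that violates DL3040."""
    findings = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        start = i
        logical = lines[i]
        # Join backslash continuations into one logical instruction.
        while logical.rstrip().endswith("\\") and i + 1 < len(lines):
            i += 1
            logical = logical.rstrip()[:-1] + " " + lines[i]
        i += 1
        m = re.match(r"\s*RUN\s+(.*)", logical, re.IGNORECASE | re.DOTALL)
        if m:
            msg = check_run(m.group(1))
            if msg:
                findings.append((start + 1, msg))
    return findings


# Constructed sample: lines 2, 5 and 9 should be reported.
SAMPLE_DOCKERFILE = """\
FROM registry.example/base:latest
RUN dnf install -y jq
RUN dnf install -y jq && dnf clean all
RUN microdnf install -y jq && rm -rf /var/cache/dnf
RUN dnf clean all && dnf install -y curl
RUN dnf install -y \\
    curl \\
    && find /var/cache/dnf -delete
RUN ["dnf", "install", "-y", "jq"]
"""

if __name__ == "__main__":
    for line_no, msg in lint_dockerfile(SAMPLE_DOCKERFILE):
        print(f"{line_no}: DL3040 {msg}")
```

Line 5 of the sample is the case step 4 exists for: a cleanup that runs before the install leaves the cache in the layer, so it is reported even though "dnf clean all" appears in the instruction.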

Severity

info

Examples

Non-compliant

Dockerfile:

    RUN dnf install -y jq

Compliant

Dockerfile:

    RUN dnf install -y jq && dnf clean all

Compliant (rm cleanup)

Dockerfile:

    RUN microdnf install -y jq && rm -rf /var/cache/dnf

(c) 2025 Asymmetric Effort, LLC. scaldwell@asymmetric-effort.com