DL4006 - Set the SHELL option -o pipefail before RUN with a pipe in it

Description

Set the SHELL option -o pipefail before a RUN instruction containing a pipe. Without pipefail, errors in piped commands might be masked. If you are using /bin/sh in an alpine image or if your shell is symlinked to busybox then consider explicitly setting your SHELL to /bin/ash, or disable this check.

Goals

Specification

  1. Maintain a pipefail flag per stage, resetting it on each FROM instruction.
  2. When a SHELL instruction is encountered:
     - If the shell is pwsh, powershell, or cmd, set pipefail to true (no requirement).
     - Otherwise set pipefail to true only if the shell name is one of /bin/bash, /bin/zsh, /bin/ash, bash, zsh, or ash and the instruction includes -o pipefail; otherwise set it to false.
  3. For each RUN instruction:
     - If pipefail is false and the command contains a | character, emit DL4006.
     - Report the line of the offending RUN with the message "Set the SHELL option -o pipefail before RUN with a pipe in it. If you are using /bin/sh in an alpine image or if your shell is symlinked to busybox then consider explicitly setting your SHELL to /bin/ash, or disable this check."
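
The specification above, written out as an added Python example (not the project's own code) and run against a constructed Dockerfile. The function names are hypothetical, the parser handles only backslash continuations, "includes -o pipefail" is read as the two adjacent arguments "-o" and "pipefail", and findings carry the rule ID rather than the full message text.

```python
import json

RULE = "DL4006"
NO_REQUIREMENT = {"pwsh", "powershell", "cmd"}
PIPEFAIL_SHELLS = {"/bin/bash", "/bin/zsh", "/bin/ash", "bash", "zsh", "ash"}

# Constructed sample input; image tags and the URL are placeholders.
SAMPLE = r"""FROM alpine:3.20
RUN wget -qO- https://example.invalid/list | wc -l
SHELL ["/bin/ash", "-o", "pipefail", "-c"]
RUN wget -qO- https://example.invalid/list | wc -l
FROM debian:bookworm
RUN apt-get update \
    && dpkg -l | grep curl
SHELL ["/bin/sh", "-o", "pipefail", "-c"]
RUN cat /etc/os-release | head -n1
"""

def logical_lines(text):
    """Yield (first_line_number, instruction), joining backslash continuations."""
    buf, start = "", 0
    for num, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        start = start or num
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, buf + line
        buf, start = "", 0

def shell_sets_pipefail(rest):
    """SHELL rule. Assumes the JSON (exec) form, the only form SHELL accepts."""
    argv = json.loads(rest)
    has_opt = ("-o", "pipefail") in zip(argv, argv[1:])
    return argv[0] in NO_REQUIREMENT or (argv[0] in PIPEFAIL_SHELLS and has_opt)

def check_dl4006(dockerfile):
    findings, pipefail = [], False
    for num, instr in logical_lines(dockerfile):
        keyword, _, rest = instr.partition(" ")
        if keyword.upper() == "FROM":
            pipefail = False  # every stage starts without pipefail
        elif keyword.upper() == "SHELL":
            pipefail = shell_sets_pipefail(rest)
        elif keyword.upper() == "RUN" and not pipefail and "|" in rest:
            findings.append((num, RULE))  # line where the offending RUN starts
    return findings
```

On the sample, the second stage is flagged twice: FROM resets the flag set in the first stage, and /bin/sh is not in the accepted shell list even though the SHELL line passes -o pipefail.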

(c) 2025 Asymmetric Effort, LLC. scaldwell@asymmetric-effort.com