Package managers should not install recommended packages automatically in Dockerfiles.

Why is this an issue?

When apt, apt-get, or aptitude install a package without the --no-install-recommends flag (or --without-recommends for aptitude), the package manager also installs all packages listed as recommendations by the requested package. Recommended packages are often not required for the container’s primary purpose, increase image size, and make the installed dependency set harder to reason about. Installing only strictly required packages keeps images lean, reproducible, and easier to maintain.

What is the potential impact?

Unnecessary packages may contain unidentified vulnerabilities or malicious code, expanding the attack surface of the container.

Larger images also have a direct financial impact: they consume more storage in container registries and increase data transfer costs when pulling images, both of which scale with the number of deployments.

How to fix it

Code examples

Noncompliant code example

FROM ubuntu:22.04

RUN apt install -y build-essential # Noncompliant

RUN apt-get install -y build-essential # Noncompliant

RUN aptitude install -y build-essential # Noncompliant

Compliant solution

FROM ubuntu:22.04

RUN apt --no-install-recommends install -y build-essential

RUN apt-get --no-install-recommends install -y build-essential

RUN aptitude --without-recommends install -y build-essential
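To make the check behind this rule concrete, here is an added example (not part of the rule page or its analyzer) of a small Python checker that scans a Dockerfile for apt, apt-get or aptitude install commands in RUN instructions that lack the corresponding flag; it folds backslash continuations, splits chained commands, and skips VAR=value prefixes. The sample Dockerfile embedded in it is constructed for the demonstration.

```python
import re
# Flag that stops each manager from pulling recommended packages (from the rule text).
NO_RECOMMENDS_FLAG = {
    "apt": "--no-install-recommends",
    "apt-get": "--no-install-recommends",
    "aptitude": "--without-recommends",
}

# Constructed sample Dockerfile: the first RUN is compliant, the second is not.
SAMPLE_DOCKERFILE = """FROM debian:bookworm-slim
RUN apt-get update && \\
    DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends curl && \\
    rm -rf /var/lib/apt/lists/*
RUN apt-get update && apt-get install -y git  # missing flag
"""

def run_instructions(dockerfile_text):
    """Yield (line_no, shell_text) per RUN instruction, folding backslash
    continuations so a multi-line RUN is checked as one unit (the JSON
    exec form, RUN ["..."], is not parsed here)."""
    lines = dockerfile_text.splitlines()
    i = 0
    while i < len(lines):
        line, start = lines[i], i + 1
        while line.rstrip().endswith("\\") and i + 1 < len(lines):
            i += 1
            line = line.rstrip()[:-1] + " " + lines[i]
        i += 1
        if line.strip().upper().startswith("RUN "):
            yield start, line.strip()[4:]

def find_noncompliant(dockerfile_text):
    """Return [(line_no, command)] for each apt/apt-get/aptitude install
    inside a RUN that lacks that manager's no-recommends flag."""
    findings = []
    for line_no, shell in run_instructions(dockerfile_text):
        shell = shell.split(" #", 1)[0]  # drop a trailing shell comment
        for cmd in re.split(r"&&|\|\||;|\|", shell):  # one command per segment
            tokens = cmd.split()
            while tokens and re.fullmatch(r"[A-Za-z_]\w*=.*", tokens[0]):
                tokens.pop(0)  # skip VAR=value prefixes such as DEBIAN_FRONTEND=...
            if not tokens or tokens[0] not in NO_RECOMMENDS_FLAG:
                continue
            if "install" in tokens and NO_RECOMMENDS_FLAG[tokens[0]] not in tokens:
                findings.append((line_no, " ".join(tokens)))
    return findings

if __name__ == "__main__":
    for line_no, cmd in find_noncompliant(SAMPLE_DOCKERFILE):
        print(f"line {line_no}: {cmd} -> add {NO_RECOMMENDS_FLAG[cmd.split()[0]]}")
```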
