buildkit/JSONArgsRecommended¶

JSON arguments recommended for ENTRYPOINT/CMD to prevent unintended behavior related to OS signals.

Property	Value
Severity	Info
Category	Best Practice
Default	Enabled
Auto-fix	Yes (`--fix`)

Description¶

ENTRYPOINT and CMD instructions both support shell form and exec form. When you use shell form, the executable runs as a child process to a shell, which doesn't pass signals. This means that the program running in the container can't detect OS signals like SIGTERM and SIGKILL and respond to them correctly.

Examples¶

Bad:

FROM alpine
ENTRYPOINT my-program start
# entrypoint becomes: /bin/sh -c my-program start

Good:

FROM alpine
ENTRYPOINT ["my-program", "start"]
# entrypoint becomes: my-program start

Workarounds¶

If you need shell features (variable expansion, piping, command chaining), you can:

Create a wrapper script:

FROM alpine
RUN apk add bash
COPY --chmod=755 <<EOT /entrypoint.sh
#!/usr/bin/env bash
set -e
my-program start
EOT
ENTRYPOINT ["/entrypoint.sh"]

Explicitly specify the shell (suppresses the warning):

FROM alpine
RUN apk add bash
SHELL ["/bin/bash", "-c"]
ENTRYPOINT echo "hello world"

Auto-fix¶

Fix safety: FixSuggestion -- converts shell form to JSON array form.

Before:

CMD echo hello world

After (with --fix):

CMD ["echo", "hello", "world"]

tally/invalid-json-form -- detects instructions that attempt JSON exec-form but have invalid JSON (e.g., unquoted strings, single quotes). BuildKit silently falls back to shell-form for these, so both rules fire on the same instruction. tally's supersession processor suppresses the lower-severity JSONArgsRecommended (info) when invalid-json-form (error) is present at the same line.

Supersedes¶

hadolint/DL3025

Reference¶

buildkit/JSONArgsRecommended