
hadolint/DL4006

Set the SHELL option -o pipefail before RUN with a pipe in.

Property Value
Severity Warning
Category Best Practice
Default Enabled
Auto-fix Yes (--fix)

Description

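Some RUN commands depend on the ability to pipe the output of one command into another using the pipe character (|). Docker executes these commands using /bin/sh -c, which only evaluates the exit code of the last operation in the pipe. As a result, the build step succeeds as long as the last command succeeds, even if an earlier command in the pipe fails.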

Since there are some shells that do not accept the -o pipefail option, it is not enough to add set -o pipefail inside the RUN instruction. Therefore, we recommend always explicitly adding the SHELL instruction before using pipes in RUN.

Examples

Problematic code

RUN wget -O - https://some.site | wc -l > /number

Correct code

SHELL ["/bin/bash", "-o", "pipefail", "-c"]
RUN wget -O - https://some.site | wc -l > /number

or for Alpine/busybox:

SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
RUN wget -O - https://some.site | wc -l > /number

Auto-fix

Inserts a SHELL ["/bin/bash", "-o", "pipefail", "-c"] instruction before the first RUN with a pipe in each stage. The instruction is generated only once per stage, since SHELL persists for the rest of that stage.

# Before
RUN cmd1 | cmd2 | cmd3

# After (with --fix)
SHELL ["/bin/bash", "-o", "pipefail", "-c"]
RUN cmd1 | cmd2 | cmd3
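
The per-stage check described above, as an added example (a simplified Python sketch, not this linter's own implementation): it reports each RUN that contains a pipe while no SHELL with pipefail is in effect in the current stage. The function names and the sample Dockerfile are constructed; pipes inside quoted strings, exec-form RUN and heredocs are not handled.

```python
import re

PIPE = re.compile(r"(?<!\|)\|(?!\|)")  # a lone |, not the || operator

SAMPLE = """\
FROM debian:stable AS build
RUN wget -O - https://some.site | wc -l > /number
SHELL ["/bin/bash", "-o", "pipefail", "-c"]
RUN wget -O - https://some.site \\
    | wc -l > /number
RUN test -f /number || exit 1

FROM alpine
RUN cat /etc/passwd | wc -l
"""  # constructed sample input

def logical_lines(text):
    """Join backslash-continued lines; yield (first_line_no, instruction)."""
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no instruction text
        if not buf:
            start = no
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, buf + line
        buf = ""

def missing_pipefail(dockerfile):
    """Return line numbers of RUN instructions that pipe without pipefail."""
    findings, pipefail = [], False
    for no, instr in logical_lines(dockerfile):
        parts = instr.split(None, 1)
        keyword = parts[0].upper()
        rest = parts[1] if len(parts) > 1 else ""
        if keyword == "FROM":
            pipefail = False  # a new stage starts with the default shell
        elif keyword == "SHELL":
            pipefail = "pipefail" in rest  # persists until replaced
        elif keyword == "RUN" and PIPE.search(rest) and not pipefail:
            findings.append(no)
    return findings

if __name__ == "__main__":
    print(missing_pipefail(SAMPLE))
```

On the sample, the RUN in the second stage is reported even though the first stage set pipefail, because the SHELL instruction does not carry over past FROM.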

Reference