apt-get update in a separate RUN layer
Part of Architecture & Best Practices, which counts for 15% of the overall score. When this check fires it deducts 4 points from that category, once per scan, no matter how many places it turns up.
What it detects
apt-get update runs in its own RUN, separate from install. The cached update layer can be reused while install pulls stale package versions.
Why it matters
When apt-get update runs in its own RUN, Docker can reuse that cached layer on a later build while the separate install layer pulls package versions that no longer match the cached index. This is the classic stale-cache bug that causes intermittent build failures.
How to fix it
Put apt-get update and apt-get install in a single RUN chained with && so they are cached and invalidated as a unit. Add --no-install-recommends and the apt-lists cleanup in the same RUN.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo