SonarSource · rudy-regazzoni-sonarsource · Jan 8, 2025 · Jan 7, 2025 · Jan 7, 2025 · Jan 7, 2025
diff --git a/rules/S7019/docker/rule.adoc b/rules/S7019/docker/rule.adoc
@@ -10,6 +10,15 @@ This can cause problems when trying to gracefully stop containers because the ma
 Moreover, the exec form provides more control and predictability over the execution of the command.
 It does not invoke a command shell, which means it does not have the potential side effects of shell processing.
 
+Although, the exec form does not allow shell features such as variable expansion, piping (`|`) and command chaining (`&&`, `||`, `;`).
+In case you need to use these features, there is few alternatives:
+- create a wrapper script
+- explicitly specify the shell with the `SHELL` instruction before the `CMD` or `ENTRYPOINT` instruction
+
+=== Exceptions
+
+As mentioned above, this rule will not raise an issue if the `SHELL` instruction is used before the `CMD` or `ENTRYPOINT` instruction, as we consider this is a conscious decision.
+
 == How to fix it
 
 === Code examples
@@ -22,6 +31,22 @@ FROM scratch
 ENTRYPOINT echo "Welcome!"
 ----
 
+[source,docker,diff-id=2,diff-type=noncompliant]
+----
+FROM scratch
+ENTRYPOINT echo "Long script with chaining commands" \
+  && echo "Welcome!" \
+  && echo "Goodbye"
+----
+
+[source,docker,diff-id=3,diff-type=noncompliant]
+----
+FROM scratch
+ENTRYPOINT echo "Long script with chaining commands" \
+  && echo "Welcome!" \
+  && echo "Goodbye"
+----
+
 ==== Compliant solution
 
 [source,docker,diff-id=1,diff-type=compliant]
@@ -30,6 +55,21 @@ FROM scratch
 ENTRYPOINT ["echo", "Welcome!"]
 ----
 
+[source,docker,diff-id=2,diff-type=compliant]
+----
+FROM scratch
+SHELL ["/bin/bash", "-c"]
+ENTRYPOINT echo "Long script with chaining commands" \
+  && echo "Welcome!" \
+  && echo "Goodbye"
+----
+
+[source,docker,diff-id=3,diff-type=compliant]
+----
+FROM scratch
+ENTRYPOINT ["/entrypoint.sh"]
+----
+
 == Resources
 === Documentation