# Healthcheck Instruction Missing (CIS 4.6)

> Ensure that health checks are executed against running containers to maintain availability

## Impact & Risk Analysis

* **Severity:** Low
* **CIS Benchmark:** CIS 4.6
* **Impact:** **Availability Loss.** Availability is an important security property. Without a `HEALTHCHECK` instruction, the Docker engine cannot verify whether a container is still operational. A container might be running but unresponsive (e.g., deadlocked), and the engine will not know to terminate and restart it.

## Common Misconfiguration

The common misconfiguration is omitting the `HEALTHCHECK` instruction from Docker container images. `HEALTHCHECK` is not set by default, so the Docker engine assumes the container is healthy as long as the process is running, even if it is stuck or erroring out.

## Vulnerable Example

```dockerfile
# Vulnerable Dockerfile
FROM node:18-alpine

WORKDIR /app
COPY . .

# Missing HEALTHCHECK instruction
# If the app hangs (infinite loop), Docker won't restart it.
CMD ["node", "server.js"]
```

## Secure Example

```dockerfile
# Secure Dockerfile
FROM node:18-alpine

WORKDIR /app
COPY . .

# Add the HEALTHCHECK instruction
# Check every 30s, time out after 3s, allow a 5s start period,
# and mark the container unhealthy after 3 consecutive failures
HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
  CMD wget --no-verbose --tries=1 --spider http://localhost:3000/health || exit 1

CMD ["node", "server.js"]
```

## Audit Procedure

Run the command below to verify that Docker images have the appropriate `HEALTHCHECK` instruction configured:

```bash
# Inspect the image configuration
docker inspect --format='{{ .Config.Healthcheck }}' <IMAGE_ID>
```

* **Result:** This should return the configured health check parameters.
* **Fail:** If it returns `<no value>` or `nil`, the instruction is missing.
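
The audit command only shows whether a value is present. The script below is an added example (not part of the original page or the CIS benchmark) that also flags images built with `HEALTHCHECK NONE`, which leaves a non-empty `Healthcheck` value in the image config while disabling the check. The names `classify_healthcheck` and `audit_images` and the sample JSON strings are constructed for this example.

```bash
#!/usr/bin/env bash
# Added example: classify an image's health check from the output of
#   docker inspect --format '{{json .Config.Healthcheck}}' <IMAGE_ID>
# Function names and sample values are assumptions made for this example.

# Map the JSON form of .Config.Healthcheck to MISSING, DISABLED or CONFIGURED.
classify_healthcheck() {
  case "$1" in
    '' | null | '<nil>' | '<no value>') echo MISSING ;;  # no HEALTHCHECK in the image
    *'"Test":["NONE"'*) echo DISABLED ;;                  # HEALTHCHECK NONE
    *'"Test":["CMD'*) echo CONFIGURED ;;                  # CMD or CMD-SHELL probe
    *) echo MISSING ;;                                    # no Test entry: nothing to run
  esac
}

# Audit every local image; return non-zero if any lacks a working health check.
audit_images() {
  rc=0
  for id in $(docker images --quiet --no-trunc | sort -u); do
    hc=$(docker inspect --format '{{json .Config.Healthcheck}}' "$id")
    tags=$(docker inspect --format '{{join .RepoTags ","}}' "$id")
    status=$(classify_healthcheck "$hc")
    printf '%-10s %s %s\n' "$status" "$id" "${tags:-<untagged>}"
    [ "$status" = CONFIGURED ] || rc=1
  done
  return "$rc"
}

# Constructed sample outputs (not captured from a real image).
SAMPLE_OK='{"Test":["CMD-SHELL","wget --no-verbose --tries=1 --spider http://localhost:3000/health || exit 1"],"Interval":30000000000,"Timeout":3000000000,"StartPeriod":5000000000,"Retries":3}'
SAMPLE_NONE='{"Test":["NONE"]}'
SAMPLE_MISSING='null'

if [ "${1:-}" = "--audit" ]; then
  audit_images   # needs access to the Docker daemon
else
  # Without --audit, classify the constructed samples so the script runs offline.
  for s in "$SAMPLE_OK" "$SAMPLE_NONE" "$SAMPLE_MISSING"; do
    printf '%-10s %s\n' "$(classify_healthcheck "$s")" "$s"
  done
fi
```

Run it with `--audit` on a Docker host to list every local image with its status; the non-zero exit code when any image is `MISSING` or `DISABLED` makes it usable as a CI gate.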

## Remediation

You should follow the Docker documentation and rebuild your container images to include the `HEALTHCHECK` instruction. This ensures that the Docker engine periodically checks the running container instances against that instruction to verify they are operational.
