Prefer COPY Over ADD

LOW

Use COPY instead of ADD for simple file operations. ADD has implicit behavior that can be surprising.

Rule Information

Language
Docker
Category
Best Practice
Author
Shivasurya
Last Updated
2026-03-22
Tags
docker, dockerfile, copy, add, file-operations, best-practice, transparency, predictability, anti-pattern
CWE References

Interactive Playground


pathfinder scan --ruleset docker/DOCKER-BP-011 --project .

About This Rule

Understanding the vulnerability and how it is detected

Detects use of the ADD instruction where COPY would suffice. ADD has implicit behaviour (automatic extraction of tar archives, downloading from URLs) that can be surprising and creates security risks.

How to Fix

Recommended remediation steps

  1. Use COPY for copying local files into the image
  2. Only use ADD when you specifically need tar auto-extraction or URL downloading
  3. For downloading files, prefer RUN with curl or wget for better control
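To make the detection and the fix concrete, here is an added example (it is not the page's rule.py nor pathfinder's own code) that scans a constructed Dockerfile for ADD instructions whose sources are neither URLs nor tar archives, i.e. the cases where COPY is a drop-in replacement, and proposes the keyword swap. It goes slightly beyond the text by handling backslash continuations, --chown/--chmod/--link flags (which COPY accepts too) and the JSON exec form; the archive suffix list is an assumption.

```python
import json
import re
import shlex

# Suffixes ADD would auto-extract (assumption: the common tar spellings).
ARCHIVE_SUFFIXES = (".tar", ".tar.gz", ".tgz", ".tar.bz2", ".tbz2", ".tar.xz", ".txz")

# Constructed sample Dockerfile (not from the page); lines 3-4 are one continued instruction.
SAMPLE = """\
FROM python:3.12-slim
ADD rootfs.tar.xz /
ADD --chown=app:app requirements.txt \\
    /app/requirements.txt
ADD https://example.invalid/tool.tgz /opt/
COPY src/ /app/src/
ADD ["config.yaml", "/app/config.yaml"]
"""

def _logical_lines(text: str) -> list[tuple[int, str]]:
    """Join backslash-continued lines; each entry keeps its first physical line number."""
    out, buf, start = [], [], 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        start = start or no
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line)
        out.append((start, " ".join(buf)))
        buf, start = [], 0
    return out

def needs_add(src: str) -> bool:
    """True only when ADD's implicit behaviour (URL download or tar extraction) is used."""
    return src.startswith(("http://", "https://")) or src.lower().endswith(ARCHIVE_SUFFIXES)

def _sources(args: str) -> list[str]:
    """Source operands of an ADD: drop --chown/--chmod/--link flags and the destination."""
    parts = json.loads(args) if args.startswith("[") else shlex.split(args)
    return [p for p in parts if not p.startswith("--")][:-1]

def find_add_over_copy(text: str) -> list[tuple[int, str, str]]:
    """Return (line, instruction, drop-in COPY fix) for each ADD whose sources COPY could handle."""
    findings = []
    for no, line in _logical_lines(text):
        m = re.match(r"(?i)^add\s+(.+)$", line)
        if not m:
            continue
        srcs = _sources(m.group(1))
        if srcs and not any(needs_add(s) for s in srcs):
            findings.append((no, line, re.sub(r"(?i)^add", "COPY", line, count=1)))
    return findings
```

Running it over SAMPLE flags lines 3 and 7 only; the tar root filesystem and the URL download on lines 2 and 5 are left alone because those are the cases the rule reserves for ADD.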

Frequently Asked Questions

Common questions about Prefer COPY Over ADD

COPY simply copies files from the build context. ADD has extra features: it auto-extracts tar archives and can download from URLs. These implicit behaviors can be surprising and introduce security risks.

Use ADD only when you need automatic tar extraction (e.g., ADD rootfs.tar.xz /). For all other cases, COPY is clearer and safer.
