generic.dockerfile.best-practice.prefer-copy-over-add.prefer-copy-over-add

The ADD instruction accepts a URL as its source and downloads that file into the image at build time, with no integrity check of what was retrieved; over plain HTTP this exposes the build to a man-in-the-middle attack. ADD also silently extracts local tar archives into the destination directory. Because of these implicit behaviours, the more explicit COPY instruction is preferred: COPY only copies files from the build context and never fetches or unpacks anything, so remote downloads and archive extraction become visible RUN steps that can carry a checksum check.
Definition
rules:
  - id: prefer-copy-over-add
    severity: INFO
    languages:
      - generic
    message: The ADD command will accept and include files from a URL. This
      potentially exposes the container to a man-in-the-middle attack. Since ADD
      can have this and other unexpected side effects, the use of the more
      explicit COPY command is preferred.
    metadata:
      references:
        - https://snyk.io/blog/10-docker-image-security-best-practices/
      category: best-practice
      technology:
        - dockerfile
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    paths:
      include:
        - "*dockerfile*"
        - "*Dockerfile*"
    pattern: ADD
Examples
prefer-copy-over-add.dockerfile
FROM busybox
# ruleid: prefer-copy-over-add
ADD foo bar
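The registry example above only shows the minimal match. The Dockerfile below is an added example, not part of the rule page or the Semgrep project, showing the two ADD behaviours the rule warns about (remote fetch, silent tar extraction) next to the explicit COPY and RUN forms that the rule does not flag. It assumes a local build-context file app.tar.gz, a remote archive at the hypothetical URL https://example.com/app.tar.gz, and a build argument APP_SHA256 supplied by the caller with that archive's expected SHA-256.

```dockerfile
# syntax=docker/dockerfile:1
# Added example (not from the rule page): the ADD behaviours this rule flags,
# each beside an explicit replacement that the rule's pattern does not match.
# Assumptions: app.tar.gz exists in the build context, https://example.com/app.tar.gz
# is a placeholder URL, and APP_SHA256 is passed with --build-arg by the caller.
FROM busybox

# --- Flagged: ADD with a URL source. The file is fetched at build time with no
# integrity check; over http:// an on-path attacker can substitute the content.
# Shown commented out so this file still builds offline.
# ADD https://example.com/app.tar.gz /opt/app.tar.gz

# --- Flagged: ADD with a local tar archive. ADD auto-extracts it into /opt, so
# every path inside the archive lands in the image without a visible unpack step.
# ADD app.tar.gz /opt/

# --- Preferred: COPY only copies from the build context and never extracts, so
# the unpack is an explicit, reviewable RUN step.
COPY app.tar.gz /tmp/app.tar.gz
RUN mkdir -p /opt/app \
 && tar -xzf /tmp/app.tar.gz -C /opt/app \
 && rm /tmp/app.tar.gz

# --- Preferred for remote content: download in a RUN step and verify a pinned
# checksum before using the file. A mismatch makes sha256sum exit non-zero, which
# fails the build instead of silently baking in tampered content.
ARG APP_SHA256
RUN wget -q -O /tmp/remote.tar.gz https://example.com/app.tar.gz \
 && echo "${APP_SHA256}  /tmp/remote.tar.gz" | sha256sum -c - \
 && tar -xzf /tmp/remote.tar.gz -C /opt/app \
 && rm /tmp/remote.tar.gz
```

Build with `docker build --build-arg APP_SHA256=<expected hash> .`; the checksum line is the part that closes the man-in-the-middle gap, and it is only possible because the download is an ordinary shell command rather than an ADD. Note that `ADD --checksum=sha256:<hash> <url> <dest>` (Dockerfile syntax 1.6 and later) also pins the hash, but a line using it still contains the ADD token and so still matches this rule's generic `ADD` pattern.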
Short Link: https://sg.run/lj2B