generic.dockerfile.correctness.copy-from-own-alias.copy-from-own-alias

Verifed by r2c

Community Favorite

semgrep

Author

126,601

Download Count*

LGPL Commons Clause

License

COPY instructions cannot copy from its own alias. The '$REF' alias is used before switching to a new image. If you meant to switch to a new image, include a new 'FROM' statement. Otherwise, remove the '--from=$REF' from the COPY statement.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit Rule View Source

Open in Playground

rules:
  - id: copy-from-own-alias
    severity: ERROR
    languages:
      - generic
    message: COPY instructions cannot copy from its own alias. The '$REF' alias is
      used before switching to a new image. If you meant to switch to a new
      image, include a new 'FROM' statement. Otherwise, remove the '--from=$REF'
      from the COPY statement.
    metadata:
      source-rule-url: https://github.com/hadolint/hadolint/wiki/DL3023
      references:
        - https://github.com/hadolint/hadolint/wiki/DL3023
      category: correctness
      technology:
        - dockerfile
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    paths:
      include:
        - "*dockerfile*"
        - "*Dockerfile*"
    pattern-either:
      - pattern: |
          FROM $IMAGE:$TAG as $REF
          ...
          COPY --from=$REF
          ...
          FROM
      - pattern: |
          FROM $IMAGE:$TAG AS $REF
          ...
          COPY --from=$REF
          ...
          FROM

Examples

copy-from-own-alias.dockerfile

# cf. https://github.com/hadolint/hadolint/wiki/DL3023

# ruleid: copy-from-own-alias
FROM debian:jesse as build

RUN stuff

COPY --from=build some stuff ./

# ok: copy-from-own-alias
FROM debian:jesse AS other

COPY some stuff ./

Short Link: https://sg.run/1Z6Q