Language: terraform
Severity: low

Description

Using the ADD instruction in Dockerfiles when only file copying is needed introduces unnecessary risk: ADD automatically extracts local tar archives into the image and fetches remote URLs at build time, whereas COPY only copies files from the build context. This behaviour may unintentionally expose the build to archive-extraction (zip-slip-style path traversal) vulnerabilities or to unwanted file content.

Impact

An attacker could craft malicious tar files that, when extracted by ADD, overwrite critical files or place unexpected files in the image, potentially leading to code execution or privilege escalation within containers. This increases the attack surface and can compromise the security of containerized applications.

Resolution

Use COPY instead of ADD for copying local files; reserve ADD for the cases that genuinely need its tar extraction or remote-URL fetching.
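One way to check a Dockerfile for this rule, as an added example that is not part of the original rule page or its vendor's tooling: the POSIX-sh script below reads a Dockerfile on stdin and reports every ADD source that is neither a remote URL nor a local tar archive, i.e. every ADD that could simply be COPY. The sample Dockerfile is constructed for the example; the script parses only the classic shell form of ADD (not the JSON-array form or backslash line continuations), which is an assumption made to keep it short.

```shell
#!/bin/sh
# Added example (not from the original rule page): flag ADD instructions that
# only copy local, non-archive files and should therefore be COPY.
# ADD is treated as justified only for the two things COPY cannot do: fetching
# a remote URL or auto-extracting a local tar archive. Everything else is reported.

# Constructed sample Dockerfile so the check runs offline.
SAMPLE_DOCKERFILE='FROM alpine:3.19
ADD app.tar.gz /opt/app/
ADD https://example.invalid/config.yaml /etc/app/config.yaml
ADD ./src /usr/src/app
add --chown=app:app entrypoint.sh /entrypoint.sh
COPY requirements.txt /tmp/
RUN echo done'

# add_source_is_justified SRC: exit 0 when ADD is the right instruction for SRC.
# Note: ADD only auto-extracts *local* archives; a remote URL is never extracted,
# but it still needs ADD because COPY cannot fetch it.
add_source_is_justified() {
    case "$1" in
        http://*|https://*)                                   return 0 ;; # remote fetch
        *.tar|*.tar.gz|*.tar.bz2|*.tar.xz|*.tgz|*.tbz2|*.txz) return 0 ;; # auto-extracted archive
        *)                                                    return 1 ;;
    esac
}

# list_add_findings: reads a Dockerfile on stdin and prints "LINE: ADD SRC" for
# each source that should be copied with COPY instead. The JSON-array form
# (ADD ["src","dest"]) and backslash continuations are deliberately not parsed.
list_add_findings() {
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        # Keep only lines whose instruction is ADD (case-insensitive) and drop the keyword.
        rest=$(printf '%s\n' "$line" | sed -n 's/^[[:space:]]*[Aa][Dd][Dd][[:space:]]\{1,\}//p')
        [ -n "$rest" ] || continue
        case "$rest" in \[*) continue ;; esac   # JSON form: skipped by design
        set -- $rest                            # split the remainder into words
        while [ $# -gt 1 ]; do                  # every argument except the last (the destination)
            case "$1" in
                --*) ;;                         # flags such as --chown=... are not sources
                *) add_source_is_justified "$1" || printf '%s: ADD %s\n' "$lineno" "$1" ;;
            esac
            shift
        done
    done
}

# count_add_findings: prints the number of findings for the Dockerfile on stdin.
count_add_findings() { list_add_findings | wc -l | tr -d ' '; }

# Stand-alone run: report findings for the constructed sample
# (prints "4: ADD ./src" and "5: ADD entrypoint.sh").
printf '%s\n' "$SAMPLE_DOCKERFILE" | list_add_findings
```

Run it against a real Dockerfile with `sh check_add.sh < Dockerfile`, or wire `count_add_findings` into a CI step that fails when the count is non-zero. The archive suffix list is the script's own assumption about what ADD extracts; extend it if your build uses other tar naming conventions.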