ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S7029/docker/rule.adoc

54 lines
2.0 KiB
Plaintext
Raw Permalink Blame History

In Dockerfiles, it is recommended to use the COPY instruction over the ADD instruction for copying local resources. The COPY instruction is more straightforward and less prone to errors, making it a better choice for copying local files and directories into a Docker image.
== Why is this an issue?
Using the ADD instruction instead of COPY for local resources in Dockerfiles can lead to several issues, including unexpected behavior, increased complexity, and security risks. The ADD instruction has additional features that can introduce unintended side effects, such as automatically extracting compressed files and fetching remote resources. This can make the behavior of the instruction less predictable and harder to understand or even lead to security issues, if, for example, due to a typo in the source path, the ADD instruction could fetch a remote resource instead of copying a local file.
If you only need to copy local files or directories into your Docker image, it is recommended to use the COPY instruction instead. Only use the ADD instruction when you need its additional features, such as fetching remote resources or extracting compressed files. See also the rule S7026 for more information on using the ADD instruction to fetch remote resources.
== How to fix it
=== Code examples
==== Noncompliant code example
[source,docker,diff-id=1,diff-type=noncompliant]
----
FROM ubuntu:20.04
ADD ./app /app
----
==== Compliant solution
[source,docker,diff-id=1,diff-type=compliant]
----
FROM ubuntu:20.04
COPY ./app /app
----
== Resources
=== Documentation
* S7026 - Use ADD instruction to retrieve remote resources
* Docker Docs - https://docs.docker.com/build/building/best-practices/#add-or-copy[Building best practices]
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
=== Message
Replace this ADD instruction with a COPY instruction.
=== Highlighting
Highlight the ADD instruction.
'''
== Comments And Links
(visible only on this page)
endif::env-github,rspecator-view[]
Reference in New Issue View Git Blame Copy Permalink