ADD Command used instead of COPY
No violationsstackroxlowbuilddeployAlert on deployments using an ADD command
- Rationale
- ADD incorporates a broader set of capabilities than COPY, including the ability to specify URLs as the source argument and automatic unpacking of compressed files onto the local filesystem. The effects of ADD can be unpredictable and can lead to larger images. Unless ADD's additional capabilities are required, COPY is recommended.
- Remediation
- Replace ADD with COPY when adding new files to the image. Per https://docs.docker.com/develop/develop-images/dockerfile_best-practices, it is better to use RUN curl instead of ADD if you need to access a URL.
CategoriesDevOps Best PracticesDocker CIS
Compliance mappingsView coverage →
- DORA EU 2022/2554
- Art. 9.2
- ISO/IEC 27001 2022
- A.8.25A.8.9
- NIST SP 800-53 rev. 5
- CM-2
- PCI DSS 4.0
- 2.2.1
- SOC 2 2017 TSC
- CC8.1
Generated artifacts
1 of 5 targets supportedadd-command-used-instead-of-copy.rego
# ADD Command used instead of COPY (trivy)
# severity: low
# source: stackrox/80267b36-2182-4fb3-8b53-e80c031f4ad8
package trivy.add_command_used_instead_of_copy
deny[msg] {
# rule 1
some inst
inst := input.Misconfigurations[_].Message
contains(inst, {"ADD=.*"}[_])
msg := "[low] ADD Command used instead of COPY: Alert on deployments using an ADD command"
}
IR (canonical)
{
"id": "80267b36-2182-4fb3-8b53-e80c031f4ad8",
"name": "ADD Command used instead of COPY",
"description": "Alert on deployments using an ADD command",
"rationale": "ADD incorporates a broader set of capabilities than COPY, including the ability to specify URLs as the source argument and automatic unpacking of compressed files onto the local filesystem. The effects of ADD can be unpredictable and can lead to larger images. Unless ADD's additional capabilities are required, COPY is recommended.",
"remediation": "Replace ADD with COPY when adding new files to the image. Per https://docs.docker.com/develop/develop-images/dockerfile_best-practices, it is better to use RUN curl instead of ADD if you need to access a URL.",
"severity": "low",
"categories": [
"DevOps Best Practices",
"Docker CIS"
],
"lifecycle": [
"build",
"deploy"
],
"eventSource": "none",
"scope": [],
"exclusions": [],
"enforcement": {
"failBuild": false
},
"expression": {
"op": "criterion",
"field": "dockerfile-line",
"values": [
"ADD=.*"
],
"valuesOp": "or",
"negate": false
},
"disabled": true
}Original StackRox JSON
{
"id": "80267b36-2182-4fb3-8b53-e80c031f4ad8",
"name": "ADD Command used instead of COPY",
"description": "Alert on deployments using an ADD command",
"rationale": "ADD incorporates a broader set of capabilities than COPY, including the ability to specify URLs as the source argument and automatic unpacking of compressed files onto the local filesystem. The effects of ADD can be unpredictable and can lead to larger images. Unless ADD's additional capabilities are required, COPY is recommended.",
"remediation": "Replace ADD with COPY when adding new files to the image. Per https://docs.docker.com/develop/develop-images/dockerfile_best-practices, it is better to use RUN curl instead of ADD if you need to access a URL.",
"disabled": true,
"categories": [
"DevOps Best Practices",
"Docker CIS"
],
"lifecycleStages": [
"BUILD",
"DEPLOY"
],
"eventSource": "NOT_APPLICABLE",
"exclusions": [],
"scope": [],
"severity": "LOW_SEVERITY",
"enforcementActions": [],
"policySections": [
{
"sectionName": "",
"policyGroups": [
{
"fieldName": "Dockerfile Line",
"booleanOperator": "OR",
"negate": false,
"values": [
{
"value": "ADD=.*"
}
]
}
]
}
],
"notifiers": [],
"lastUpdated": null,
"SORTName": "",
"SORTLifecycleStage": "",
"SORTEnforcement": false,
"policyVersion": "1.1",
"mitreAttackVectors": [],
"criteriaLocked": true,
"mitreVectorsLocked": true,
"isDefault": true,
"source": "IMPERATIVE"
}