ADD instead of COPY
ID: add_instead_of_copy
Severity: info
Family: Container Security
Tags: dockerfile, non-reachable, security, zip-slip
Description
You should use COPY instead of ADD, unless you want to extract a tar file or fetch content from a URL or remote Git repository. Note that an ADD command may be used with a (possibly compressed) tar file, which adds the risk of Zip-based vulnerabilities, like zip-slip.
Docker’s official documentation notes that users should always choose COPY over ADD since it is a more transparent and straightforward command.
Accordingly, it is advised to use a COPY command when the magic of ADD is not required. COPY copies contents from the build context or from another stage in a multi-stage build.
ADD is needed only for downloading a remote artifact as part of the build, such as a Git repository, or for unpacking a (possibly compressed) tar file directly into an image layer: ADD supports both URLs and tar files. Even for remote content, fetching in a RUN command gives more flexibility (checksum verification, cleanup in the same layer) and may lead to smaller images.
ADD commands used for retrieving content from a remote URL, or for unpacking tar / compressed content, are ignored by this detector. Otherwise, the equivalent COPY command is recommended instead.
Security
Unpacking compressed tar files may be exploited for overwriting existing files in unexpected locations, due to insufficient path validation while extracting archives.
Another risk is when using ADD to download a file from a URL and that URL is compromised: your Docker container could be infected with malicious code. Therefore, it is safer to use COPY in your Dockerfiles.
Examples
# Could be replaced by COPY
ADD /documentation/*.md doc/
The following shows the --checksum option for integrity verification in the ADD command when a URL is used:
# This ADD of remote content (dotnet runtime) uses a checksum, which is safer
# Taken from https://docs.docker.com/develop/develop-images/instructions/#add-or-copy
ADD --checksum=sha256:270d731bd08040c6a3228115de1f74b91cf441c584139ff8f8f6503447cebdbb \
https://dotnetcli.azureedge.net/dotnet/Runtime/$DOTNET_VERSION/dotnet-runtime-$DOTNET_VERSION-linux-arm64.tar.gz /dotnet.tar.gz
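The following multi-stage Dockerfile is an added example, not part of the detector's documentation or of Docker's own examples. It puts the three cases the rule distinguishes side by side: a plain build-context copy done with COPY, a remote artifact fetched in a RUN step with a pinned digest and a traversal check on the archive before it is unpacked (the zip-slip risk described under Security), and a COPY --from between stages. The image tag, the artifact URL and the all-zero SHA-256 value are placeholders, not real values.

```dockerfile
# Added example, not from the original page. Image tag, URL and digest are placeholders.
FROM alpine:3.19 AS build
WORKDIR /src

# Plain copy from the build context: COPY, not ADD (the case this detector flags).
COPY documentation/*.md doc/

# Remote artifact: fetch in RUN instead of "ADD <url>" so the build can
#  1. verify the expected digest and fail on mismatch,
#  2. list the archive and refuse entries that escape the target directory
#     ("../" components or absolute paths, i.e. zip-slip style entries),
#  3. remove the tarball in the same layer, keeping the image smaller.
ARG ARTIFACT_URL=https://example.invalid/app-1.0.0.tar.gz
ARG ARTIFACT_SHA256=0000000000000000000000000000000000000000000000000000000000000000
RUN set -eu \
 && wget -q -O app.tar.gz "$ARTIFACT_URL" \
 && echo "$ARTIFACT_SHA256  app.tar.gz" | sha256sum -c - \
 && if tar -tzf app.tar.gz | grep -Eq '(^|/)\.\.(/|$)|^/'; then \
        echo "refusing archive with traversal entries" >&2; exit 1; \
    fi \
 && mkdir -p /opt/app \
 && tar -xzf app.tar.gz -C /opt/app \
 && rm app.tar.gz

FROM alpine:3.19
# COPY --from reuses the already verified and unpacked tree from the build stage.
COPY --from=build /opt/app /opt/app
COPY --from=build /src/doc /usr/share/doc/app
```

The sha256sum -c line expects the two-space "digest  filename" format of the coreutils and BusyBox tools, so the build aborts before extraction if the download does not match the pinned digest. The grep pattern over `tar -t` output rejects any member whose path contains a ".." component or starts with "/"; where ADD with --checksum is preferred over a RUN step, the digest pin is kept but the archive-content check is lost, which is why the RUN form is shown here.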