DL3020: Use COPY instead of ADD for files and folders

Error Security

Why This Matters

ADD has implicit behaviors that COPY does not: it auto-extracts archives and can fetch remote URLs. This unpredictability is a security concern because ADD from a URL fetches content without checksum verification, and auto-extraction can unpack unexpected content. Use COPY for straightforward file copies and explicit commands (curl/wget + tar) when you need archives or remote resources.

How to Fix

Replace ADD with COPY for local file copies

Before (incorrect)

ADD ./config /app/config

After (correct)

COPY ./config /app/config
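For the archive and remote-resource cases mentioned under "Why This Matters", the following is an added example, not part of the original rule page. The base image, URL, paths and checksum value are constructed placeholders; the ADD lines are left as comments to show what is being replaced.

```dockerfile
# Constructed example: base image, URL, paths and checksum are placeholders.
FROM debian:bookworm-slim

# Weak: ADD fetches the URL with no integrity check on what arrives.
# ADD https://example.com/releases/tool-1.0.tar.gz /tmp/tool.tar.gz

# Weak: ADD silently unpacks a local tar archive into the destination.
# ADD vendor/tool-1.0.tar.gz /opt/tool/

# Explicit form: download, verify, then extract, each as a visible step.
ARG TOOL_URL=https://example.com/releases/tool-1.0.tar.gz
# Placeholder: pin the digest published for the exact release you expect.
ARG TOOL_SHA256=REPLACE_WITH_EXPECTED_SHA256

RUN set -eux; \
    apt-get update; \
    apt-get install -y --no-install-recommends ca-certificates curl; \
    rm -rf /var/lib/apt/lists/*; \
    # -f makes curl fail on HTTP errors instead of saving an error page
    curl -fsSL -o /tmp/tool.tar.gz "$TOOL_URL"; \
    # sha256sum -c exits non-zero on mismatch, which aborts the build
    echo "${TOOL_SHA256}  /tmp/tool.tar.gz" | sha256sum -c -; \
    mkdir -p /opt/tool; \
    # extract only after verification, into a directory you chose
    tar -xzf /tmp/tool.tar.gz -C /opt/tool --no-same-owner; \
    rm /tmp/tool.tar.gz

# Local files and folders: plain COPY, no extraction, no network access.
COPY ./config /app/config
```

With the placeholder digest left in place the checksum step fails and the build stops, which is the behavior you want whenever the downloaded content does not match what was pinned.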

Rule Details

Rule Code: DL3020
Severity: Error
Category: Security
