4.9 Ensure COPY is used instead of ADD in Dockerfile

Information

Use the COPY instruction instead of the ADD instruction in the Dockerfile.
Rationale:
The COPY instruction only copies files from the local host machine to the container file system. The ADD instruction can also retrieve files from remote URLs and perform operations such as unpacking. ADD therefore introduces risks such as adding malicious files from URLs without scanning, and exposure to vulnerabilities in the unpacking procedure.

Solution

Use COPY instructions in Dockerfiles.
Impact:
You would need to provide by other means the functionality that ADD instructions offer, such as fetching files from remote URLs.
Default Value:
Not Applicable
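
One way to audit a Dockerfile for this control, as an added example that is not part of the benchmark or of the plugin's own check: the script lists every ADD instruction and labels which ADD-only behaviour (remote fetch or archive unpacking) would have to be replaced when switching to COPY. The function names, risk labels and sample Dockerfile are constructed for illustration; it assumes the default escape character and no heredocs.

```python
import json
import re

# Constructed sample Dockerfile (not from the benchmark).
SAMPLE = """\
FROM alpine:3.19
# ADD in a comment is ignored
ADD https://example.com/tool.tar.gz /opt/
add --chown=app:app vendor.tar.gz \\
    /opt/vendor/
ADD ["app.conf", "/etc/app/"]
COPY src/ /app/
RUN echo "ADD is only text here"
"""
ARCHIVE = re.compile(r"\.(tar|tar\.gz|tgz|tar\.bz2|tar\.xz)$", re.I)
URL = re.compile(r"^https?://", re.I)

def logical_lines(text):
    """Yield (first_line_no, instruction) with backslash continuations joined.
    Assumes the default escape character and no heredocs."""
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        start = start if buf else no
        if line.endswith("\\"):
            buf += line[:-1] + " "
        else:
            yield start, buf + line
            buf = ""

def audit_add(text):
    """Return (line_no, risk, sources) for every ADD instruction found."""
    findings = []
    for no, instr in logical_lines(text):
        keyword, _, rest = instr.replace("\t", " ").partition(" ")
        if keyword.upper() != "ADD":
            continue
        rest = re.sub(r"^(--\S+\s+)+", "", rest.strip())  # drop flags such as --chown
        args = json.loads(rest) if rest.startswith("[") else rest.split()
        sources = args[:-1]  # the last argument is the destination
        if any(URL.match(s) for s in sources):
            risk = "remote-url"      # file is fetched from a URL at build time
        elif any(ARCHIVE.search(s) for s in sources):
            risk = "auto-extract"    # local tar archive is unpacked by ADD
        else:
            risk = "use-copy"        # plain copy: replace ADD with COPY directly
        findings.append((no, risk, sources))
    return findings
```

Calling audit_add(SAMPLE) reports the ADD instructions on lines 3, 4 and 6 of the sample; an empty result means the Dockerfile satisfies this control.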

See Also

https://workbench.cisecurity.org/files/1726

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7b., CSCv6|18

Plugin: Unix

Control ID: b87681f03e59d358b729ce28ac62df726b6c6ba7858f1194626999b460cccc86