Profile Applicability:
Level 1
Description:
You should use the COPY instruction instead of the ADD instruction in the Dockerfile.
Rationale:
The COPY instruction simply copies files and directories from the build context on the local host into the container file system. The ADD instruction can additionally retrieve files from remote URLs and perform operations such as unpacking local archives automatically. Using ADD introduces security risks, such as retrieving potentially malicious files from URLs without scanning them, or vulnerabilities related to decompressing files.
Impact:
Pros:
Using COPY ensures more predictable behavior and reduces security risks.
Prevents unintentional file downloads or decompression vulnerabilities.
Cons:
If your application requires functionality from the ADD instruction (such as downloading files from a URL), this might require changes to your Dockerfile.
Default Value:
Not applicable.
Pre-requisites:
Ensure that you have access to the Dockerfile and can modify its instructions.
Remediation:
Test Plan:
Using AWS Console:
- Review the Dockerfile for the image to verify that ADD is not used. If it is, replace it with COPY.
Using AWS CLI:
- Run the following command to check the image history:
docker history <IMAGE ID>
- Review the output to see if the ADD instruction is used.
Implementation Plan:
Using AWS Console:
Edit the Dockerfile to replace any instances of ADD with COPY. For example:
# Replace this:
ADD https://example.com/file.tar.gz /path/in/container
# With this (file.tar.gz must already be in the build context; COPY does not unpack it):
COPY file.tar.gz /path/in/container
Rebuild the image to apply the changes:
docker build -t <IMAGE_NAME> .
Using AWS CLI:
- If using SSM to deploy changes, run the following command to edit the Dockerfile:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["sed -i \"s/^ADD /COPY /\" Dockerfile && docker build -t <IMAGE_NAME> ."]'
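An added example (not part of the benchmark text) that automates the Test Plan review and the safe subset of the ADD-to-COPY replacement: it parses a constructed sample Dockerfile, classifies each ADD by the two risks the Rationale names (remote URL fetch, automatic archive extraction), and swaps ADD for COPY only where the result is behaviour-identical; URL and archive cases are reported for manual fixing. The sample Dockerfile, regexes and field names are assumptions made for the example.

```python
import re
from collections import namedtuple
# Constructed sample (not from the benchmark): a remote URL, a local archive,
# and a plain local file spread over a continuation line.
SAMPLE_DOCKERFILE = """\
FROM python:3.12-slim
ADD https://example.com/file.tar.gz /opt/
ADD --chown=app:app app.tar.gz /srv/app/
ADD requirements.txt \\
    /srv/app/requirements.txt
COPY src/ /srv/app/src/
"""
URL_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)
ARCHIVE_RE = re.compile(r"\.(tar|tgz|tbz2|txz|tar\.(gz|bz2|xz))$", re.IGNORECASE)
# remote: fetched at build time, unscanned; extracts: a local archive that ADD
# would silently unpack; copy_safe: plain local paths, so COPY is a drop-in swap.
AddFinding = namedtuple("AddFinding", "line sources remote extracts copy_safe")
def logical_lines(text):
    """Yield (line_no, instruction), joining backslash continuations, skipping comments."""
    buf, start = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not buf and (not line or line.startswith("#")):
            continue
        start = start or no
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield start, " ".join(buf)
        buf, start = [], None
def audit_dockerfile(text):
    """Return an AddFinding for every ADD instruction in the Dockerfile text."""
    findings = []
    for no, inst in logical_lines(text):
        parts = inst.split()
        if parts[0].upper() != "ADD":
            continue
        args = [p for p in parts[1:] if not p.startswith("--")]  # drop --chown etc.
        sources = args[:-1]  # the last argument is the destination
        remote = any(URL_RE.match(s) for s in sources)
        extracts = any(not URL_RE.match(s) and ARCHIVE_RE.search(s) for s in sources)
        findings.append(AddFinding(no, sources, remote, extracts, not (remote or extracts)))
    return findings
def rewrite_safe_adds(text):
    # Only copy_safe findings are rewritten; remote/archive ADDs are left untouched.
    lines = text.splitlines()
    for f in (f for f in audit_dockerfile(text) if f.copy_safe):
        lines[f.line - 1] = re.sub(r"^(\s*)ADD\b", r"\1COPY", lines[f.line - 1], flags=re.IGNORECASE)
    return "\n".join(lines) + "\n"
```

Run `audit_dockerfile` over a real Dockerfile to get the Test Plan evidence, and apply `rewrite_safe_adds` instead of a blanket sed so that URL and archive ADDs are not silently turned into COPY instructions that would fail or change behaviour.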
Backout Plan:
Using AWS Console:
- Revert the Dockerfile to its previous state if the changes caused issues.
- Use ADD instead of COPY if required by the application.
Using AWS CLI:
- Revert the changes by restoring the original Dockerfile from version control and rebuilding the image:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["git checkout Dockerfile && docker build -t <IMAGE_NAME> ."]'
References: