ADD and COPY are both Docker commands that serve similar purposes. Although there are slight differences in their functionality, they essentially perform the same task:
copying files from a specific location into a Docker image.
How they differ
ADD copies new files or directories from <src> and adds them to the filesystem of the container at the path <dest>.
The syntax for this command looks like this:
ADD <src> … <dest>
It also has two more features:
- Copy and automatically extract compressed files (local files only) into the given destination:
ADD file.tar.xz /destination/path
- Download and copy files from a remote URL to the given destination:
ADD http://www.your-source.file/url /destination/path
The COPY command aims to cover the majority of copy-files-into-a-container use cases without any surprises:
- It doesn’t support URLs as a <src> argument, so you can’t use it to download files from remote locations.
- It doesn’t give any special treatment to archives. If you COPY an archive file, it will land in the container exactly as it appears in the build context, without being extracted.
Why COPY is more secure
- Remote URLs should be declared over a secure TLS connection and their origins need to be validated as well to prevent man-in-the-middle attacks.
- COPY allows separating the addition of an archive from remote locations and unpacking it as different layers, which optimizes the image cache. If remote files are needed, combining all of them into one RUN command that downloads, extracts, and cleans up afterwards optimizes a single layer operation over several layers that would be required if
- ADD automatically extracts local archives to the destination directory. While this may be acceptable, it adds the risk of Zip Bombs and Zip Slip vulnerabilities that could then be triggered automatically.
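To find the ADD instructions in an existing Dockerfile that fall into the cases above, a small checker like the following can be run over it. This is an added example, not code from Docker or its documentation; the rule names, the sample Dockerfile and the downloads.example.invalid host are made up for illustration, and archives are recognised by filename only.

```python
import json
import re
import shlex

SAMPLE = """\
FROM alpine:3.19
# constructed sample input; hosts and paths are placeholders
ADD http://www.your-source.file/url /destination/path
ADD https://downloads.example.invalid/tool.bin \\
    /usr/local/bin/tool
ADD file.tar.xz /destination/path
ADD --chown=app:app ["config.yml", "/etc/app/"]
"""

# First match wins; the archive rule is a filename heuristic (assumption).
RULES = [
    ("remote-no-tls", re.compile(r"^http://", re.I)),
    ("remote-url", re.compile(r"^https://", re.I)),
    ("auto-extract", re.compile(r"\.(tar(\.(gz|bz2|xz))?|tgz|tbz2|txz)$", re.I)),
]

def logical_lines(text):
    """Yield (first_line_no, instruction), joining backslash continuations."""
    buf, start = "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        start = start or n
        if line.endswith("\\"):
            buf += line[:-1] + " "
        else:
            yield start, buf + line
            buf, start = "", 0

def add_sources(args):
    """Return the <src> items of an ADD instruction (shell or JSON form)."""
    args = re.sub(r"^(--\S+\s+)+", "", args.strip())  # drop flags such as --chown
    parts = json.loads(args) if args.startswith("[") else shlex.split(args)
    return parts[:-1]  # the last item is <dest>

def check_dockerfile(text):
    """Return (line, rule, src) for each ADD source; plain files get 'use-copy'."""
    findings = []
    for n, instr in logical_lines(text):
        m = re.match(r"ADD\s+(.*)", instr, re.I | re.S)
        for src in add_sources(m.group(1)) if m else []:
            rule = next((name for name, rx in RULES if rx.search(src)), "use-copy")
            findings.append((n, rule, src))
    return findings
```

Calling check_dockerfile(SAMPLE) returns one finding per ADD source: the two remote downloads, the archive that would be unpacked automatically, and the plain file that COPY would handle identically.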
Which to Use?
Well, according to Docker’s official documentation,
COPY should always be your go-to command, as it is more transparent than ADD.
Thanks for reading!