
ADD vs COPY in Docker

In this post, we'll learn what the ADD and COPY commands in Docker are, how they differ, and why COPY is more secure than ADD.

Ahmed Abdulrahman
Mar 17th, 2020 • ☕️ 1 min read

ADD and COPY are both Docker commands that serve similar purposes. Although there are slight differences in their functionality, they essentially perform the same task: copying files from a specific location into a Docker image.

How they differ

ADD Command

It copies new files or directories from <src> and adds them to the filesystem of the container at the path <dest>.

The syntax for this command looks like this:

ADD <src> <dest>

It also has two more features:

  • Copy local compressed archives and automatically extract them into the given destination (this applies to local files only):
ADD file.tar.xz /destination/path
  • Download and copy files from a remote URL to the given destination:
ADD http://www.your-source.file/url /destination/path

COPY Command

Unlike ADD, the COPY command aims to cover the majority of copy-files-into-a-container use cases without any surprises:

  • It doesn’t support URLs as a <src> argument so you can’t use it to download files from remote locations.
  • It doesn’t give any special treatment to archives. So, if you want to COPY an archive file it will land in the container exactly as it appears in the build context without extracting it.

Why COPY is more secure

  • Remote URLs should be declared over a secure TLS connection and their origins need to be validated as well to prevent man-in-the-middle attacks.
  • COPY allows separating the addition of an archive from remote locations and unpacking it as different layers, which optimizes the image cache. If remote files are needed, combining all of them into one RUN command that downloads, extracts, and cleans up afterwards produces a single layer instead of the several layers that would be required if ADD were used.
  • ADD automatically extracts local archives to the destination directory. While this may be acceptable, it adds the risk of Zip Bombs and Zip Slip vulnerabilities that could then be triggered automatically.
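
A small Dockerfile check built on the three risks above, as an added example that is not code from the original post: it labels every ADD instruction as a plain-HTTP download, an unverified HTTPS download, an auto-extracted local archive, or a case where COPY would do. The function names, finding labels and the filename-based archive heuristic are assumptions of this example, and only shell-form instructions are handled.

```python
import re

# Filename heuristic (assumption of this example): Docker decides by file
# content, not by name, whether a local tar archive gets unpacked.
ARCHIVE = re.compile(r"\.(tar|tgz|txz|tbz2|tar\.(gz|bz2|xz))$", re.IGNORECASE)

def logical_lines(text):
    """Yield (first_line_no, instruction) with backslash continuations joined."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not buf and (not line or line.startswith("#")):
            continue  # skip blank lines and comments between instructions
        start = start or no
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, buf + line
        buf, start = "", None

def audit_add(text):
    """Return a list of (line_no, finding) for each shell-form ADD instruction."""
    findings = []
    for no, instr in logical_lines(text):
        parts = instr.split()  # JSON/exec form (ADD ["a", "b"]) is not handled
        if not parts or parts[0].upper() != "ADD":
            continue
        args = [p for p in parts[1:] if not p.startswith("--")]  # drop flags
        for src in args[:-1]:  # the last argument is <dest>
            if src.lower().startswith("http://"):
                findings.append((no, "remote-url-no-tls"))
            elif src.lower().startswith("https://"):
                findings.append((no, "remote-url-unverified"))
            elif ARCHIVE.search(src):
                findings.append((no, "auto-extracts-archive"))
            else:
                findings.append((no, "use-copy"))
    return findings

# Constructed sample input, reusing the two ADD forms shown in the post.
SAMPLE = """\
FROM alpine
ADD file.tar.xz /destination/path
ADD http://www.your-source.file/url /destination/path
ADD --chown=app:app \\
    config.yml /app/
COPY src/ /app/src/
"""

if __name__ == "__main__":
    for no, finding in audit_add(SAMPLE):
        print(f"line {no}: {finding}")
```
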

Which to Use?

Well, according to Docker’s official documentation, COPY should always be your go-to command, as it is more transparent than ADD.

That’s it!


Thanks for reading!
