
Switch to COPY commands in dockerfiles #3389

Merged

Conversation

jamshale
Contributor

@jamshale jamshale commented Dec 9, 2024

Using the ADD instruction instead of COPY for local resources in Dockerfiles can lead to several issues, including unexpected behavior, increased complexity, and security risks. The ADD instruction has additional features that can introduce unintended side effects, such as automatically extracting compressed files and fetching remote resources. This can make the behavior of the instruction less predictable and harder to understand, or even lead to security issues if, for example, due to a typo in the source path, the ADD instruction fetches a remote resource instead of copying a local file.

If you only need to copy local files or directories into your Docker image, it is recommended to use the COPY instruction instead. Only use the ADD instruction when you need its additional features, such as fetching remote resources or extracting compressed files. See also the rule S7026 for more information on using the ADD instruction to fetch remote resources.

Easy fix for the low-rated security issues in Sonarcloud.
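As an added example (not part of this PR or the project's code), a small Python check that flags ADD instructions whose sources are all local, non-archive paths, i.e. exactly the cases this PR rewrites to COPY; the sample Dockerfile is constructed and archive detection by file suffix is an assumed approximation of Docker's behaviour.

```python
import json
import re
import shlex

# ADD's extra behaviours apply only to these sources: remote URLs are fetched at build
# time and recognised tar archives are auto-extracted (approximated here by suffix).
REMOTE = re.compile(r"^(https?|ftp)://", re.IGNORECASE)
ARCHIVE = re.compile(r"\.(tar|tar\.(gz|bz2|xz)|tgz|tbz2|txz)$", re.IGNORECASE)

def _instructions(text):
    """Yield (line_no, INSTRUCTION, argument string), joining backslash continuations."""
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # blank and comment lines are ignored
            continue
        start = start if buf else no
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        parts, buf = (buf + line).split(None, 1), ""
        if len(parts) == 2:
            yield start, parts[0].upper(), parts[1]

def _sources(args):
    """Source operands of an ADD/COPY argument string (shell or JSON exec form)."""
    rest = args.strip()
    while rest.startswith("--"):               # skip options such as --chown=... --chmod=...
        rest = rest.partition(" ")[2].lstrip()
    tokens = json.loads(rest) if rest.startswith("[") else shlex.split(rest)
    return tokens[:-1]                         # the last operand is the destination

def needless_add(text):
    """Return [(line_no, sources)] for ADD instructions that only copy local files."""
    findings = []
    for no, ins, args in _instructions(text):
        if ins == "ADD":
            srcs = _sources(args)
            if srcs and not any(REMOTE.match(s) or ARCHIVE.search(s) for s in srcs):
                findings.append((no, srcs))
    return findings
# Constructed sample: lines 2 and 3 are plain local copies (flag them); 4 and 5 need ADD.
SAMPLE = """\
FROM python:3.12-slim
ADD --chown=1001:1001 requirements.txt /app/requirements.txt
ADD ["src/", "/app/src/"]
ADD https://example.invalid/tool.tar.gz /opt/
ADD vendor.tar.gz /opt/vendor/
"""
```

Each reported line is a candidate for a mechanical `ADD` to `COPY` rewrite; URL and archive sources are left alone because only there does ADD's extra behaviour matter.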


@swcurran swcurran left a comment


Fine to do. Looks like it didn’t get rid of all of the Warnings :-(

@jamshale
Contributor Author

jamshale commented Dec 9, 2024

No, there are other warnings. I'll try and look at these in another ticket. These are the easiest ones to fix and won't have any side effects.


sonarqubecloud bot commented Dec 9, 2024

Quality Gate failed

Failed conditions
4 Security Hotspots

See analysis details on SonarQube Cloud

@jamshale jamshale merged commit 293f397 into openwallet-foundation:main Dec 9, 2024
10 of 11 checks passed

2 participants