When building a Docker image, the COPY and ADD directives are used to copy files from the build context into the image filesystem, which can result in unintended inclusion of resources that should not be part of the image.

Why is this an issue?

The COPY and ADD directives support recursive directory copies and glob patterns. When entire directories are copied or when glob patterns are used, unexpected files may be included in the image — including sensitive data such as credentials, private keys, or configuration files that are present in the build context but not intended for the container.

What is the potential impact?

If a Docker image inadvertently includes sensitive files, any party that can access the image or a running container may be able to extract that data. This can lead to credential theft, exposure of private keys, or leakage of configuration details that can be leveraged for further attacks against the application or its infrastructure.

How to fix it

Code examples

Noncompliant code example

Copying the complete context directory:

FROM ubuntu:22.04
# Noncompliant: the whole build context, including anything sensitive in it, lands in the image
COPY . .
CMD /run.sh

Copying multiple files using glob patterns:

FROM ubuntu:22.04
# Noncompliant: the glob matches every file starting with "example", not only the ones intended
COPY ./example* /
COPY ./run.sh /
CMD /run.sh

Compliant solution

FROM ubuntu:22.04
COPY ./example1 /example1
COPY ./example2 /example2
COPY ./run.sh /
CMD /run.sh
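As an added check, not part of the original rule description or of any vendor tool: a small Python script that scans a Dockerfile for COPY and ADD instructions whose source is the entire build context or a glob pattern, the two noncompliant shapes shown above. It joins backslash line continuations, understands both the shell form and the JSON-array form of the instruction, and ignores leading flags such as --chown. The sample Dockerfile embedded in it is constructed for this example; skipping --from=<stage> copies is a design choice of this script (they read from an earlier build stage rather than the host context), not something the rule states.

```python
import json
import re
import shlex

# Constructed sample Dockerfile (not from the original page) mixing the
# noncompliant and compliant patterns the rule describes.
SAMPLE_DOCKERFILE = """\
FROM ubuntu:22.04
# Noncompliant: whole build context
COPY . .
# Noncompliant: glob pattern
COPY ./example* /
ADD --chown=app:app ./conf/* /etc/app/
COPY --from=builder /app/bin/server /usr/local/bin/server
COPY ./example1 /example1
COPY ./run.sh /
CMD /run.sh
"""

GLOB_CHARS = re.compile(r"[*?\[]")


def parse_instructions(text):
    """Yield (line_number, instruction_text) for each logical instruction.

    Backslash line continuations are joined, and blank lines and comment
    lines (those starting with '#') are skipped. The reported line number
    is the line on which the instruction starts."""
    pending, start = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not pending and (not line or line.startswith("#")):
            continue
        if start is None:
            start = n
        if line.endswith("\\"):
            pending.append(line[:-1].rstrip())
            continue
        pending.append(line)
        yield start, " ".join(pending)
        pending, start = [], None


def copy_sources(instruction_text):
    """Return (INSTRUCTION, flags, sources, destination) for a COPY or ADD
    instruction, or None for any other instruction."""
    parts = instruction_text.split(None, 1)
    if len(parts) < 2 or parts[0].upper() not in ("COPY", "ADD"):
        return None
    rest = parts[1]
    flags = []
    # Peel off leading --flags such as --from=builder or --chown=app:app.
    while rest.startswith("--"):
        flag, _, rest = rest.partition(" ")
        flags.append(flag)
        rest = rest.lstrip()
    # JSON form: COPY ["src", "dest"]; otherwise shell-style whitespace split.
    args = json.loads(rest) if rest.startswith("[") else shlex.split(rest)
    if len(args) < 2:
        return None
    return parts[0].upper(), flags, args[:-1], args[-1]


def is_broad_source(src):
    """True when a source path is the context root ('.', './', '/') or
    contains a glob metacharacter (*, ? or [)."""
    normalized = src.rstrip("/") or "/"
    if normalized in (".", "/"):
        return True
    return bool(GLOB_CHARS.search(src))


def find_broad_copies(text):
    """Return [(line_number, INSTRUCTION, source)] for every COPY/ADD source
    that copies the whole context or uses a glob. Copies with --from=<stage>
    are skipped (assumption of this script: they read from an earlier build
    stage, not from the host build context)."""
    findings = []
    for lineno, instr in parse_instructions(text):
        parsed = copy_sources(instr)
        if parsed is None:
            continue
        name, flags, sources, _dest = parsed
        if any(f.startswith("--from=") for f in flags):
            continue
        for src in sources:
            if is_broad_source(src):
                findings.append((lineno, name, src))
    return findings


if __name__ == "__main__":
    for lineno, name, src in find_broad_copies(SAMPLE_DOCKERFILE):
        print(f"line {lineno}: {name} source '{src}' copies more than a named file")
```

Run against a real Dockerfile by passing its contents to find_broad_copies; each finding names the instruction and the offending source so the author can replace it with explicit file paths as in the compliant solution.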
