Prefer Copy Over Add

Description

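This policy ensures that container images are built using instructions that result in known outcomes. Specifically, it advocates using the COPY instruction rather than ADD in Dockerfiles. COPY copies files and directories into the image unchanged, whereas ADD can also fetch remote URLs and automatically extract local tar archives, so its result is harder to predict from the Dockerfile alone. Adhering to this policy makes the image-building process more predictable and transparent.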

Kyverno policy

Refer to the Nirmata curated policies - prefer-copy-over-add.

Resource example

Below is an example of a Dockerfile that complies with this policy.

FROM ubuntu:latest

# Update the package repository
RUN apt-get update

WORKDIR /app

COPY . /app

EXPOSE 8080

# Example: Run a command when the container starts
CMD ["echo", "ADD Instruction is not present"]
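
The same rule can be checked before an image is ever built, for example in CI. The script below is an added example, not the Nirmata policy or project code; the function names and both sample Dockerfiles are constructed for illustration. It assumes the default `\` escape character and does not parse heredoc bodies.

```python
# Added example: flag ADD instructions in a Dockerfile (names and samples are constructed).
# Assumes the default "\" escape character; heredoc bodies are not parsed.

def logical_lines(text):
    """Yield (first_line_no, instruction) with backslash continuations joined."""
    buf, start = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are dropped, even mid-continuation
        if start is None:
            start = no
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line)
        yield start, " ".join(buf)
        buf, start = [], None
    if buf:  # file ended in the middle of a continuation
        yield start, " ".join(buf)

def find_add_instructions(text):
    """Return [(line_no, instruction)] for every ADD, including ONBUILD ADD."""
    hits = []
    for no, instr in logical_lines(text):
        words = instr.split()
        if words and words[0].upper() == "ONBUILD":
            words = words[1:]  # ONBUILD wraps another instruction
        if words and words[0].upper() == "ADD":  # instructions are case-insensitive
            hits.append((no, instr))
    return hits

# Constructed sample: mirrors the compliant Dockerfile shown above.
COMPLIANT = """FROM ubuntu:latest
RUN apt-get update
WORKDIR /app
COPY . /app
CMD ["echo", "ADD Instruction is not present"]
"""

# Constructed sample: two violations plus look-alikes that must not be flagged.
NON_COMPLIANT = """FROM ubuntu:latest
# ADD in a comment is ignored
RUN echo \\
    ADD is just an argument here
add https://example.com/app.tar.gz /app/
ONBUILD ADD . /src
"""

if __name__ == "__main__":
    for no, instr in find_add_instructions(NON_COMPLIANT):
        print(f"line {no}: use COPY instead of: {instr}")
```

Only the first word of each joined instruction is inspected, so the word ADD inside a CMD string, a comment, or a continued RUN line is not reported.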