Kaito Udagawa

Avoid COPY . . in Dockerfile

TL;DR

Use COPY src src.

Security Consideration

Refer to Sysdig's post.

COPY . . copies the whole build context, so any credentials lying in it are placed in the container by default. You need to configure .dockerignore to avoid this, but maintaining .dockerignore is tedious and error-prone, just like .gitignore.

Whitelist copying, like COPY src src and COPY build build, copies only the listed paths and never causes this problem.

Layer efficiency

The files a step needs differ from step to step. For example, npm install needs only package.json and package-lock.json. Overwriting them in a later step with COPY . . can cause a consistency problem. In addition, with the builder pattern in Node.js, Ruby, Python, and so on, only the runner container, not the builder container, needs the files under src.
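As an added example (not code from the post or from Sysdig), here is a small Python pre-build check that parses the COPY lines of a Dockerfile, applies a simplified subset of .dockerignore semantics, and lists which build-context files each COPY would put in the image, flagging credential-looking basenames. The file list, the .dockerignore and both Dockerfiles are constructed for the example; the whitelist Dockerfile follows the builder pattern described above (package files for npm install in the builder stage, src only in the runner stage). The glob translation and COPY parsing are deliberately simplified: no JSON-form COPY, and none of Docker's special cases for re-including files under an excluded directory.

```python
"""Added pre-build check: which build-context files would each COPY line put in the image?"""
import fnmatch
import re

# Constructed sample build context, paths relative to the context root.
CONTEXT_FILES = [
    ".env",                  # credentials at the root
    ".git/config",
    "ci/deploy_key.pem",
    "package.json",
    "package-lock.json",
    "src/index.js",
    "src/config/local.env",  # a secret that slipped into src
    "node_modules/left-pad/index.js",
]

# Constructed .dockerignore that, like many real ones, forgets the root .env.
DOCKERIGNORE = "node_modules\n.git\n**/*.pem\n"

# Constructed Dockerfiles: the broad copy versus the whitelist form from the post.
DOCKERFILE_BROAD = """
FROM node:20
WORKDIR /app
COPY . .
RUN npm ci
"""

DOCKERFILE_WHITELIST = """
FROM node:20 AS builder
WORKDIR /app
COPY package.json package-lock.json ./
RUN npm ci
FROM node:20-slim
WORKDIR /app
COPY --from=builder /app/node_modules node_modules
COPY src src
"""

# Basenames that usually hold credentials; used only to flag findings.
SECRET_NAME_PATTERNS = [".env", "*.env", "*.pem", "*.key", "id_rsa*"]


def _glob_to_regex(pattern: str):
    """Simplified .dockerignore/COPY glob: '**' spans directories, '*' and '?' stay within one."""
    escaped = re.escape(pattern.strip().lstrip("/"))
    regex = (escaped.replace(r"\*\*/", "(?:.*/)?").replace(r"\*\*", ".*")
                    .replace(r"\*", "[^/]*").replace(r"\?", "[^/]"))
    return re.compile("^" + regex + "$")


def is_ignored(path: str, dockerignore: str) -> bool:
    """Last matching rule wins, '!' negates, and a rule matching a parent directory covers the file."""
    parts = path.split("/")
    candidates = [path] + ["/".join(parts[:n]) for n in range(1, len(parts))]
    ignored = False
    for rule in dockerignore.splitlines():
        rule = rule.strip()
        if not rule or rule.startswith("#"):
            continue
        negate = rule.startswith("!")
        if any(_glob_to_regex(rule.lstrip("!")).match(c) for c in candidates):
            ignored = not negate
    return ignored


def files_for_source(src: str, files, dockerignore: str):
    """Files one COPY source selects: '.' is everything, a directory is its subtree, anything else a glob."""
    src = (src[2:] if src.startswith("./") else src).rstrip("/")
    if src in ("", "."):
        selected = list(files)
    else:
        regex = _glob_to_regex(src)
        selected = [f for f in files if regex.match(f) or f.startswith(src + "/")]
    return [f for f in selected if not is_ignored(f, dockerignore)]


_COPY_RE = re.compile(r"^\s*COPY\s+(.+)$", re.IGNORECASE)


def audit(dockerfile: str, files=CONTEXT_FILES, dockerignore: str = DOCKERIGNORE):
    """Map each context-reading COPY line to (all files it copies, the secret-looking ones among them)."""
    report = {}
    for line in dockerfile.splitlines():
        m = _COPY_RE.match(line)
        if not m:
            continue
        tokens = m.group(1).split()
        if any(t.startswith("--from=") for t in tokens):
            continue  # reads from another stage, not from the build context
        sources = [t for t in tokens if not t.startswith("--")][:-1]  # last token is the destination
        copied = set()
        for src in sources:
            copied.update(files_for_source(src, files, dockerignore))
        flagged = [f for f in sorted(copied)
                   if any(fnmatch.fnmatchcase(f.rsplit("/", 1)[-1], p) for p in SECRET_NAME_PATTERNS)]
        report[line.strip()] = (sorted(copied), flagged)
    return report
```

Calling audit(DOCKERFILE_BROAD) shows COPY . . pulling in the root .env that the .dockerignore forgot, while audit(DOCKERFILE_WHITELIST) shows the package-file COPY carrying nothing sensitive. The whitelist form is not a guarantee, though: the same run flags src/config/local.env under COPY src src, which is exactly why a check like this belongs in CI rather than relying on the COPY style alone.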

Conclusion

I suggest using whitelist copying to avoid these security problems. A shorter build time comes as a bonus.

Top comments (1)

Andrei Dascalu

This is misleading.

  1. It only refers to JS projects that use package files in the root folder - it's not meaningful generally
  2. Copying package or lock later is no issue unless you modify them during the build, which you shouldn't; otherwise you're intentionally breaking one of the main reasons to have containers: consistency
  3. It's not like copying a folder prevents anything by itself. You could have credentials in src. You shouldn't, but you could.
  4. You shouldn't have credentials in the repository.
  5. You should maintain a dockerignore just as you should maintain a gitignore. It's tedious (and so are many things), but that doesn't mean it's to be skipped.