Ahmed Abdulrahman's Desk

ADD and COPY both docker commands that serve similar purposes. Although there are slight differences in their functionality, but they essentially perform the same task that lets you copy files from a specific location into a Docker image.

How they differ

ADD Command

It copies new files or directories from <src> and adds them to the filesystem of the container at the path <dest>.

The syntax look for this command:

1ADD <src> … <dest>

It also have two more features:

Copy and automatically auto-extract local-only compressed files into given destination

1ADD file.tar.xz /destination/path

Download and copy files from remote URL to the given destination:

1ADD http://www.your-source.file/url  /destination/path

COPY Command

Unlike ADD, COPYcommand aims to meet the majority of the copy files into container use cases without any surprises:

It doesn’t support URLs as a <src> argument so you can’t use it to download files from remote locations.
It doesn’t give any special treatment to archives. So, if you want to COPY an archive file it will land in the container exactly as it appears in the build context without extracting it.

Why COPY is more secure

Remote URLs should be declared over a secure TLS connection and their origins need to be validated as well to prevent man-in-the-middle attacks.
COPY allows separating the addition of an archive from remote locations and unpacking it as different layers, which optimizes the image cache. If remote files are needed, combining all of them into one RUN command that downloads, extracts, and cleans-up afterwards optimizes a single layer operation over several layers that would be required if ADD were used.
ADD automatically extracts local archives to the destination directory. While this may be acceptable, it adds the risk of Zip Bombs and Zip Slip vulnerabilities that could then be triggered automatically.