Docker Copy Entire Context
Description
Detects Docker COPY or ADD instructions whose source argument pulls in the whole build context, for example 'COPY . .' or 'COPY ./* /'. This is a security risk because the build context usually holds files that were never meant to ship in the image: the .git directory, .env files, private keys, CI tokens, test fixtures and build caches. Anything copied into a layer stays retrievable from the image even if a later instruction deletes it, so the exposure persists wherever the image is pushed, and the unnecessary content widens the attack surface. A .dockerignore file narrows the context but is easy to leave incomplete, so the safer pattern is to name exactly the files and directories the image needs.
Detection Strategy
• Look for Docker COPY or ADD commands at the start of a line
• Check whether a source argument names the whole context, such as '.' or './*' (as in 'COPY . .' or 'COPY ./* /'), or uses a wildcard that can match arbitrary files in the context
• Flag lines containing these risky copy patterns as vulnerable
• Report each instance where the entire context directory could be exposed
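The detection strategy above, implemented as a small stand-alone scanner. This is an added example, not Fluid Attacks' scanner or any code from the original page, and the sample Dockerfile it runs over is constructed for the example. It joins backslash continuations, handles both the shell and the JSON form of COPY/ADD, skips --from copies (whose sources come from another stage or image rather than the build context), and flags a source that is the whole context ('.', './', '/', '*', './*') or contains a glob metacharacter; flagging any glob goes slightly beyond the two literal patterns named above, but it is what catches the page's own 'COPY ./example* /' case.

```python
import json
import re
import shlex
from dataclasses import dataclass

# Instruction keywords are case-insensitive in Dockerfiles; match only at line start.
_INSTR = re.compile(r"^(COPY|ADD)\s+(.*)$", re.IGNORECASE)
_GLOB_CHARS = "*?["


@dataclass
class Finding:
    line: int          # 1-based line where the logical instruction starts
    instruction: str   # "COPY" or "ADD"
    source: str        # the offending source argument
    text: str          # the full instruction, continuations joined


def _logical_lines(dockerfile: str):
    """Yield (line_number, text) per instruction, joining backslash continuations.
    Comment and blank lines are skipped, also inside a continuation."""
    buf, start = [], None
    for n, raw in enumerate(dockerfile.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if start is None:
            start = n
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line)
        yield start, " ".join(buf)
        buf, start = [], None
    if buf:  # continuation at end of file
        yield start, " ".join(buf)


def _split_args(rest: str):
    """Return (flags, args) for the text after COPY/ADD in shell or JSON form."""
    rest = rest.strip()
    flags = []
    while rest.startswith("--"):          # e.g. --chown=app:app --from=builder
        flag, _, rest = rest.partition(" ")
        flags.append(flag)
        rest = rest.lstrip()
    if rest.startswith("["):              # exec form: COPY ["src", "dst"]
        try:
            return flags, json.loads(rest)
        except ValueError:
            pass
    try:
        return flags, shlex.split(rest)
    except ValueError:                    # unbalanced quotes: fall back to whitespace split
        return flags, rest.split()


def is_broad_source(src: str) -> bool:
    """True if a COPY/ADD source is the whole build context or a glob over it."""
    s = src.strip()
    if s.startswith("./"):
        s = s[2:]
    s = s.rstrip("/")
    if s in ("", ".", "*"):   # covers ".", "./", "/", "*", "./*"
        return True
    return any(ch in s for ch in _GLOB_CHARS)   # wildcard such as ./example*


def scan_dockerfile(dockerfile: str) -> list:
    """Return a Finding for every COPY/ADD source that could expose the whole context."""
    findings = []
    for lineno, text in _logical_lines(dockerfile):
        m = _INSTR.match(text)
        if not m:
            continue
        flags, args = _split_args(m.group(2))
        # --from copies read another stage or image, not the build context
        if any(f.startswith("--from") for f in flags) or len(args) < 2:
            continue
        for src in args[:-1]:  # every argument but the last is a source
            if is_broad_source(src):
                findings.append(Finding(lineno, m.group(1).upper(), src, text))
    return findings


# Constructed sample Dockerfile for this example (not from the original page).
SAMPLE_DOCKERFILE = """\
FROM ubuntu:22.04
# copies the whole build context, including .git and .env if present
COPY . /app
ADD --chown=app:app ./* /srv/
COPY --from=builder /opt/build/bin /usr/local/bin
COPY ["requirements.txt", "/app/"]
COPY ./example* /
COPY src/main.py \\
     src/util.py \\
     /app/src/
"""

if __name__ == "__main__":
    for f in scan_dockerfile(SAMPLE_DOCKERFILE):
        print(f"Dockerfile:{f.line}: {f.instruction} source '{f.source}' exposes the context: {f.text}")
```

Run against the sample, the scanner reports lines 3, 4 and 7 and stays quiet on the --from copy, the explicit JSON-form file and the multi-line COPY of named files. Treating the last argument as the destination is correct for both forms; a real scanner would also parse the .dockerignore file to downgrade findings whose sensitive paths are excluded from the context.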
Vulnerable code example
# Base image
FROM ubuntu:latest
# Vulnerable: the wildcard matches every file and directory in the context whose name starts with "example", including anything sensitive that shares the prefix, and copies it to the image root
COPY ./example* /
# run.sh reaches the image only through the wildcard copy above; this shell form also runs it via /bin/sh -c
CMD /run.sh
Secure code example
# Base image with specific version for reproducibility
FROM ubuntu:22.04
# Explicitly specify each file to copy to avoid accidental inclusion
COPY ./example1 /example1
COPY ./example2 /example2
COPY ./run.sh /run.sh
...