Will It Vibe logoWill It Vibe?
DOCKER-007Low severity-4 points

ADD used for a local file (prefer COPY)

Part of Architecture & Best Practices, which counts for 15% of the overall score. When this check fires it deducts 4 points from that category, once per scan, no matter how many places it turns up.

What it detects

ADD has surprising behavior (URL fetching, automatic tar extraction). For plain local files COPY is clearer and safer, and Docker best practice recommends it.

Why it matters

ADD does more than copy: it can fetch URLs and auto-extract tar archives, which makes its behavior easy to misread and occasionally surprising. For a plain local file or directory, COPY does exactly one predictable thing.

How to fix it

Replace ADD with COPY for local files and directories. Keep ADD only where you rely on its tar auto-extraction or (better replaced) URL fetching. The source and destination arguments stay the same.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Architecture & Best Practices checks