Whole context copied before installing dependencies
Part of Architecture & Best Practices, which counts for 15% of the overall score. When this check fires it deducts 4 points from that category, once per scan, no matter how many places it turns up.
What it detects
COPY . . appears before a dependency install, so any source change busts the dependency layer cache and forces a full reinstall on every build. Copy the lockfile/manifest and install first, then copy the rest. Heuristic.
Why it matters
Copying the whole build context before installing dependencies means any change to a source file invalidates the dependency layer, so the full install re-runs on every build. On real projects that turns a small edit into minutes of reinstall. This is a heuristic based on instruction order.
How to fix it
Copy only the dependency manifest and lockfile first (package.json and package-lock.json, requirements.txt, go.mod and go.sum), run the install, then COPY the rest of the source. The dependency layer is then cached until the manifest actually changes.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo