When building a Docker image from a Dockerfile, a context directory is used and sent to the Docker daemon before the actual build starts. This context directory usually contains the Dockerfile itself, along with all the files that will be necessary for the build to succeed. This generally includes:
The COPY and ADD directives in the Dockerfile are then used to actually copy content from the context directory into the image file system.
When COPY or ADD are used to recursively copy entire top-level directories, or multiple items whose names are only determined at build time, unexpected files might get copied into the image file system. This could compromise the confidentiality of those files.
There is a risk if you answered yes to any of those questions.
Keep in mind that the content of the context directory might change depending on the build environment and over time.
COPY and ADD sources definition.

Copying the complete context directory:

FROM ubuntu:22.04
# Sensitive
COPY . .
CMD /run.sh
Copying multiple files and directories whose names are expanded at build time:

FROM ubuntu:22.04
# Sensitive
COPY ./example* /
COPY ./run.sh /
CMD /run.sh
The same build with each source named explicitly, so only the intended files are copied:

FROM ubuntu:22.04
COPY ./example1 /example1
COPY ./example2 /example2
COPY ./run.sh /
CMD /run.sh
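As an added example (not part of the original page), a small checker that flags the two sensitive patterns above in a Dockerfile: a COPY/ADD source that is the whole context directory, or one that contains a glob expanded at build time. It assumes plain Dockerfile syntax with backslash continuations, shell or JSON argument form, and leading options such as --chown; the sample Dockerfiles are constructed from the ones shown above.

```python
import json
import shlex

WHOLE_CONTEXT = "copies the entire build context"
GLOB_SOURCE = "source is expanded by a glob at build time"


def _logical_lines(dockerfile):
    """Yield (line_number, text) with backslash continuations joined and comments skipped."""
    buf, start = [], 0
    for number, raw in enumerate(dockerfile.splitlines(), start=1):
        line = raw.strip()
        if not buf and (not line or line.startswith("#")):
            continue
        if not buf:
            start = number
        if line.endswith("\\"):
            buf.append(line[:-1].rstrip())
            continue
        buf.append(line)
        yield start, " ".join(buf)
        buf = []


def find_sensitive_copies(dockerfile):
    """Return [(line, instruction, source, reason)] for every COPY/ADD source that is the
    whole context directory or a build-time glob; an empty list means the file is clean."""
    findings = []
    for number, text in _logical_lines(dockerfile):
        parts = text.split(None, 1)
        if len(parts) < 2 or parts[0].upper() not in ("COPY", "ADD"):
            continue
        instruction, args = parts[0].upper(), parts[1].strip()
        while args.startswith("--"):  # skip options such as --chown=... or --from=...
            args = args.partition(" ")[2].lstrip()
        # Exec (JSON) form: ["src", ..., "dest"]; shell form: src ... dest
        tokens = json.loads(args) if args.startswith("[") else shlex.split(args)
        for src in tokens[:-1]:  # the last token is always the destination
            if src.rstrip("/") in ("", "."):
                findings.append((number, instruction, src, WHOLE_CONTEXT))
            elif any(c in src for c in "*?["):
                findings.append((number, instruction, src, GLOB_SOURCE))
    return findings


# Constructed samples reproducing the Dockerfiles discussed on this page.
SENSITIVE_WHOLE = "FROM ubuntu:22.04\n# Sensitive\nCOPY . .\nCMD /run.sh\n"
SENSITIVE_GLOB = "FROM ubuntu:22.04\n# Sensitive\nCOPY ./example* /\nCOPY ./run.sh /\nCMD /run.sh\n"
COMPLIANT = "FROM ubuntu:22.04\nCOPY ./example1 /example1\nCOPY ./example2 /example2\nCOPY ./run.sh /\nCMD /run.sh\n"
```

Running find_sensitive_copies over the three samples reports line 3 of each sensitive file and nothing for the compliant one.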