4.2.4.5 ADD Safer Alternatives

A focused guide to ADD Safer Alternatives, connecting core concepts with practical Docker and container operations.

ADD safer alternatives are the explicit, more predictable instruction patterns that achieve the same practical results ADD's convenience features provide, without introducing the ambiguity or reproducibility risk that comes with relying on ADD itself.

Alternative to Automatic Archive Extraction

Rather than relying on ADD to automatically extract an archive, an explicit COPY followed by a RUN instruction performing the extraction makes the behavior visible and unambiguous to anyone reading the Dockerfile.

COPY release.tar.gz /tmp/
RUN tar -xzf /tmp/release.tar.gz -C /app/ && rm /tmp/release.tar.gz

This achieves the same end result as ADD release.tar.gz /app/, but makes the extraction step explicit rather than implicit in the choice of instruction.

Alternative to Fetching From a Remote URL

Rather than ADD's remote URL fetching, an explicit RUN instruction using a tool like curl allows for checksum verification, ensuring the build fails clearly if the fetched content does not match what was expected, rather than silently using whatever happens to be available.

# Replace expectedsha256 with the known-good SHA-256 digest of the file
RUN curl -fsSL https://example.com/dataset.csv -o /app/data.csv \
    && echo "expectedsha256  /app/data.csv" | sha256sum -c -

Alternative for Reliable Dependency Fetching

For dependencies specifically, using a language ecosystem's own dependency manager with a lockfile is generally preferable to fetching individual files directly, since it provides proper version pinning and integrity verification as part of the standard tooling.

# Pin exact versions in requirements.txt; pip verifies hashes when entries carry --hash values
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt

Why Explicit Alternatives Are Worth the Extra Instruction

Although these alternatives require an additional instruction compared to ADD's single-line convenience, the resulting Dockerfile is more transparent about exactly what is happening, and the build itself is more trustworthy, since each step's behavior is fully visible rather than relying on an instruction's less obvious side effects.

docker build --no-cache -t myapp .

Why This Matters

Choosing explicit alternatives over ADD's convenience features is a small effort that pays off significantly in long-term Dockerfile clarity and build reproducibility, particularly for production images where these qualities matter most.
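
The patterns above can be checked automatically before a build. The following Python script is an added example, not part of the original guide: it classifies each ADD source (remote URL, archive, plain file) and flags RUN downloads that carry no checksum or signature command. The rule names, the archive suffix list, the verification-tool heuristic, and the sample Dockerfile are assumptions made for this example, and only shell-form instructions are handled.

```python
import re

# Suffixes this example treats as archives that ADD would auto-extract (assumed list).
ARCHIVE_RE = re.compile(r"\.(tar|tar\.gz|tgz|tar\.bz2|tbz2|tar\.xz|txz)$", re.I)
URL_RE = re.compile(r"^https?://", re.I)
FETCH_RE = re.compile(r"\b(curl|wget)\b")
VERIFY_RE = re.compile(r"\b(sha256sum|sha512sum|shasum|gpg)\b")  # heuristic only

# Constructed sample Dockerfile; names and URLs are illustrative only.
SAMPLE = """\
FROM python:3.12-slim
ADD release.tar.gz /app/
ADD https://example.com/dataset.csv /app/data.csv
RUN curl -fsSL https://example.com/tool -o /usr/local/bin/tool
COPY requirements.txt .
RUN curl -fsSL https://example.com/dataset.csv -o /app/data.csv \\
    && echo "expectedsha256  /app/data.csv" | sha256sum -c -
"""


def logical_lines(text):
    """Yield (first_line_number, instruction), joining backslash continuations."""
    buf, start = "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments never form part of an instruction
        start = start if buf else n
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        yield start, buf + line
        buf = ""


def audit(text):
    """Return (line, rule, detail) for ADD usage and unverified downloads."""
    findings = []
    for n, instr in logical_lines(text):
        keyword, _, rest = instr.partition(" ")
        if keyword.upper() == "ADD":
            # Drop flags such as --chown=...; the last remaining token is the destination.
            for src in [a for a in rest.split() if not a.startswith("--")][:-1]:
                rule = ("add-remote-url" if URL_RE.match(src) else
                        "add-archive" if ARCHIVE_RE.search(src) else "add-plain-file")
                findings.append((n, rule, src))
        elif keyword.upper() == "RUN" and FETCH_RE.search(rest) and not VERIFY_RE.search(rest):
            findings.append((n, "unverified-download", rest))
    return findings
```

Calling `audit(SAMPLE)` reports lines 2, 3 and 4 and leaves the COPY and the checksum-verified curl untouched; a non-empty result can be used to fail a CI job.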