---
title: curl or wget instead of ADD
---

# curl or wget instead of ADD


## Metadata{% #metadata %}

**Id:** `dockerfile-curl-or-wget-instead-of-add`

**Platform:** Dockerfile

**Severity:** Low

**Category:** Best Practices

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.docker.com/develop/develop-images/dockerfile_best-practices/)

### Description{% #description %}

Using the Dockerfile `ADD` instruction to download files from HTTP or HTTPS URLs embeds externally hosted content in the image without any integrity check, which creates supply-chain and reproducibility risks if the remote resource changes or is compromised.

This rule flags Dockerfile `ADD` instructions whose source argument matches `http://` or `https://`. Instead, fetch remote artifacts with `curl` or `wget` in a `RUN` step, or use `COPY` for pre-downloaded local files.

When you download during the build, pin exact versions, validate integrity (for example, with a SHA256 checksum or a signature), and remove temporary files so that no unverified artifacts remain in the final image.

Secure pattern example using `curl` with checksum verification:

```dockerfile
# Secure: download with curl, verify the SHA256 digest, then extract and clean up.
# Replace expected_sha256 with the digest published for package-1.2.3.tar.gz.
RUN curl -fsSL https://example.com/package-1.2.3.tar.gz -o /tmp/package.tar.gz \
  && echo "expected_sha256  /tmp/package.tar.gz" | sha256sum -c - \
  && mkdir -p /usr/src/app \
  && tar -xzf /tmp/package.tar.gz -C /usr/src/app \
  && rm /tmp/package.tar.gz
```
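As an added example (not code from the Datadog rule or from the Docker documentation), the following Python checker implements the detection this rule describes: it joins backslash continuations, accepts both the shell and JSON forms of `ADD`, skips leading options such as `--chown`, and reports every source that is an `http://` or `https://` URL. The sample Dockerfiles are constructed to mirror the compliant and non-compliant examples below.

```python
import json
import re
# Constructed sample Dockerfiles modelled on the rule's examples (not Datadog's fixtures).
NON_COMPLIANT = """FROM openjdk:10-jdk
VOLUME /tmp
ADD https://example.com/big.tar.xz /usr/src/things/
RUN tar -xJf /usr/src/things/big.tar.xz -C /usr/src/things
"""
COMPLIANT = """FROM openjdk:10-jdk
ADD ./drop-http-proxy-header.conf /etc/apache2/conf-available
RUN mkdir -p /usr/src/things \\
    && curl -SL https://example.com/big.tar.xz \\
    | tar -xJC /usr/src/things
"""
# JSON (exec) form with a leading option; constructed URL for illustration only.
JSON_FORM = 'add --chown=app:app ["http://example.com/a.tgz", "/tmp/"]\n'

ADD_RE = re.compile(r"^ADD\s+(.*)$", re.IGNORECASE)
REMOTE_RE = re.compile(r"^https?://", re.IGNORECASE)


def logical_lines(text):
    """Yield (first_line_no, instruction) with backslash continuations joined."""
    buf, start = [], 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not buf:
            start = n
        if line.endswith("\\"):
            buf.append(line[:-1].rstrip())
            continue
        buf.append(line)
        yield start, " ".join(buf)
        buf = []


def add_sources(args):
    """Source arguments of an ADD instruction (shell or JSON form), skipping --options."""
    while args.startswith("--"):
        _, _, args = args.partition(" ")  # drop e.g. --chown=user:group
        args = args.strip()
    parts = json.loads(args) if args.startswith("[") else args.split()
    return parts[:-1]  # the final argument is the destination


def find_remote_add(text):
    """Return [(line_no, source)] for ADD instructions whose source is an http(s) URL."""
    findings = []
    for n, line in logical_lines(text):
        m = ADD_RE.match(line)
        if m:  # comment lines and other instructions never match
            findings += [(n, s) for s in add_sources(m.group(1)) if REMOTE_RE.match(s)]
    return findings
```

A local `ADD` source such as `./drop-http-proxy-header.conf` is not reported, matching the rule's scope.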

## Compliant Code Examples{% #compliant-code-examples %}

```dockerfile
# Compliant: the remote archive is fetched in a RUN step, not with ADD
FROM openjdk:10-jdk
RUN mkdir -p /usr/src/things \
    && curl -SL https://example.com/big.tar.xz \
    | tar -xJC /usr/src/things \
    && make -C /usr/src/things all
```

```dockerfile
# Compliant: ADD is used only for a local file; the remote archive is fetched with curl
FROM openjdk:10-jdk
ADD ./drop-http-proxy-header.conf /etc/apache2/conf-available
RUN mkdir -p /usr/src/things \
    && curl -SL https://example.com/big.tar.xz \
    | tar -xJC /usr/src/things \
    && make -C /usr/src/things all
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```dockerfile
# Non-compliant: ADD fetches a remote URL without any integrity check.
# ADD does not auto-extract remote archives, hence the separate tar step.
FROM openjdk:10-jdk
VOLUME /tmp
ADD https://example.com/big.tar.xz /usr/src/things/
RUN tar -xJf /usr/src/things/big.tar.xz -C /usr/src/things
RUN make -C /usr/src/things all
```
