iac/dockerfile/dockerfile-add-url
ADD from remote URL
medium · Dockerfile · iac-dockerfile
What it detects
ADD with an HTTP(S) URL downloads remote content at build time without verifying its integrity, and leaves the downloaded content unpinned. Prefer RUN with curl or wget and explicit checksum verification.
Remediation
Use RUN to download the file and verify it against a pinned hash (`curl -fsSLo <file> <url> && echo "<hash>  <file>" | sha256sum -c -`).
How it runs
Runs against Dockerfiles detected by path or basename. The checks are line-based and each finding comes with remediation guidance.
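As an added illustration (not the scanner's own implementation), a line-based check for this rule could look like the sketch below. The function names and the sample Dockerfile are constructed for the example; it folds backslash continuations, skips comments and flags such as `--chown`, and handles the JSON form of ADD.

```python
import json
import re

# Constructed sample Dockerfile; hosts and paths are placeholders.
SAMPLE = """\
FROM debian:bookworm-slim
# ADD https://example.com/commented-out.tgz /tmp/
ADD https://example.com/tool.tar.gz /opt/tool.tar.gz
add --chown=app:app \\
    https://example.com/cfg.json /etc/app/cfg.json
ADD ["https://example.com/lib.so", "/opt/my libs/"]
ADD local.tar.gz /opt/
COPY https-notes.txt /opt/
"""

def logical_lines(text):
    """Yield (first_line_number, instruction) with backslash continuations folded."""
    buf, start = [], None
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank and comment lines never start or extend an instruction
        start = start or number
        cont = line.endswith("\\")
        buf.append(line[:-1].rstrip() if cont else line)
        if not cont:
            yield start, " ".join(buf)
            buf, start = [], None
    if buf:
        yield start, " ".join(buf)

def add_sources(args):
    """Return the source arguments of an ADD instruction (all but the destination)."""
    args = re.sub(r"^(--\S+\s+)+", "", args.strip())  # drop flags such as --chown=...
    if args.startswith("["):  # JSON form: ADD ["src", "dest"]
        try:
            parts = [str(p) for p in json.loads(args)]
        except ValueError:
            parts = args.split()
    else:
        parts = args.split()
    return parts[:-1]

def find_add_url(text):
    """Return [(line_number, url)] for every ADD whose source is an http(s) URL."""
    findings = []
    for number, line in logical_lines(text):
        match = re.match(r"ADD\s+(.*)$", line, re.IGNORECASE)
        if match:
            findings += [(number, s) for s in add_sources(match.group(1))
                         if re.match(r"https?://", s)]
    return findings
```

Findings are reported at the line where the instruction starts, so a continued ADD is attributed to its first line.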
Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.