Confused about what it does: COPY file:xxxxxxxx.... in /usr/local/bin/

Hi, I am looking at the php image layers (e.g. https://hub.docker.com/layers/php/library/php/8.1.3-apache/images/sha256-669205654ec1a6334f1fa6429201c882913891a13a80317518db8f75490c8176?context=explore) and I don’t understand what the following type of command does.

E.g.
COPY file:e3123fcb6566efa979f945bfac1c94c854a559d7b82723e42118882a8ac4de66 in /usr/local/bin/
or
COPY file:ce57c04b70896f77cc11eb2766417d8a1240fcffe5bba92179ec78c458844110 in /usr/local/bin/

I searched the docs but couldn’t find anything about this COPY format. Of course I’ve seen them in other images, but is there a way to determine what is in these files, and how do they come about?

Thanks!

When an image is built, an entire directory (the context directory) is copied over to the docker engine or buildkit builder, and cached there. During the build process, files are copied from that cache. File names from the original Dockerfile are replaced by names like that.

Without the original Dockerfile, there’s no easy way of figuring out what those files were. Luckily, the Dockerfiles for all official images, like the one you are looking at, are open source. Here is the Dockerfile for the php:8.1.3-apache image:

How does one trust that these files are not malware? Any docs on this would be appreciated. Thanks.

As I said, all official Dockerfiles are open source, so you can see exactly what got copied. You can verify the actual files when you pull the image, and run a number of malware scan tools and services on the image. Docker Hub itself shows you the results of malware scans on the image.
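Following up on the last reply's point that you can verify the actual files once the image is pulled: the script below is an added example (my own, not code from this thread or from the Docker project) that reads a `docker save` tarball, lists which files each layer adds or deletes, and hashes every regular file so it can be compared with the corresponding file in the official image's Dockerfile repository. It assumes the archive carries a `manifest.json` with a `Layers` list, as `docker save` produces; the two-layer sample image it builds in memory is constructed, and its file names and contents are made up for the demonstration (the second layer carries a whiteout entry, the overlay marker that deletes a file from a lower layer).

```python
import hashlib
import io
import json
import tarfile

WHITEOUT_PREFIX = ".wh."  # overlay marker: "<dir>/.wh.<name>" deletes <dir>/<name> from lower layers


def _tar_bytes(files):
    """Build an uncompressed tar archive in memory from {path: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for path, data in files.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_sample_image():
    """Constructed stand-in for `docker save` output: manifest.json plus one tar per layer."""
    layer1 = _tar_bytes({"usr/local/bin/docker-php-entrypoint": b'#!/bin/sh\nexec "$@"\n'})
    layer2 = _tar_bytes({
        "usr/local/bin/docker-php-ext-install": b"#!/bin/sh\necho install\n",
        "usr/local/bin/.wh.docker-php-entrypoint": b"",  # whiteout: removes the layer-1 file
    })
    manifest = [{"Config": "config.json", "RepoTags": ["example/php:constructed"],
                 "Layers": ["layer-1/layer.tar", "layer-2/layer.tar"]}]
    return _tar_bytes({
        "manifest.json": json.dumps(manifest).encode(),
        "layer-1/layer.tar": layer1,
        "layer-2/layer.tar": layer2,
    })


def layer_contents(image_tar):
    """Return [(layer_name, [entry, ...])] in the order the layers are stacked (base first).

    Each entry is {"op": "add"|"delete", "path": ..., "size": ..., "sha256": ...};
    regular files get a content digest you can compare with the upstream source file.
    """
    result = []
    with tarfile.open(fileobj=io.BytesIO(image_tar), mode="r") as image:
        manifest = json.loads(image.extractfile("manifest.json").read())
        for layer_name in manifest[0]["Layers"]:
            layer_bytes = image.extractfile(layer_name).read()
            entries = []
            with tarfile.open(fileobj=io.BytesIO(layer_bytes), mode="r") as layer:
                for member in layer.getmembers():
                    parent, _, base = member.name.rpartition("/")
                    if base.startswith(WHITEOUT_PREFIX):
                        target = base[len(WHITEOUT_PREFIX):]
                        entries.append({"op": "delete",
                                        "path": f"{parent}/{target}" if parent else target,
                                        "size": 0, "sha256": None})
                    elif member.isfile():
                        digest = hashlib.sha256(layer.extractfile(member).read()).hexdigest()
                        entries.append({"op": "add", "path": member.name,
                                        "size": member.size, "sha256": digest})
                    else:  # directories, symlinks, device nodes: record the path only
                        entries.append({"op": "add", "path": member.name,
                                        "size": 0, "sha256": None})
            result.append((layer_name, entries))
    return result


def files_under(layers, prefix):
    """Map each path under `prefix` to the layer that last added or deleted it."""
    final = {}
    for layer_name, entries in layers:
        for e in entries:
            if e["path"].startswith(prefix):
                final[e["path"]] = (layer_name, e["op"], e["sha256"])
    return final


if __name__ == "__main__":
    import sys
    # Pass a `docker save` tarball as the first argument; with no argument the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    layers = layer_contents(data)
    for layer_name, entries in layers:
        print(f"== {layer_name}")
        for e in entries:
            print(f"  {e['op']:6} {e['path']}  {e['size']} bytes  {e['sha256'] or ''}")
    print("\nFinal state under usr/local/bin/:")
    for path, (layer_name, op, digest) in files_under(layers, "usr/local/bin/").items():
        print(f"  {path}: {op} in {layer_name}")
```

On a real image, run `docker save php:8.1.3-apache -o php.tar` and then `python3 layers.py php.tar`. The layers come out base-first, whereas `docker history --no-trunc` lists build steps newest-first and steps that do not touch the filesystem (ENV, CMD, and the like) have no layer of their own, so match a `COPY file:... in /usr/local/bin/` step to its layer by walking from the base upward and skipping those. The sha256 printed for each file is what you compare against the file checked into the official image's Dockerfile repository.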