Bug
Resolution: Unresolved
Major
The customer is getting violations for "using the COPY command instead of the ADD command" from the base image (ubi9/openjdk: https://catalog.redhat.com/en/software/containers/ubi9/openjdk-17/61ee7c26ed74b2ffb22b07f6?image=68c2fd32ded12cfee68625ed).
The reason they enable this policy is that ADD can expose the build process to external malicious files (it fetches remote URLs and auto-extracts archives), increasing the attack surface. Additionally, COPY is generally faster and more efficient because it avoids unnecessary processing such as archive extraction.
This policy is one of the customer's security compliance rules derived from NIST SP 800-190.
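As an added example (not part of this issue and not Red Hat's image build), a small Python check that mirrors the policy's intent: it flags ADD instructions whose sources are all local, non-archive paths (where COPY does the same job), and leaves ADD with a remote URL or a local archive alone, since COPY cannot replace those. The Dockerfile text is constructed and is not the real ubi9/openjdk Dockerfile.

```python
import re
from typing import List, Tuple

# Constructed sample Dockerfile (not the actual ubi9/openjdk-17 build file).
SAMPLE_DOCKERFILE = """\
FROM registry.access.redhat.com/ubi9/openjdk-17
ADD app.jar /deployments/app.jar
ADD https://example.invalid/tool.tgz /opt/tool.tgz
ADD layer.tar.gz /opt/
COPY config/ /deployments/config/
ADD --chown=185:0 entrypoint.sh /deployments/
"""

# Sources with these suffixes are auto-extracted by ADD; COPY would not be equivalent.
ARCHIVE_SUFFIXES = (".tar", ".tar.gz", ".tgz", ".tar.bz2", ".tbz2", ".tar.xz", ".txz")


def parse_instructions(text: str) -> List[Tuple[int, str, str]]:
    """Yield (line_no, INSTRUCTION, args) per instruction, joining backslash continuations.
    Comments and blank lines are skipped; args are whitespace-normalised."""
    out: List[Tuple[int, str, str]] = []
    buf, start = "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not buf:
            if not line or line.startswith("#"):
                continue
            start = n
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        parts = buf.split()
        out.append((start, parts[0].upper(), " ".join(parts[1:])))
        buf = ""
    return out


def add_findings(text: str) -> List[Tuple[int, str]]:
    """Return (line_no, instruction text) for each ADD that COPY could replace.
    ADD is kept (not flagged) when any source is a URL or an archive ADD would extract.
    JSON-array form (ADD ["a", "b"]) is not handled by this simplified check."""
    findings: List[Tuple[int, str]] = []
    for line_no, instr, args in parse_instructions(text):
        if instr != "ADD":
            continue
        tokens = [t for t in args.split() if not t.startswith("--")]  # drop --chown/--chmod
        sources = tokens[:-1]  # last token is the destination
        if any(re.match(r"^https?://", s) or s.lower().endswith(ARCHIVE_SUFFIXES) for s in sources):
            continue
        findings.append((line_no, f"ADD {args}"))
    return findings
```

Running `add_findings(SAMPLE_DOCKERFILE)` reports lines 2 and 6 (plain local files), while the URL and tarball uses on lines 3 and 4 are left for a human to review against the policy.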