dockerfile: promote experimental linter rules

jsternberg · jsternberg · commit a7f4d29def7d · 2025-11-14T12:43:10.000-06:00
This promotes the following linter rules:
- CopyIgnoredFile
- InvalidDefinitionDescription

Signed-off-by: Jonathan A. Sternberg &lt;jonathan.sternberg@docker.com&gt;
diff --git a/frontend/dockerfile/dockerfile_lint_test.go b/frontend/dockerfile/dockerfile_lint_test.go
@@ -54,7 +54,7 @@ var lintTests = integration.TestFuncs(
 )
 
 func testDefinitionDescription(t *testing.T, sb integration.Sandbox) {
-	dockerfile := []byte(`# check=experimental=InvalidDefinitionDescription
+	dockerfile := []byte(`
 # foo this is the foo
 ARG foo=bar
 
@@ -74,7 +74,7 @@ COPY Dockerfile .
 `)
 	checkLinterWarnings(t, sb, &lintTestParams{Dockerfile: dockerfile})
 
-	dockerfile = []byte(`# check=experimental=InvalidDefinitionDescription
+	dockerfile = []byte(`
 # bar this is the bar
 ARG foo=bar
 # BasE this is the BasE image
@@ -131,18 +131,6 @@ Dockerfile
 FROM scratch
 COPY Dockerfile .
 ADD Dockerfile /windy
-`)
-	checkLinterWarnings(t, sb, &lintTestParams{
-		Dockerfile:           dockerfile,
-		DockerIgnore:         dockerignore,
-		BuildErrLocation:     3,
-		StreamBuildErrRegexp: regexp.MustCompile(`failed to solve: failed to compute cache key: failed to calculate checksum of ref [^\s]+ "/Dockerfile": not found`),
-	})
-
-	dockerfile = []byte(`# check=experimental=CopyIgnoredFile
-FROM scratch
-COPY Dockerfile .
-ADD Dockerfile /windy
 `)
 
 	checkLinterWarnings(t, sb, &lintTestParams{
@@ -170,7 +158,7 @@ ADD Dockerfile /windy
 		},
 	})
 
-	dockerfile = []byte(`# check=skip=all;experimental=CopyIgnoredFile
+	dockerfile = []byte(`
 FROM scratch
 COPY Dockerfile .
 ADD Dockerfile /windy
@@ -217,6 +205,19 @@ COPY --from=base /foobar /Dockerfile
 		DockerIgnore: dockerignore,
 	})
 
+	dockerfile = []byte(`# check=skip=CopyIgnoredFile
+
+FROM scratch
+COPY Dockerfile .
+ADD Dockerfile /windy
+`)
+	checkLinterWarnings(t, sb, &lintTestParams{
+		Dockerfile:           dockerfile,
+		DockerIgnore:         dockerignore,
+		BuildErrLocation:     3,
+		StreamBuildErrRegexp: regexp.MustCompile(`failed to solve: failed to compute cache key: failed to calculate checksum of ref [^\s]+ "/Dockerfile": not found`),
+	})
+
 	dockerignore = []byte(`
 **
 !Dockerfile
@@ -232,7 +233,8 @@ COPY ./Dockerfile .
 }
 
 func testSecretsUsedInArgOrEnv(t *testing.T, sb integration.Sandbox) {
-	dockerfile := []byte(`
+	dockerfile := []byte(`# check=skip=InvalidDefinitionDescription
+
 FROM scratch
 ARG SECRET_PASSPHRASE
 ENV SUPER_Secret=foo
@@ -260,63 +262,63 @@ ARG alternate_password
 				Detail:      `Do not use ARG or ENV instructions for sensitive data (ARG "SECRET_PASSPHRASE")`,
 				URL:         "https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/",
 				Level:       1,
-				Line:        3,
+				Line:        4,
 			},
 			{
 				RuleName:    "SecretsUsedInArgOrEnv",
 				Description: "Sensitive data should not be used in the ARG or ENV commands",
 				Detail:      `Do not use ARG or ENV instructions for sensitive data (ENV "SUPER_Secret")`,
 				URL:         "https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/",
 				Level:       1,
-				Line:        4,
+				Line:        5,
 			},
 			{
 				RuleName:    "SecretsUsedInArgOrEnv",
 				Description: "Sensitive data should not be used in the ARG or ENV commands",
 				Detail:      `Do not use ARG or ENV instructions for sensitive data (ENV "password")`,
 				URL:         "https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/",
 				Level:       1,
-				Line:        5,
+				Line:        6,
 			},
 			{
 				RuleName:    "SecretsUsedInArgOrEnv",
 				Description: "Sensitive data should not be used in the ARG or ENV commands",
 				Detail:      `Do not use ARG or ENV instructions for sensitive data (ENV "secret")`,
 				URL:         "https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/",
 				Level:       1,
-				Line:        5,
+				Line:        6,
 			},
 			{
 				RuleName:    "SecretsUsedInArgOrEnv",
 				Description: "Sensitive data should not be used in the ARG or ENV commands",
 				Detail:      `Do not use ARG or ENV instructions for sensitive data (ARG "auth")`,
 				URL:         "https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/",
 				Level:       1,
-				Line:        6,
+				Line:        7,
 			},
 			{
 				RuleName:    "SecretsUsedInArgOrEnv",
 				Description: "Sensitive data should not be used in the ARG or ENV commands",
 				Detail:      `Do not use ARG or ENV instructions for sensitive data (ARG "super_duper_secret_token")`,
 				URL:         "https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/",
 				Level:       1,
-				Line:        6,
+				Line:        7,
 			},
 			{
 				RuleName:    "SecretsUsedInArgOrEnv",
 				Description: "Sensitive data should not be used in the ARG or ENV commands",
 				Detail:      `Do not use ARG or ENV instructions for sensitive data (ENV "apikey")`,
 				URL:         "https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/",
 				Level:       1,
-				Line:        7,
+				Line:        8,
 			},
 			{
 				RuleName:    "SecretsUsedInArgOrEnv",
 				Description: "Sensitive data should not be used in the ARG or ENV commands",
 				Detail:      `Do not use ARG or ENV instructions for sensitive data (ENV "git_key")`,
 				URL:         "https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/",
 				Level:       1,
-				Line:        8,
+				Line:        9,
 			},
 		},
 	})
@@ -1692,8 +1694,9 @@ func checkProgressStream(t *testing.T, sb integration.Sandbox, lintTest *lintTes
 	} else {
 		if lintTest.BuildErr != "" {
 			require.ErrorContains(t, err, lintTest.BuildErr)
-		} else if !lintTest.StreamBuildErrRegexp.MatchString(err.Error()) {
-			t.Fatalf("error %q does not match %q", err.Error(), lintTest.StreamBuildErrRegexp.String())
+		} else {
+			require.Error(t, err)
+			require.Regexp(t, lintTest.StreamBuildErrRegexp, err)
 		}
 	}
 
diff --git a/frontend/dockerfile/docs/rules/_index.md b/frontend/dockerfile/docs/rules/_index.md
@@ -100,11 +100,11 @@ To learn more about how to use build checks, see
       <td>FROM --platform flag should not use a constant value</td>
     </tr>
     <tr>
-      <td><a href="./copy-ignored-file/">CopyIgnoredFile (experimental)</a></td>
+      <td><a href="./copy-ignored-file/">CopyIgnoredFile</a></td>
       <td>Attempting to Copy file that is excluded by .dockerignore</td>
     </tr>
     <tr>
-      <td><a href="./invalid-definition-description/">InvalidDefinitionDescription (experimental)</a></td>
+      <td><a href="./invalid-definition-description/">InvalidDefinitionDescription</a></td>
       <td>Comment for build stage or argument should follow the format: `# <arg/stage name> <description>`. If this is not intended to be a description comment, add an empty line or comment between the instruction and the comment.</td>
     </tr>
     <tr>
diff --git a/frontend/dockerfile/docs/rules/copy-ignored-file.md b/frontend/dockerfile/docs/rules/copy-ignored-file.md
@@ -6,10 +6,6 @@ aliases:
   - /go/dockerfile/rule/copy-ignored-file/
 ---
 
-> [!NOTE]
-> This check is experimental and is not enabled by default. To enable it, see
-> [Experimental checks](https://docs.docker.com/go/build-checks-experimental/).
-
 ## Output
 
 ```text
diff --git a/frontend/dockerfile/docs/rules/invalid-definition-description.md b/frontend/dockerfile/docs/rules/invalid-definition-description.md
@@ -6,10 +6,6 @@ aliases:
   - /go/dockerfile/rule/invalid-definition-description/
 ---
 
-> [!NOTE]
-> This check is experimental and is not enabled by default. To enable it, see
-> [Experimental checks](https://docs.docker.com/go/build-checks-experimental/).
-
 ## Output
 
 ```text
diff --git a/frontend/dockerfile/linter/ruleset.go b/frontend/dockerfile/linter/ruleset.go
@@ -163,7 +163,6 @@ var (
 		Format: func(cmd, file string) string {
 			return fmt.Sprintf("Attempting to %s file %q that is excluded by .dockerignore", cmd, file)
 		},
-		Experimental: true,
 	}
 	RuleInvalidDefinitionDescription = LinterRule[func(string, string) string]{
 		Name:        "InvalidDefinitionDescription",
@@ -172,7 +171,6 @@ var (
 		Format: func(instruction, defName string) string {
 			return fmt.Sprintf("Comment for %s should follow the format: `# %s <description>`", instruction, defName)
 		},
-		Experimental: true,
 	}
 	RuleExposeProtoCasing = LinterRule[func(string) string]{
 		Name:        "ExposeProtoCasing",
