`--location` (or `--follow`) to follow HTTP redirects.
| Property | Value |
|---|---|
| Severity | Warning |
| Category | Correctness |
| Default | Enabled |
| Auto-fix | Yes (`--fix --fix-unsafe`) |
Description
Flags `curl` commands in `RUN` instructions that are missing a redirect-following flag.
Without such a flag, curl will not follow HTTP redirects (301, 302, 307, 308), which can
cause downloads to silently fail when URLs are relocated.
Other Dockerfile download mechanisms follow redirects by default:
- `ADD <url>` follows up to 10 redirects (Go `net/http` default behavior)
- `wget` follows up to 20 redirects by default
`--location` vs `--follow`
The fix depends on how curl is invoked:
- `--location` (`-L`): suggested for standard downloads (GET, POST, PUT, or no `-X`). This is the classic redirect flag, available in all curl versions.
- `--follow`: suggested when `-X`/`--request` specifies a method other than GET, POST, or PUT (e.g., DELETE, PATCH, QUERY). `--location` changes non-GET methods to GET on 301/302 redirects, which breaks these methods. `--follow` (curl 8.16.0+) preserves the HTTP method across redirects.
Examples
Before (violation)
After (fixed with `--fix --fix-unsafe`)
Exceptions
The rule does not trigger when:
- `-L` or `--location` is already present (including combined flags like `-fsSL`)
- `--location-trusted` is present (implies redirect following)
- `--follow` is already present (curl 8.16.0+)
- All URL arguments point to IP addresses (e.g., `http://127.0.0.1:8080/health`, `http://10.0.0.1/api`), since local/internal services typically don't redirect
- The curl command is a non-transfer invocation (`--help`, `--version`, `--manual`) where redirect flags have no effect
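As an added illustration (not the linter's own code), the following Python approximates this rule's check over a shell-form `RUN` instruction: it applies the `--location`/`--follow` choice and the exceptions listed above. Function names are hypothetical, and `shlex` stands in for the real shell parser.

```python
import re
import shlex
from ipaddress import ip_address
from urllib.parse import urlsplit

FOLLOW_FLAGS = {"-L", "--location", "--location-trusted", "--follow"}   # already following
NON_TRANSFER = {"--help", "--version", "--manual"}                      # redirect flags irrelevant
LOCATION_SAFE = {"GET", "POST", "PUT"}   # --location keeps these on 301/302; others need --follow
# -fsSL counts (L before any value-taking short flag); -XDELETE does not (that L is the method).
SHORT_CLUSTER_L = re.compile(r"-[^-XHdouAebcTmwxy]*L")
METHOD = re.compile(r"(?:^|\s)(?:-X ?|--request[ =])(\S+)")

def _commands(shell):
    # Split at &&, ||, ; and | (a rough stand-in for the linter's real shell parser).
    lexer = shlex.shlex(shell, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    cmds = [[]]
    for tok in lexer:
        cmds.append([]) if tok in ("&&", "||", ";", "|") else cmds[-1].append(tok)
    return [c for c in cmds if c]

def _is_ip_url(url):
    try:
        ip_address(urlsplit(url).hostname or "")
        return True
    except ValueError:
        return False

def check_curl(argv):
    """None if the rule is satisfied, else the flag it would suggest for this curl call."""
    if not argv or argv[0] != "curl":
        return None
    args = argv[1:]
    if any(a in NON_TRANSFER for a in args):
        return None
    if any(a in FOLLOW_FLAGS or SHORT_CLUSTER_L.match(a) for a in args):
        return None
    urls = [a for a in args if a.startswith(("http://", "https://"))]
    if urls and all(_is_ip_url(u) for u in urls):   # local/internal services rarely redirect
        return None
    m = METHOD.search(" ".join(args))
    method = m.group(1).upper() if m else "GET"
    return "--location" if method in LOCATION_SAFE else "--follow"

def lint_run(instruction):
    """Flags suggested for each offending curl in one (continuation-folded) shell-form RUN."""
    body = instruction.strip()
    if body[:4].upper() != "RUN " or body[4:].lstrip().startswith("["):
        return []                                      # not RUN, or exec form: skipped
    shell = re.sub(r"^(\s*--\S+)*", "", body[4:])      # drop RUN --mount/--network options
    return [f for f in map(check_curl, _commands(shell)) if f]
```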
Limitations
- Only detects `curl` commands directly visible to the shell parser; commands inside variables or dynamically constructed strings are not analyzed
- Skips non-POSIX shells (e.g., PowerShell stages)
References
- curl `--location` documentation
- Follow redirects, but differently — curl 8.16.0 `--follow` flag
- Dockerfile `ADD` reference