Skip to main content
Stages using curl should include a retry config to handle transient failures.

Description

Detects Dockerfile stages that use curl (either invoked directly in a RUN command or installed as a package) without a retry configuration file. Transient download failures are common during image builds — network timeouts, temporary server errors, and DNS hiccups can cause builds to fail unpredictably. A small .curlrc file with retry settings makes builds significantly more robust. The rule emits at most one violation per stage and triggers when:
  • A RUN instruction invokes curl directly (e.g., curl -fsSL https://...)
  • A RUN instruction installs the curl package (e.g., apt-get install -y curl)
  • On Windows: curl.exe invocation or choco install curl / winget install curl

Auto-fix

The fix inserts a short documentation comment plus two instructions before the first relevant RUN:
  • Install trigger (apt-get install curl): inserts right before the install RUN
  • Invocation trigger (curl https://...): inserts before the first RUN in the stage (curl is already available from the base image)

Linux

Windows

On Windows, --chmod is omitted since it has no effect.

Config options

  • --retry-connrefused retries on connection-refused errors
  • --connect-timeout limits the connection phase (default: 15 seconds)
  • --retry retries failed transfers (default: 5)
  • --max-time limits the entire transfer (default: 300 seconds)

Configuration

The emitted defaults can be overridden via rule config:
curl’s config-file behavior is documented in the official manpage: --config.

Examples

Before (violation)

After (fixed with —fix —fix-unsafe)

Suppression

The rule does not trigger when:
  • The config file /etc/curl/.curlrc (or c:\curl\.curlrc on Windows) already exists in the stage (via COPY heredoc, COPY from build context, COPY --from another stage, or RUN file creation)
  • The CURL_HOME environment variable is already set in the stage
Child stages inheriting from a parent stage that already has the config also do not trigger.