Skip to main content
Stages using wget should include a retry config to handle transient failures.

Description

Detects Dockerfile stages that use wget without a retry configuration file. This applies both when wget is invoked directly in a RUN command and when the stage installs the wget package first. Transient download failures are common during image builds, so a small wgetrc file makes those stages more resilient. The rule emits at most one violation per stage and triggers when:
  • A RUN instruction invokes wget directly (for example wget https://...)
  • A RUN instruction installs the wget package (for example apt-get install -y wget)
  • On Windows: wget.exe invocation or package installs that resolve to wget

Auto-fix

The fix inserts a short documentation comment plus two instructions before the first relevant RUN:
  • Install trigger (apt-get install wget): inserts right before the install RUN
  • Invocation trigger (wget https://...): inserts before the first RUN in the stage when wget is already available from the base image

Linux

Windows

On Windows, --chmod is omitted since it has no effect.

Config options

  • retry_connrefused = on retries connection-refused failures
  • timeout limits how long each request can wait (default: 15 seconds)
  • tries controls how many attempts wget makes (default: 5)

Configuration

The emitted defaults can be overridden via rule config:
Supported startup-file directives are documented in the official GNU Wget manual: Wgetrc Commands.

Examples

Before (violation)

After (fixed with —fix —fix-unsafe)

Suppression

The rule does not trigger when:
  • The config file /etc/wgetrc, c:\wgetrc, or a user-level .wgetrc already exists in the stage (via COPY heredoc, COPY from build context, COPY --from another stage, or RUN file creation)
  • The WGETRC environment variable is already set in the stage
Child stages inheriting from a parent stage that already has the config also do not trigger.