moby · tonistiigi · Jan 10, 2026 · Jan 5, 2026
diff --git a/frontend/dockerfile/dockerfile_lint_test.go b/frontend/dockerfile/dockerfile_lint_test.go
@@ -54,7 +54,7 @@ var lintTests = integration.TestFuncs(
 )
 
 func testDefinitionDescription(t *testing.T, sb integration.Sandbox) {
-	dockerfile := []byte(`# check=experimental=InvalidDefinitionDescription
+	dockerfile := []byte(`# check=skip=all;experimental=InvalidDefinitionDescription
 # foo this is the foo
 ARG foo=bar
 
@@ -131,18 +131,6 @@ Dockerfile
 FROM scratch
 COPY Dockerfile .
 ADD Dockerfile /windy
-`)
-	checkLinterWarnings(t, sb, &lintTestParams{
-		Dockerfile:           dockerfile,
-		DockerIgnore:         dockerignore,
-		BuildErrLocation:     3,
-		StreamBuildErrRegexp: regexp.MustCompile(`failed to solve: failed to compute cache key: failed to calculate checksum of ref [^\s]+ "/Dockerfile": not found`),
-	})
-
-	dockerfile = []byte(`# check=experimental=CopyIgnoredFile
-FROM scratch
-COPY Dockerfile .
-ADD Dockerfile /windy
 `)
 
 	checkLinterWarnings(t, sb, &lintTestParams{
@@ -170,7 +158,7 @@ ADD Dockerfile /windy
 		},
 	})
 
-	dockerfile = []byte(`# check=skip=all;experimental=CopyIgnoredFile
+	dockerfile = []byte(`
 FROM scratch
 COPY Dockerfile .
 ADD Dockerfile /windy
@@ -201,6 +189,19 @@ ADD Dockerfile /windy
 		},
 	})
 
+	dockerfile = []byte(`# check=skip=CopyIgnoredFile
+
+FROM scratch
+COPY Dockerfile .
+ADD Dockerfile /windy
+`)
+	checkLinterWarnings(t, sb, &lintTestParams{
+		Dockerfile:           dockerfile,
+		DockerIgnore:         dockerignore,
+		BuildErrLocation:     3,
+		StreamBuildErrRegexp: regexp.MustCompile(`failed to solve: failed to compute cache key: failed to calculate checksum of ref [^\s]+ "/Dockerfile": not found`),
+	})
+
 	dockerignore = []byte(`
 foobar
 `)
@@ -232,7 +233,8 @@ COPY ./Dockerfile .
 }
 
 func testSecretsUsedInArgOrEnv(t *testing.T, sb integration.Sandbox) {
-	dockerfile := []byte(`
+	dockerfile := []byte(`# check=skip=InvalidDefinitionDescription
+
 FROM scratch
 ARG SECRET_PASSPHRASE
 ENV SUPER_Secret=foo
@@ -260,63 +262,63 @@ ARG alternate_password
 				Detail:      `Do not use ARG or ENV instructions for sensitive data (ARG "SECRET_PASSPHRASE")`,
 				URL:         "https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/",
 				Level:       1,
-				Line:        3,
+				Line:        4,
 			},
 			{
 				RuleName:    "SecretsUsedInArgOrEnv",
 				Description: "Sensitive data should not be used in the ARG or ENV commands",
 				Detail:      `Do not use ARG or ENV instructions for sensitive data (ENV "SUPER_Secret")`,
 				URL:         "https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/",
 				Level:       1,
-				Line:        4,
+				Line:        5,
 			},
 			{
 				RuleName:    "SecretsUsedInArgOrEnv",
 				Description: "Sensitive data should not be used in the ARG or ENV commands",
 				Detail:      `Do not use ARG or ENV instructions for sensitive data (ENV "password")`,
 				URL:         "https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/",
 				Level:       1,
-				Line:        5,
+				Line:        6,
 			},
 			{
 				RuleName:    "SecretsUsedInArgOrEnv",
 				Description: "Sensitive data should not be used in the ARG or ENV commands",
 				Detail:      `Do not use ARG or ENV instructions for sensitive data (ENV "secret")`,
 				URL:         "https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/",
 				Level:       1,
-				Line:        5,
+				Line:        6,
 			},
 			{
 				RuleName:    "SecretsUsedInArgOrEnv",
 				Description: "Sensitive data should not be used in the ARG or ENV commands",
 				Detail:      `Do not use ARG or ENV instructions for sensitive data (ARG "auth")`,
 				URL:         "https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/",
 				Level:       1,
-				Line:        6,
+				Line:        7,
 			},
 			{
 				RuleName:    "SecretsUsedInArgOrEnv",
 				Description: "Sensitive data should not be used in the ARG or ENV commands",
 				Detail:      `Do not use ARG or ENV instructions for sensitive data (ARG "super_duper_secret_token")`,
 				URL:         "https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/",
 				Level:       1,
-				Line:        6,
+				Line:        7,
 			},
 			{
 				RuleName:    "SecretsUsedInArgOrEnv",
 				Description: "Sensitive data should not be used in the ARG or ENV commands",
 				Detail:      `Do not use ARG or ENV instructions for sensitive data (ENV "apikey")`,
 				URL:         "https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/",
 				Level:       1,
-				Line:        7,
+				Line:        8,
 			},
 			{
 				RuleName:    "SecretsUsedInArgOrEnv",
 				Description: "Sensitive data should not be used in the ARG or ENV commands",
 				Detail:      `Do not use ARG or ENV instructions for sensitive data (ENV "git_key")`,
 				URL:         "https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/",
 				Level:       1,
-				Line:        8,
+				Line:        9,
 			},
 		},
 	})
@@ -1692,8 +1694,9 @@ func checkProgressStream(t *testing.T, sb integration.Sandbox, lintTest *lintTes
 	} else {
 		if lintTest.BuildErr != "" {
 			require.ErrorContains(t, err, lintTest.BuildErr)
-		} else if !lintTest.StreamBuildErrRegexp.MatchString(err.Error()) {
-			t.Fatalf("error %q does not match %q", err.Error(), lintTest.StreamBuildErrRegexp.String())
+		} else {
+			require.Error(t, err)
+			require.Regexp(t, lintTest.StreamBuildErrRegexp, err)
 		}
 	}
 
@@ -1745,10 +1748,10 @@ func checkLinterWarnings(t *testing.T, sb integration.Sandbox, lintTest *lintTes
 
 	if lintTest.TmpDir == nil {
 		testfiles := []fstest.Applier{
-			fstest.CreateFile("Dockerfile", lintTest.Dockerfile, 0600),
+			fstest.CreateFile("Dockerfile", lintTest.Dockerfile, 0o600),
 		}
 		if lintTest.DockerIgnore != nil {
-			testfiles = append(testfiles, fstest.CreateFile(".dockerignore", lintTest.DockerIgnore, 0600))
+			testfiles = append(testfiles, fstest.CreateFile(".dockerignore", lintTest.DockerIgnore, 0o600))
 		}
 		lintTest.TmpDir = integration.Tmpdir(
 			t,

diff --git a/frontend/dockerfile/docs/rules/_index.md b/frontend/dockerfile/docs/rules/_index.md
@@ -100,7 +100,7 @@ To learn more about how to use build checks, see
       <td>FROM --platform flag should not use a constant value</td>
     </tr>
     <tr>
-      <td><a href="./copy-ignored-file/">CopyIgnoredFile (experimental)</a></td>
+      <td><a href="./copy-ignored-file/">CopyIgnoredFile</a></td>
       <td>Attempting to Copy file that is excluded by .dockerignore</td>
     </tr>
     <tr>

diff --git a/frontend/dockerfile/docs/rules/copy-ignored-file.md b/frontend/dockerfile/docs/rules/copy-ignored-file.md
@@ -6,10 +6,6 @@ aliases:
   - /go/dockerfile/rule/copy-ignored-file/
 ---
 
-> [!NOTE]
-> This check is experimental and is not enabled by default. To enable it, see
-> [Experimental checks](https://docs.docker.com/go/build-checks-experimental/).
-
 ## Output
 
 ```text

diff --git a/frontend/dockerfile/linter/ruleset.go b/frontend/dockerfile/linter/ruleset.go
@@ -163,7 +163,6 @@ var (
 		Format: func(cmd, file string) string {
 			return fmt.Sprintf("Attempting to %s file %q that is excluded by .dockerignore", cmd, file)
 		},
-		Experimental: true,
 	}
 	RuleInvalidDefinitionDescription = LinterRule[func(string, string) string]{
 		Name:        "InvalidDefinitionDescription",