CopyIgnoredFile linter triggers with negated matches and "COPY . $target"

[sudo-bmitch]

Contributing guidelines and issue reporting guide

• I've read the contributing guidelines and wholeheartedly agree. I've also read the issue reporting guide.

Well-formed report checklist

• I have found a bug that the documentation does not mention anything about my problem
• I have found a bug that there are no open or closed issues that are related to my problem
• I have provided version/information about my environment and done my best to provide a reproducer

Description of bug

Bug description

I'm using the pattern to exclude everything and the negate the files I want to include in my build. This is triggering a linter warning that I feel is a false positive.

Reproduction

.dockerignore contains:

*
!go.*
!*.go
!internal/
!testdata/
!vendor/
!Makefile

And the Dockerfile includes:

FROM golang
WORKDIR /src
COPY . /src/
RUN make

Which generates the warning:

 1 warning found (use docker --debug to expand):
 - CopyIgnoredFile: Attempting to Copy file "." that is excluded by .dockerignore (line 11)

The build does succeed, but I feel that the COPY . $target should not trigger a warning if it expands to a mix of files, some of which are included in the context.

An example repository that contains this pattern is https://github.com/sudo-bmitch/version-bump/.

Version information

$ docker version
Client: Docker Engine - Community
 Version:           29.2.1
 API version:       1.53
 Go version:        go1.25.6
 Git commit:        a5c7197
 Built:             Mon Feb  2 17:17:24 2026
 OS/Arch:           linux/amd64
 Context:           default

Server: Docker Engine - Community
 Engine:
  Version:          29.2.1
  API version:      1.53 (minimum version 1.44)
  Go version:       go1.25.6
  Git commit:       6bc6209
  Built:            Mon Feb  2 17:17:24 2026
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          v2.2.1
  GitCommit:        dea7da592f5d1d2b7755e3a161be07f43fad8f75
 runc:
  Version:          1.3.4
  GitCommit:        v1.3.4-0-gd6d73eb8
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

$ docker buildx version
github.com/docker/buildx v0.31.1 a2675950d46b2cb171b23c2015ca44fb88607531

$ docker buildx inspect
Name:          container
Driver:        docker-container
Last Activity: 2026-02-08 19:07:53 +0000 UTC

Nodes:
Name:                  container0
Endpoint:              unix:///var/run/docker.sock
Driver Options:        cpu-shares="12" image="moby/buildkit:v0.27.1" memory="10g"
Status:                running
BuildKit daemon flags: --allow-insecure-entitlement=network.host
BuildKit version:      v0.27.1
Platforms:             linux/amd64, linux/amd64/v2, linux/amd64/v3, linux/arm64, linux/riscv64, linux/ppc64, linux/ppc64le, linux/s390x, linux/386, linux/mips64le, linux/mips64, linux/loong64, linux/arm/v7, linux/arm/v6
Labels:
 org.mobyproject.buildkit.worker.executor:         oci
 org.mobyproject.buildkit.worker.hostname:         84e3b481c12c
 org.mobyproject.buildkit.worker.network:          host
 org.mobyproject.buildkit.worker.oci.process-mode: sandbox
 org.mobyproject.buildkit.worker.selinux.enabled:  false
 org.mobyproject.buildkit.worker.snapshotter:      overlayfs
...

[sudo-bmitch]

I believe this is related to #5884 but is not fixed by #6356.

[thaJeztah]

This was also reported in docker/cli#6767 (or at least, it looks very similar);

Let me re-post my comment from that ticket;

Looking at #6356, I see it's part of BuildKit v0.27.0, which is used by Docker 29.2, so I think it's the reverse and that PR to have introduced the problem, not solved it.

The change in behavior is in the Dockerfile frontend 143a046, so the parsing used for the Dockerfile, and part of dockerfile v1.21.0

mkdir test && cd test

cat > .dockerignore <<'EOF'
/*
!/some
EOF


cat > Dockerfile <<'EOF'
FROM scratch
COPY . .
EOF

With the above, I get the warning:

docker build --no-cache .
# ...
# => => unpacking to moby-dangling@sha256:ff039ba2427511592c8627270aca2b70975589bf58a46d25e12a837f437a14  0.0s
#
# 1 warning found (use docker --debug to expand):
# - CopyIgnoredFile: Attempting to Copy file "." that is excluded by .dockerignore (line 2)

Updating the Dockerfile to use the previous (v1.20.0) syntax;

cat > Dockerfile <<'EOF'
# syntax=docker/dockerfile:1.20.0

FROM scratch
COPY . .
EOF

Doesn't produce the warning;

docker build --no-cache .
# ...
#  => => unpacking to moby-dangling@sha256:436b8636ddbcfeeff19131f2a420ee1222441f1471e54a55ad0b8d90ee21ff  0.0s

In general, I wouldn't recommend pinning to an older version of the syntax, but it's a possible workaround if this is causing issues.

[thaJeztah]

cc @jsternberg