All container artifacts (Dockerfile, compose files, CI/CD pipeline configs) MUST follow these rules. Violations are treated as bugs.
- Use distroless, alpine, or -slim variants only
- Pin versions with digest:
FROM node:22-alpine@sha256:abc... - Multi-stage builds mandatory — no build toolchains in final image
USER nonroot— never run as rootread_only: truein composesecurity_opt: [no-new-privileges:true]cap_drop: [ALL], add back only what's explicitly needed- Never mount Docker socket unless I explicitly ask and justify it
- Never use
ARG/ENVfor secrets at build time - Use
docker compose secrets, mounted files, or runtime env injection .dockerignoremust exclude:.env*,.git,node_modules,*.key,*.pem
- Every service gets a
HEALTHCHECK(Dockerfile) orhealthcheck:(compose) - Include
interval,timeout,retries,start_period - Prefer curl-free checks: use built-in runtime checks or wget in alpine
- Combine RUN layers, clean caches in same layer
- No orphan ports — only expose what's needed
- Tag images with git SHA or semver, never
:latestin production configs
If any rule cannot be followed, add an inline comment: # SECURITY-EXCEPTION: <reason>