Skip to content

Instantly share code, notes, and snippets.

@keskinonur
Created April 5, 2026 12:36
Show Gist options
  • Select an option

  • Save keskinonur/f4ad3f0825b6d7a1adb05b925641517d to your computer and use it in GitHub Desktop.

Select an option

Save keskinonur/f4ad3f0825b6d7a1adb05b925641517d to your computer and use it in GitHub Desktop.
Container Security Standards for CLAUDE.md

Container Security Standards

All container artifacts (Dockerfile, compose files, CI/CD pipeline configs) MUST follow these rules. Violations are treated as bugs.

Base Image

  • Use distroless, alpine, or -slim variants only
  • Pin versions with digest: FROM node:22-alpine@sha256:abc...
  • Multi-stage builds mandatory — no build toolchains in final image

Runtime Security

  • USER nonroot — never run as root
  • read_only: true in compose
  • security_opt: [no-new-privileges:true]
  • cap_drop: [ALL], add back only what's explicitly needed
  • Never mount Docker socket unless I explicitly ask and justify it

Secrets

  • Never use ARG/ENV for secrets at build time
  • Use docker compose secrets, mounted files, or runtime env injection
  • .dockerignore must exclude: .env*, .git, node_modules, *.key, *.pem

Health & Observability

  • Every service gets a HEALTHCHECK (Dockerfile) or healthcheck: (compose)
  • Include interval, timeout, retries, start_period
  • Prefer curl-free checks: use built-in runtime checks or wget in alpine

Image Hygiene

  • Combine RUN layers, clean caches in same layer
  • No orphan ports — only expose what's needed
  • Tag images with git SHA or semver, never :latest in production configs

Exceptions

If any rule cannot be followed, add an inline comment: # SECURITY-EXCEPTION: <reason>

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment