---
globs:
  - "**/container/**"
  - "**/manifest*"
  - "**/*podman*"
  - "**/Containerfile"
  - "**/Dockerfile"
---

# Container Security Rules (Archipelago)

- `readonly_root: true` always — containers must not write to their root filesystem
- Drop ALL capabilities, add only what's required (`--cap-drop=ALL --cap-add=...`)
- Run as non-root user (UID > 1000): `--user 1001:1001`
- Set `--security-opt=no-new-privileges:true`
- Pin image versions by SHA256 digest, never use `:latest` tag
- Mount secrets as read-only files, never pass as environment variables when possible
- Set memory and CPU limits on all containers
- Use `--network=none` unless network access is required
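The rules above as one concrete `podman run` invocation, plus a small lint that rejects invocations which break them. This is an added example, not part of the Archipelago rules file or its tooling: the image digest, the secret file path, the tmpfs size and the resource limits are constructed placeholders, and `--read-only` is assumed to be the CLI form of the `readonly_root: true` rule.

```shell
#!/bin/sh
# Added example (not from the Archipelago rules file): build a hardened
# `podman run` argument list and lint an argument list against the rules.

# Constructed placeholder digest; take the real one from `podman image inspect`.
IMAGE='docker.io/library/nginx@sha256:0000000000000000000000000000000000000000000000000000000000000000'

# Emit the hardened argument list for `podman run`, one argument per line.
#   $1 = image reference pinned by digest
#   $2 = host path of the secret file, mounted read-only into the container
# /tmp is the only writable location, and it is noexec so nothing dropped
# there can be executed. Add a single `--cap-add=<CAP>` only if the workload
# provably needs it.
hardened_run_args() {
  image="$1"
  secret_file="$2"
  printf '%s\n' \
    --read-only \
    --tmpfs '/tmp:rw,noexec,nosuid,size=64m' \
    --cap-drop=ALL \
    --user 1001:1001 \
    --security-opt=no-new-privileges:true \
    --memory=256m \
    --cpus=0.5 \
    --network=none \
    --volume "$secret_file:/run/secrets/app-token:ro,Z" \
    "$image"
}

# Record one rule violation (sets the global `fail` used by lint_run_args).
violation() { echo "VIOLATION: $1"; fail=1; }

# Lint a `podman run` argument list (newline- or space-separated) against the
# rules. Prints each violation; returns 0 when clean, 1 otherwise.
lint_run_args() {
  args=$(printf '%s\n' "$1" | tr '\n' ' ')
  fail=0

  case "$args" in *--read-only*) ;; *) violation "root filesystem is writable (add --read-only)";; esac
  case "$args" in *--cap-drop=ALL*) ;; *) violation "capabilities not dropped (add --cap-drop=ALL)";; esac
  case "$args" in *--security-opt=no-new-privileges:true*) ;; *) violation "missing --security-opt=no-new-privileges:true";; esac
  case "$args" in *--memory=*|*"--memory "*) ;; *) violation "no memory limit";; esac
  case "$args" in *--cpus=*|*"--cpus "*) ;; *) violation "no CPU limit";; esac
  case "$args" in *@sha256:*) ;; *) violation "image is not pinned by digest";; esac
  case "$args" in *:latest*) violation "image uses the :latest tag";; esac

  # Non-root check: pull the UID out of `--user UID:GID` or `--user=UID:GID`.
  uid=$(printf '%s\n' "$args" | sed -n 's/.*--user[= ]\([0-9][0-9]*\)[: ].*/\1/p')
  if [ -z "$uid" ] || [ "$uid" -le 1000 ]; then
    violation "container does not run as a non-root user with UID > 1000"
  fi

  # Secrets belong in read-only file mounts, not in -e/--env variables.
  if printf '%s\n' "$args" | grep -Eiq -- '(^|[[:space:]])(-e|--env)[= ][^[:space:]]*(secret|token|passw|apikey)'; then
    violation "secret-looking value passed as an environment variable"
  fi

  # Network is allowed when required, so this is only a warning.
  case "$args" in *--network=none*) ;; *) echo "WARN: network enabled; confirm it is required";; esac
  return $fail
}

# Demo: print the full command (the secret path is a constructed placeholder).
echo "podman run $(hardened_run_args "$IMAGE" /etc/app/token | tr '\n' ' ')"
```

Run the lint in CI against every `podman run` line you ship; a clean run prints nothing but the network warning, and a run as `--user 0:0` with a `:latest` image and an `-e APP_TOKEN=...` variable prints one `VIOLATION:` line per broken rule.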