archy/.claude/rules/containers.md

20 lines
683 B
Markdown
Raw Normal View History

---
globs:
- "**/container/**"
- "**/manifest*"
- "**/*podman*"
- "**/Containerfile"
- "**/Dockerfile"
---
# Container Security Rules (Archipelago)
- `readonly_root: true` always — containers must not write to their root filesystem
- Drop ALL capabilities, add only what's required (`--cap-drop=ALL --cap-add=...`)
- Run as non-root user (UID > 1000): `--user 1001:1001`
- Set `--security-opt=no-new-privileges:true`
- Pin image versions by SHA256 digest, never use `:latest` tag
- Mount secrets as read-only files, never pass as environment variables when possible
- Set memory and CPU limits on all containers
- Use `--network=none` unless network access is required