--- globs: - "**/container/**" - "**/manifest*" - "**/*podman*" - "**/Containerfile" - "**/Dockerfile" --- # Container Security Rules (Archipelago) - `readonly_root: true` always — containers must not write to their root filesystem - Drop ALL capabilities, add only what's required (`--cap-drop=ALL --cap-add=...`) - Run as non-root user (UID > 1000): `--user 1001:1001` - Set `--security-opt=no-new-privileges:true` - Pin image versions by SHA256 digest, never use `:latest` tag - Mount secrets as read-only files, never pass as environment variables when possible - Set memory and CPU limits on all containers - Use `--network=none` unless network access is required