Initial commit

skills/devsecops/container-hadolint/assets/hadolint-permissive.yaml

@@ -0,0 +1,35 @@
+# Hadolint Permissive Configuration
+# For legacy Dockerfiles during migration or development environments
+# Use temporarily while remediating existing issues
+
+failure-threshold: error  # Only fail on critical security issues
+
+# Ignore common legacy patterns (review and remove as you fix them)
+ignored:
+  - DL3006  # Image versioning (fix gradually)
+  - DL3008  # apt-get version pinning (fix gradually)
+  - DL3009  # apt cache cleanup (optimization, not security)
+  - DL3013  # pip version pinning (fix gradually)
+  - DL3015  # apt --no-install-recommends (optimization)
+  - DL3059  # Multiple RUN instructions (caching)
+
+# Still enforce trusted registries
+trustedRegistries:
+  - docker.io
+  - gcr.io
+  - ghcr.io
+  # Add your registries
+
+# Minimal enforcement - only critical security issues
+override:
+  error:
+    - DL3002  # Never switch to root (always enforce)
+    - DL3020  # Use COPY instead of ADD (security critical)
+  warning:
+    - DL3001  # Package manager version pinning
+    - DL3025  # JSON notation for CMD/ENTRYPOINT
+  info:
+    # Everything else is informational
+    - DL3000
+    - DL3003
+    - DL3007