Initial commit

2025-11-29 17:51:02 +08:00
commit ff1f4bd119
252 changed files with 72682 additions and 0 deletions
--- a/skills/devsecops/container-hadolint/assets/hadolint-strict.yaml
+++ b/skills/devsecops/container-hadolint/assets/hadolint-strict.yaml
@@ -0,0 +1,48 @@
+# Hadolint Strict Configuration
+# Enforces maximum security with minimal exceptions
+# Use for: Production Dockerfiles, security-critical applications
+
+failure-threshold: error
+
+# Minimal ignores - only critical exceptions
+ignored: []
+
+# Only trust official and verified registries
+trustedRegistries:
+  - docker.io/library     # Official Docker Hub images
+  - gcr.io/distroless     # Google distroless base images
+  - cgr.dev/chainguard    # Chainguard minimal images
+
+# Enforce strict severity levels
+override:
+  error:
+    - DL3000  # Use absolute WORKDIR
+    - DL3001  # Version pinning for yum
+    - DL3002  # Never switch to root
+    - DL3003  # Use WORKDIR instead of cd
+    - DL3006  # Always tag images
+    - DL3008  # Version pinning for apt
+    - DL3013  # Version pinning for pip
+    - DL3016  # Version pinning for npm
+    - DL3018  # Version pinning for apk
+    - DL3020  # Use COPY instead of ADD
+    - DL3028  # Use build secrets for credentials
+  warning:
+    - DL3007  # Use specific digests (recommended)
+    - DL3009  # Delete apt cache
+    - DL3015  # Avoid additional packages
+    - DL3025  # Use JSON notation
+
+# Enforce OCI image labels
+label-schema:
+  maintainer: text
+  org.opencontainers.image.created: rfc3339
+  org.opencontainers.image.authors: text
+  org.opencontainers.image.url: url
+  org.opencontainers.image.documentation: url
+  org.opencontainers.image.source: url
+  org.opencontainers.image.version: semver
+  org.opencontainers.image.revision: text
+  org.opencontainers.image.vendor: text
+  org.opencontainers.image.title: text
+  org.opencontainers.image.description: text