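---
# Hadolint Balanced Configuration
# Recommended for most production use cases
# Balances security enforcement with practical development needs
#
# Each setting sits on its own line. When the whole file is collapsed onto a
# single line that starts with '#', YAML reads it as one comment, and none of
# the settings below are present in the parsed document.

failure-threshold: warning

# Allow common development patterns that don't compromise security
ignored:
  - DL3059  # Multiple consecutive RUN instructions (improves layer caching in development)

# Trusted registries (checked by DL3026) - add your organization's registries
# NOTE(review): hadolint compares these entries with the registry host of each
# FROM image. Entries that carry a repository path (docker.io/library,
# gcr.io/distroless, cgr.dev/chainguard) may never match - confirm against a
# test Dockerfile. If only the host can be listed, be aware that it then
# trusts every repository on that host, not just the path intended here.
trustedRegistries:
  - docker.io/library   # Official Docker Hub images
  - gcr.io/distroless   # Google distroless images
  - cgr.dev/chainguard  # Chainguard images
  # Add your private registries below:
  # - mycompany.azurecr.io
  # - gcr.io/my-project

# Balanced severity levels
override:
  error:
    - DL3002  # Last USER should not be root (critical security)
    - DL3020  # Use COPY instead of ADD (ADD can fetch remote URLs and unpack archives)
  warning:
    - DL3000  # Use absolute WORKDIR
    - DL3001  # Commands that make no sense in a container (ssh, vim, shutdown, service, ...)
    - DL3006  # Always tag images
    - DL3008  # Version pinning for apt
    - DL3013  # Version pinning for pip
    - DL3025  # Use JSON notation for CMD/ENTRYPOINT
  info:
    # DL3007 flags the mutable `latest` tag; it is not an image-digest check.
    # NOTE(review): at `info` it sits below the `warning` failure-threshold
    # above, so it is reported but never fails the build - confirm this is
    # intended.
    - DL3007  # Do not use the `latest` tag
    - DL3009  # Delete apt cache (optimization)

# Recommended OCI labels
label-schema:
  maintainer: text
  org.opencontainers.image.version: semver
  org.opencontainers.image.vendor: text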