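---
# Hadolint Strict Configuration
# Enforces maximum security with minimal exceptions
# Use for: Production Dockerfiles, security-critical applications

# Findings at or above this severity make hadolint exit non-zero. Rules left
# at warning/info/style are still reported but do not fail the run.
failure-threshold: error

# Minimal ignores - only critical exceptions
ignored: []

# Only trust official and verified registries (checked by DL3026 on FROM).
# NOTE(review): DL3026 appears to compare the registry host of the FROM
# reference (e.g. docker.io, gcr.io), not a host/namespace path. Confirm with
# a test Dockerfile that these path-qualified entries match as intended on
# the hadolint version in use; if they never match, every FROM is rejected.
trustedRegistries:
  - docker.io/library   # Official Docker Hub images
  - gcr.io/distroless   # Google distroless base images
  - cgr.dev/chainguard  # Chainguard minimal images

# Enforce strict severity levels
override:
  # Raised to error: these fail the run under the threshold above.
  error:
    - DL3000  # Use absolute WORKDIR
    # DL3001 is not a pinning rule. If yum version pinning was intended here,
    # that check is DL3033.
    - DL3001  # Avoid commands that make no sense in a container (ssh, vim, ...)
    - DL3002  # Last USER should not be root
    - DL3003  # Use WORKDIR instead of cd
    - DL3006  # Always tag images
    - DL3008  # Version pinning for apt
    - DL3013  # Version pinning for pip
    - DL3016  # Version pinning for npm
    - DL3018  # Version pinning for apk
    - DL3020  # Use COPY instead of ADD
    # DL3028 does not inspect credentials or build secrets; secret handling
    # needs a separate control.
    - DL3028  # Version pinning for gem
  # Reported only: below the failure threshold, so these do not block a build.
  warning:
    # DL3007 only rejects the `latest` tag; it does not require a digest.
    - DL3007  # Avoid the latest tag; pin an explicit release tag
    - DL3009  # Delete apt cache
    - DL3015  # Avoid additional packages
    - DL3025  # Use JSON notation

# Enforce OCI image labels
# NOTE(review): the missing-label finding (DL3049) and the label format
# checks default to info/warning severity, which is below the `error`
# threshold above. List them under override.error if a missing or malformed
# label should fail the run - confirm the rule IDs for your hadolint version.
label-schema:
  maintainer: text
  org.opencontainers.image.created: rfc3339
  org.opencontainers.image.authors: text
  org.opencontainers.image.url: url
  org.opencontainers.image.documentation: url
  org.opencontainers.image.source: url
  org.opencontainers.image.version: semver
  org.opencontainers.image.revision: text
  org.opencontainers.image.vendor: text
  org.opencontainers.image.title: text
  org.opencontainers.image.description: text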