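---
# Hadolint Strict Configuration
# Enforces maximum security with minimal exceptions
# Use for: Production Dockerfiles, security-critical applications

# Exit non-zero only when a finding is at "error" severity or above.
# Rules listed under override.warning below are still reported, but they
# do not fail the run on their own.
failure-threshold: error

# Minimal ignores - only critical exceptions
ignored: []

# Only trust official and verified registries (DL3026 rejects FROM images
# that do not come from one of these).
# NOTE(review): confirm this hadolint version matches on the namespace
# suffix ("docker.io/library") and not only on the registry host - verify
# with a FROM line from another docker.io namespace before relying on it.
trustedRegistries:
  - docker.io/library # Official Docker Hub images
  - gcr.io/distroless # Google distroless base images
  - cgr.dev/chainguard # Chainguard minimal images

# Enforce strict severity levels
override:
  error:
    - DL3000 # Use absolute WORKDIR
    - DL3001 # Do not run commands that make no sense in a container (ssh, vim, service, ...)
    - DL3002 # Last USER must not be root
    - DL3003 # Use WORKDIR instead of cd
    - DL3006 # Always tag images
    - DL3008 # Version pinning for apt
    - DL3013 # Version pinning for pip
    - DL3016 # Version pinning for npm
    - DL3018 # Version pinning for apk
    - DL3020 # Use COPY instead of ADD
    - DL3028 # Version pinning for gem
  warning:
    - DL3007 # Do not use the :latest tag
    - DL3009 # Delete apt cache
    - DL3015 # Avoid additional packages
    - DL3025 # Use JSON notation

# Enforce OCI image labels: every listed label must be present and its
# value must parse as the named type.
label-schema:
  maintainer: text
  org.opencontainers.image.created: rfc3339
  org.opencontainers.image.authors: text
  org.opencontainers.image.url: url
  org.opencontainers.image.documentation: url
  org.opencontainers.image.source: url
  org.opencontainers.image.version: semver
  org.opencontainers.image.revision: text
  org.opencontainers.image.vendor: text
  org.opencontainers.image.title: text
  org.opencontainers.image.description: text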