Docker Rules
Build, run, and manage containers and images. Streamline your development workflow with Docker Compose and networking.
4 rules
Define Health Checks in Every Dockerfile
Every production Dockerfile must include a HEALTHCHECK instruction to enable container orchestrators to detect and replace unhealthy instances automatically.
Use Minimal Base Images
Choose the smallest possible base image for production containers (distroless, Alpine, or scratch) to minimize attack surface, reduce CVEs, and speed up deployments.
Always Run Containers as Non-Root
Enforce non-root user execution in all Docker containers — create dedicated users, set proper file ownership, and configure runtime security to prevent privilege escalation.
Pin Docker Image Versions
Always pin base image versions with exact tags or SHA256 digests — prevent supply chain attacks, ensure reproducible builds, and avoid unexpected breaking changes.