generated from bisco/codex-bootstrap
# Docker profile

Enable this profile for repositories containing Dockerfiles, Compose files, container entrypoints, reverse proxy configuration, or containerized deployment logic.

## Rules

Codex MUST:

- avoid `latest` tags;
- prefer pinned or explicit versions;
- keep images small and reproducible;
- avoid privileged containers unless explicitly justified in an ADR;
- avoid unnecessary published ports;
- use least-privilege users where practical;
- avoid storing secrets in images or Compose files;
- use healthchecks when useful and practical;
- document exposed ports, volumes, networks, and runtime assumptions;
- keep entrypoints simple and explicit.

## Project mode behavior

If `.codex/project.md` sets `project_mode: work`, Codex SHOULD prefer Red Hat UBI minimal images when possible and reasonable.

If `.codex/project.md` sets `project_mode: personal`, Codex may use the most appropriate base image for the project, but it MUST still avoid `latest` tags and unsafe defaults.

## Validation examples

Use project-specific Docker-based commands, for example:

```bash
docker compose config
```

```bash
docker compose build
```

```bash
docker compose run --rm app pytest
```
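Several of the rules above (no `latest` or untagged images, no privileged containers, a non-root user, no secrets in images or Compose files) can also be checked statically before any build runs. The following is an added example, not part of this profile or its repository; the function names, rule labels and sample inputs are assumptions, and the line-based matching is a heuristic rather than a full Dockerfile or YAML parser.

```python
import re

SECRET = re.compile(r"PASSWORD|SECRET|TOKEN|API_?KEY", re.I)

def unpinned(image):
    """True when an image reference has no tag or digest, or uses :latest."""
    name = image.rsplit("/", 1)[-1]  # drop registry host:port and path
    return image != "scratch" and (":" not in name or name.endswith(":latest"))

def check_dockerfile(text):
    """Heuristic line scan; returns (line_number, rule) findings."""
    found, stages, user = [], set(), None
    for n, line in enumerate(text.splitlines(), 1):
        op, *rest = line.split() or [""]
        op, args = op.upper(), [p for p in rest if not p.startswith("--")]
        if op == "FROM" and args:
            if args[0] not in stages and unpinned(args[0]):
                found.append((n, "unpinned-base"))
            stages.update(args[2:3])  # remember the name in "AS <stage>"
            user = None  # heuristic: the final stage must set USER itself
        elif op == "USER" and args:
            user = args[0].split(":")[0]
        elif op in ("ENV", "ARG") and SECRET.search(line):
            found.append((n, "secret-in-image"))
    if user in (None, "root", "0"):
        found.append((0, "no-non-root-user"))  # line 0: whole-file finding
    return found

def check_compose(text):
    """Same rules for Compose YAML, matched per line without a YAML parser."""
    found = []
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if re.fullmatch(r"privileged:\s*true", s):
            found.append((n, "privileged"))
        m = re.fullmatch(r"image:\s*[\"']?([^\"'\s]+)[\"']?", s)
        if m and unpinned(m.group(1)):
            found.append((n, "unpinned-image"))
        m = re.match(r"-?\s*(\w+)\s*[:=]\s*[^\s$]", s)
        if m and SECRET.search(m.group(1)) and not m.group(1).endswith("_FILE"):
            found.append((n, "inline-secret"))
    return found

# Constructed samples, not taken from any real repository.
BAD_DOCKERFILE = "FROM python\nENV API_TOKEN=changeme\nCMD [\"python\", \"app.py\"]\n"
GOOD_DOCKERFILE = "FROM python:3.12-slim AS build\nFROM build\nUSER 10001\n"
BAD_COMPOSE = ("services:\n  app:\n    image: nginx:latest\n    privileged: true\n"
               "    environment:\n      - DB_PASSWORD=changeme\n")
```

Values interpolated from the environment (`${VAR}`) and `*_FILE` variables pointing at mounted secrets are deliberately not reported as inline secrets.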