codex-bootstrap/.codex/profiles/docker.md
2026-04-28 10:14:33 +02:00

1.2 KiB

Docker profile

Enable this profile for repositories containing Dockerfiles, Compose files, container entrypoints, reverse proxy configuration, or containerized deployment logic.

Rules

Codex MUST:

  • avoid latest tags;
  • prefer pinned or explicit versions;
  • keep images small and reproducible;
  • avoid privileged containers unless explicitly justified in an ADR;
  • avoid unnecessary published ports;
  • use least-privilege users where practical;
  • avoid storing secrets in images or Compose files;
  • use healthchecks when useful and practical;
  • document exposed ports, volumes, networks, and runtime assumptions;
  • keep entrypoints simple and explicit.

Project mode behavior

If .codex/project.md sets project_mode: work, Codex SHOULD prefer Red Hat UBI minimal images when possible and reasonable.

If .codex/project.md sets project_mode: personal, Codex may use the most appropriate base image for the project, but it MUST still avoid latest tags and unsafe defaults.

Validation examples

Use project-specific Docker-based commands, for example:

docker compose config
docker compose build
docker compose run --rm app pytest
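
A static check for three of the rules above (no latest tags, no secrets in images, least-privilege users), as an added example that is not part of this profile or its repository. The function names, finding labels and sample Dockerfile are assumptions made for illustration, and the checks are line-based heuristics rather than a full Dockerfile parser.

```python
import re

# Constructed sample Dockerfile (not from the profile) with deliberate violations.
SAMPLE = """\
FROM python:latest AS build
RUN pip install --prefix=/install flask
FROM registry.example.com/base/python
COPY --from=build /install /usr/local
ENV API_TOKEN=changeme
USER root
ENTRYPOINT ["python", "-m", "app"]
"""

SECRET_KEY = re.compile(r"(PASSWORD|SECRET|TOKEN|API_?KEY)\w*\s*=", re.I)

def image_is_pinned(ref):
    """True if the reference has a digest or a tag other than latest."""
    if "@sha256:" in ref:
        return True
    name, _, tag = ref.rsplit("/", 1)[-1].partition(":")  # skip registry host:port
    return tag not in ("", "latest")                      # no tag means implicit latest

def check_dockerfile(text):
    """Return (line_number, finding) pairs; line 0 marks a whole-file finding."""
    findings, stages, user = [], set(), None
    for n, raw in enumerate(text.splitlines(), 1):
        parts = raw.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        instr = parts[0].upper()
        args = [p for p in parts[1:] if not p.startswith("--")]  # drop --platform etc.
        if instr == "FROM" and args:
            ref, user = args[0], None  # assumption: a new stage runs as root until USER is set
            # scratch, earlier build stages and unresolved ARG references are not judged here
            exempt = ref == "scratch" or ref.lower() in stages or "$" in ref
            if not exempt and not image_is_pinned(ref):
                findings.append((n, "unpinned-base-image"))
            if len(args) >= 3 and args[1].upper() == "AS":
                stages.add(args[2].lower())
        elif instr == "USER" and args:
            user = args[0]
        elif instr in ("ENV", "ARG") and SECRET_KEY.search(raw):
            findings.append((n, "secret-in-image"))
    if user is None or user.split(":")[0] in ("root", "0"):
        findings.append((0, "final-stage-runs-as-root"))
    return findings

if __name__ == "__main__":
    print(check_dockerfile(SAMPLE))
```

A base image that already sets a non-root user will still be reported by the last check, so treat that finding as a prompt to add an explicit USER line.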