Document app container architecture and socket proxy requirement

- TODO: add app container architecture section with socket proxy, network
  isolation, image allowlist, and Podman evaluation items
- security-auditor: hard rules for never mounting raw Docker socket and
  never spawning privileged containers

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
curo1305
2026-04-13 23:19:38 +02:00
parent e443ea4d39
commit 03fcc6e117
2 changed files with 12 additions and 0 deletions
@@ -83,3 +83,5 @@ Key management: private key (`JWT_PRIVATE_KEY`) signs tokens and must never be e
- Never use `text()` with string interpolation in SQLAlchemy queries
- Never expose `hashed_password`, `is_superuser`, or internal IDs in API responses unless explicitly required
- After any code change, verify the pre-commit hook still passes
- **Never mount `/var/run/docker.sock` directly into the backend container** — Docker socket access must always go through `tecnativa/docker-socket-proxy` on an internal-only network with a minimal API whitelist. Raw socket access inside any app container is equivalent to root on the host.
- **Never spawn `--privileged` containers** or containers with added capabilities for app workloads
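Review bot: "minimal API whitelist" in the first added rule cannot be audited as written, because the line does not say which proxy API sections the backend may reach or where that list is defined. Name the permitted sections here, or point to the config file that sets them, so the auditor can flag any widening of the list. In the second added rule, "added capabilities" should name the concrete flag (`--cap-add`), and the rule should say explicitly that it also applies to containers created through the socket proxy, if that is how app workloads are spawned.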