Defined in hooks/hooks.json
{
  "PreToolUse": [
    {
      "hooks": [
        {
          "type": "prompt",
          "prompt": "Before writing Dockerfile or docker-compose files, validate:\n\n1. **Base Image Security**\n - Using official/verified base images?\n - Specific version tags (not 'latest')?\n - Minimal base image (alpine, distroless)?\n\n2. **Build Best Practices**\n - Multi-stage builds for size optimization?\n - Proper layer caching (COPY package files before code)?\n - Non-root user configured?\n - .dockerignore present?\n\n3. **Security Concerns**\n - No hardcoded secrets/credentials?\n - No sensitive files in build context?\n - Proper file permissions?\n\n4. **Optimization**\n - Minimal layers (combine RUN commands)?\n - Clean up package caches?\n - HEALTHCHECK defined?\n\nIf any issues found, suggest improvements before writing."
        }
      ],
      "matcher": "Write"
    },
    {
      "hooks": [
        {
          "type": "prompt",
          "prompt": "Before editing Dockerfile or docker-compose, review the changes for:\n\n1. **Security Impact**\n - Are new secrets/credentials being added?\n - Does the change increase attack surface?\n - Are file permissions still secure?\n\n2. **Build Efficiency**\n - Will this break layer caching?\n - Should this be a separate stage?\n - Is the layer order optimal?\n\n3. **Best Practices**\n - Still following multi-stage patterns?\n - Maintaining non-root user?\n - HEALTHCHECK still present?\n\nValidate changes align with container security and optimization standards."
        }
      ],
      "matcher": "Edit"
    }
  ],
  "PostToolUse": [
    {
      "hooks": [
        {
          "type": "prompt",
          "prompt": "If a Docker command was executed (docker build, docker-compose up, docker push), consider:\n\n1. **For docker build**: Run security scan with trivy, verify image size\n2. **For docker-compose up**: Check service health, verify network connectivity\n3. **For docker push**: Verify push success, update deployment docs\n\nWould you like to run any validation steps?"
        }
      ],
      "matcher": "Bash"
    },
    {
      "hooks": [
        {
          "type": "prompt",
          "prompt": "Dockerfile created/updated. Recommended validation:\n\n1. **Build Test**: docker build -t test-image:local .\n2. **Lint**: hadolint Dockerfile (if installed)\n3. **Security Pre-Check**: Review secrets, base image provenance\n4. **Size Estimation**: Predict final image size\n\nShould I validate the Dockerfile or proceed with a test build?"
        }
      ],
      "matcher": "Write"
    }
  ]
}

{
  "riskFlags": {
    "touchesBash": true,
    "matchAllTools": false,
    "touchesFileWrites": true
  },
  "typeStats": {
    "prompt": 4
  },
  "eventStats": {
    "PreToolUse": 2,
    "PostToolUse": 2
  },
  "originCounts": {
    "absolutePaths": 0,
    "pluginScripts": 0,
    "projectScripts": 0
  },
  "timeoutStats": {
    "commandsWithoutTimeout": 0
  }
}