devcontainer-hardened


Hardened devcontainer generator

Produce small, explicit Dev Container configs that prioritize supply-chain safety and failure isolation — not a kitchen-sink image.

Pair with fix-dependency-security (pnpm policy, sfw installs) and project-editor-profile (.editor extension allowlist).

Design principles (less is more)

  1. One job — dev + build + lint + type-check in-container. E2E and host-only browsers stay optional and off by default.
  2. Pinned base — image reference includes digest (image@sha256:…); re-pin deliberately, not on every edit.
  3. Non-root — remoteUser / containerUser is not root; no --privileged.
  4. Minimal capabilities — runArgs: --cap-drop=ALL, --security-opt=no-new-privileges:true when the host supports it.
  5. No secret sprawl — no API keys, tokens, or .env copies in devcontainer.json; use Codespaces/VS Code secret stores if needed later.
  6. No Docker-in-Docker by default — do not mount docker.sock unless the user explicitly needs it (huge blast radius).
  7. Frozen installs — postCreateCommand uses pnpm install --frozen-lockfile (or sfw pnpm install --frozen-lockfile when SFW is available in the image).
  8. Extension allowlist — only extensions that match the repo stack (read .editor/profile.json or package.json); never “install all recommended marketplace packs”.
  9. Explicit ports — forwardPorts lists only ports the app actually uses (e.g. 3000).
  10. Recoverable breaks — prefer devcontainer Features over custom Dockerfile layers; if Dockerfile is required, keep it < 15 lines and document why.
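
An audit check for principles 2 to 7, added here as an example (it is not part of the skill or of the p10ns11y/skills repository): it flags a generated devcontainer.json that drifts from the settings listed above. The function name `audit`, the secret-name heuristic, both sample configs and the all-zero digest are constructed for illustration, and the input is assumed to be comment-free JSON.

```python
import json
import re

# Constructed sample configs; the all-zero digest is a placeholder, not a real image.
HARDENED = json.dumps({
    "image": "mcr.microsoft.com/devcontainers/typescript-node@sha256:" + "0" * 64,
    "remoteUser": "node",
    "runArgs": ["--cap-drop=ALL", "--security-opt=no-new-privileges:true"],
    "postCreateCommand": "pnpm install --frozen-lockfile",
    "forwardPorts": [3000],
})
WEAK = json.dumps({
    "image": "node:latest",
    "remoteUser": "root",
    "runArgs": ["--privileged"],
    "mounts": ["source=/var/run/docker.sock,target=/var/run/docker.sock,type=bind"],
    "containerEnv": {"API_TOKEN": "constructed-value"},
    "postCreateCommand": "pnpm install",
})
SECRET_NAME = re.compile(r"KEY|TOKEN|SECRET|PASSWORD", re.I)  # heuristic, an assumption

def audit(text):
    """Return findings for a devcontainer.json supplied as comment-free JSON."""
    cfg = json.loads(text)
    args = " ".join(str(a) for a in cfg.get("runArgs", []))
    findings = []
    if not re.search(r"@sha256:[0-9a-f]{64}$", cfg.get("image", "")):
        findings.append("image not pinned by digest")
    users = [cfg.get("remoteUser"), cfg.get("containerUser")]
    if "root" in users or not any(users):  # unset falls back to the image default
        findings.append("user is root or unset")
    if "--privileged" in args or cfg.get("privileged") is True:
        findings.append("privileged container")
    if not re.search(r"--cap-drop[= ]ALL\b", args, re.I):
        findings.append("capabilities not dropped")
    if not re.search(r"--security-opt[= ]no-new-privileges(?![:=]false)", args):
        findings.append("no-new-privileges not set")
    if "docker.sock" in args + json.dumps(cfg.get("mounts", [])):
        findings.append("docker.sock mounted")
    for block in ("containerEnv", "remoteEnv"):
        for name, value in cfg.get(block, {}).items():
            # ${localEnv:...} style references are not literal secrets
            if SECRET_NAME.search(name) and not str(value).startswith("${"):
                findings.append(f"literal secret-like value in {block}: {name}")
    post = json.dumps(cfg.get("postCreateCommand", ""))
    if "install" in post and "--frozen-lockfile" not in post:
        findings.append("install without --frozen-lockfile")
    return findings
```

`audit(HARDENED)` returns an empty list; `audit(WEAK)` returns one finding per violated principle, which makes it usable as a CI gate on generated configs.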

Installs: 2
Repository: p10ns11y/skills
GitHub Stars: 1
First Seen: Jun 8, 2026