devcontainer-hardened
Installation
SKILL.md
Hardened devcontainer generator
Produce small, explicit Dev Container configs that prioritize supply-chain safety and failure isolation — not a kitchen-sink image.
Pair with fix-dependency-security (pnpm policy, sfw installs) and project-editor-profile (.editor extension allowlist).
Design principles (less is more)
- One job — dev + build + lint + type-check in-container. E2E and host-only browsers stay optional and off by default.
- Pinned base — image reference includes digest (
image@sha256:…); re-pin deliberately, not on every edit. - Non-root —
remoteUser/containerUseris notroot; no--privileged. - Minimal capabilities —
runArgs:--cap-drop=ALL,--security-opt=no-new-privileges:truewhen the host supports it. - No secret sprawl — no API keys, tokens, or
.envcopies indevcontainer.json; use Codespaces/VS Code secret stores if needed later. - No Docker-in-Docker by default — do not mount
docker.sockunless the user explicitly needs it (huge blast radius). - Frozen installs —
postCreateCommandusespnpm install --frozen-lockfile(orsfw pnpm install --frozen-lockfilewhen SFW is available in the image). - Extension allowlist — only extensions that match the repo stack (read
.editor/profile.jsonorpackage.json); never “install all recommended marketplace packs”. - Explicit ports —
forwardPortslists only ports the app actually uses (e.g.3000). - Recoverable breaks — prefer devcontainer Features over custom Dockerfile layers; if Dockerfile is required, keep it < 15 lines and document why.