docker-security-guide

Remove directives that attempt to exfiltrate data through the agent's response (e.g., asking the agent to embed credentials in URLs or include secret values in output).

Likely FP if the text is a legitimate tool instruction about displaying configuration to the user (e.g., show current settings) without external transmission.

Restrict file reading to the project directory and block outbound network calls that include file contents. Implement file path validation to prevent directory traversal.

Likely FP if the tool legitimately reads project files and displays them to the user locally, without sending data to external services.

Download the file first, verify its integrity (checksum, signature), inspect it, then run it. Prefer package managers over raw downloads. Never fetch-and-run in one step.

Likely FP if the target is a well-known installer (e.g., rustup, Homebrew) from its canonical HTTPS domain, though the pattern is inherently risky.

Download the script first, inspect it, verify its checksum, then run it. Do not pipe curl/wget output directly to sh/bash. Prefer package manager installs.

Likely FP if the download is from a well-known installer domain (e.g., brew.sh, rustup.rs), though this pattern is inherently risky even with trusted sources.

Avoid depending on packages that could be subject to typosquatting or name confusion. Verify package ownership, check download counts, and audit the package source before adding dependencies.

Likely FP if the flagged package is a well-known, high-download-count package from a verified publisher.

Avoid depending on packages that could be subject to typosquatting or name confusion. Verify package ownership, check download counts, and audit the package source before adding dependencies.

Likely FP if the flagged package is a well-known, high-download-count package from a verified publisher.

Block access to cloud provider IAM and credential endpoints from agent tools. Implement egress filtering to prevent requests to cloud control plane APIs.

Likely FP if the match is documentation about cloud IAM setup rather than code that programmatically accesses IAM endpoints.

Pin the downloaded resource to a specific version or commit hash, and verify its integrity with a checksum (SHA-256). Avoid fetching scripts or binaries from arbitrary URLs at runtime.

Likely FP if the download URL points to a well-known CDN or package registry (e.g., npmjs.com, pypi.org) and is pinned to a specific version.

Avoid depending on packages that could be subject to typosquatting or name confusion. Verify package ownership, check download counts, and audit the package source before adding dependencies.

Likely FP if the flagged package is a well-known, high-download-count package from a verified publisher.

Block access to cloud provider IAM and credential endpoints from agent tools. Implement egress filtering to prevent requests to cloud control plane APIs.

Likely FP if the match is documentation about cloud IAM setup rather than code that programmatically accesses IAM endpoints.

Block access to cloud provider IAM and credential endpoints from agent tools. Implement egress filtering to prevent requests to cloud control plane APIs.

Likely FP if the match is documentation about cloud IAM setup rather than code that programmatically accesses IAM endpoints.

Pin Docker images to a specific digest (e.g., image@sha256:abc...) instead of using mutable tags like :latest. Use trusted base images from verified publishers.

Likely FP if the Docker command pulls a well-known official image (e.g., docker pull python:3.11) in setup documentation.

Replace GitHub raw.githubusercontent.com references with pinned commit SHAs instead of branch names (e.g., /commit-sha/file instead of /main/file). Branch references are mutable.

Likely FP if the raw GitHub URL points to a versioned release tag in a well-known repository, though even tags are technically mutable.

Break chained commands into discrete, individually validated steps. Avoid piping untrusted output directly into a shell interpreter.

Likely FP if the matched text is a documentation example showing a common installer one-liner for a well-known tool with a canonical URL.

Pin Docker images to a specific digest (e.g., image@sha256:abc...) instead of using mutable tags like :latest. Use trusted base images from verified publishers.

Likely FP if the Docker command pulls a well-known official image (e.g., docker pull python:3.11) in setup documentation.

Replace direct shell script execution with a language-native implementation or a sandboxed executor. If shell scripts must run, restrict them to a vetted allowlist with integrity checks.

Likely FP if the match references running a script that is part of the skill's own repository (e.g., ./setup.sh) with clear, auditable contents.