Bundled Assertions

deployment-standards.yaml

Container deployment standards for Docker Compose services. Covers image versioning, restart policies, health checks, logging, security, and networking. Source: OPS-DOCKER-001.

12 assertions: 7 must severity, 5 should severity. 10 have machine-evaluable match conditions; 2 are LLM-context only.

Usage

decoct compress docker-compose.yml --assertions deployment-standards
# or via the bundled profile:
decoct compress docker-compose.yml --profile docker-compose

Assertions

`ops-image-pinned` (must)

Image tags must be pinned to specific versions, not :latest.

Path: services.*.image
Condition: pattern: ^(?!.*:latest$)(?=.*:.+$)
Conformant: nginx:1.25.3 — stripped by strip-conformant
Non-conformant: nginx:latest — annotated with [!]

`ops-restart-policy` (must)

Restart policy must be unless-stopped or always.

Path: services.*.restart
Condition: pattern: ^(unless-stopped|always)$
Conformant: stripped | Non-conformant: annotated

`ops-container-name` (must)

Container name must be explicitly set.

Path: services.*.container_name
Condition: exists: true
Effect: Missing keys are reported as deviations (no value to strip)

`ops-healthcheck` (must)

All application containers must have health checks configured.

Path: services.*.healthcheck
Condition: exists: true
Exceptions: Infrastructure-only containers may rely on built-in health mechanisms

`ops-logging-driver` (must)

Logging driver must be json-file.

Path: services.*.logging.driver
Condition: value: json-file
Conformant: stripped | Non-conformant: # [!] standard: json-file

`ops-logging-max-size` (must)

Log rotation max-size must be configured.

Path: services.*.logging.options.max-size
Condition: pattern: .+

`ops-logging-max-file` (must)

Log rotation max-file must be configured.

Path: services.*.logging.options.max-file
Condition: pattern: .+

`ops-security-opt` (should)

Containers should set no-new-privileges security option.

Path: services.*.security_opt
Condition: contains: no-new-privileges:true
Effect: Not stripped (should severity), but deviations are annotated

`ops-no-privileged` (must)

Containers must not run in privileged mode.

Path: services.*.privileged
Condition: value: false
Conformant: stripped | Non-conformant: # [!] standard: false

`ops-resource-limits` (should)

Production and multi-container stacks should define resource limits.

Match: None (LLM-context only)
Effect: Included as context for LLM consumers; no automated stripping or annotation

`ops-named-networks` (should)

Services should use named networks, not the default bridge.

Match: None (LLM-context only)

`ops-no-host-0000` (should)

Ports must not bind to 0.0.0.0; use specific IPs or 127.0.0.1.

Match: None (LLM-context only)

Coverage Summary

Area	Assertions	Machine-Evaluable
Image versioning	`ops-image-pinned`	Yes
Restart policy	`ops-restart-policy`	Yes
Container naming	`ops-container-name`	Yes
Health checks	`ops-healthcheck`	Yes
Logging	`ops-logging-driver`, `ops-logging-max-size`, `ops-logging-max-file`	Yes
Security	`ops-security-opt`, `ops-no-privileged`	Yes
Resources	`ops-resource-limits`	No
Networking	`ops-named-networks`, `ops-no-host-0000`	No

Limitations

exists assertions cannot attach inline YAML comments to absent keys; deviations appear only in the pass report
Variable substitution (${IMAGE_TAG:-latest}) is not expanded during evaluation
Resource limits and port binding assertions are LLM-context only (no match condition)
should-severity assertions are annotated but not stripped (by design)

Bundled Assertions

deployment-standards.yaml

Usage

Assertions

ops-image-pinned (must)

ops-restart-policy (must)

ops-container-name (must)

ops-healthcheck (must)

ops-logging-driver (must)

ops-logging-max-size (must)

ops-logging-max-file (must)

ops-security-opt (should)

ops-no-privileged (must)

ops-resource-limits (should)

ops-named-networks (should)

ops-no-host-0000 (should)