OpenSkillIndex← back to search
claude-codesecurity

Claude-skill-registry container-scanner

Scans containers and Dockerfiles for security issues. Wraps Hadolint for Dockerfile linting and Trivy for container image scanning. Use when user asks to "scan Dockerfile", "lint Dockerfile", "container security", "image scan", "Dockerセキュリティ", "コンテナスキャン".

install
source · Clone the upstream repo
git clone https://github.com/majiayu000/claude-skill-registry
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/majiayu000/claude-skill-registry "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/data/container-scanner" ~/.claude/skills/majiayu000-claude-skill-registry-container-scanner && rm -rf "$T"
manifest: skills/data/container-scanner/SKILL.md
tags
#docker-scanning#security-audit#dockerfile-linting#trivy-integration#hadolint-wrapper
source content

Container Scanner

Wrapper for Hadolint and Trivy to scan Dockerfiles and container images.

Prerequisites

# Hadolint (Dockerfile linting)
brew install hadolint
# or
docker pull hadolint/hadolint

# Trivy (container image scanning)
brew install trivy
# or
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin

Usage

# Lint Dockerfile
npx container-scanner lint Dockerfile

# Scan container image
npx container-scanner image nginx:latest

# Both operations with JSON output
npx container-scanner lint Dockerfile --json
npx container-scanner image myapp:v1 --json

# Check available tools
npx container-scanner --check

Hadolint Rules

Common Dockerfile best practices checked:

RuleDescription
DL3000Use absolute WORKDIR
DL3001For some POSIX utilities, you can skip using apt-get
DL3002Last USER should not be root
DL3003Use WORKDIR to switch directories
DL3006Always tag the version of an image explicitly
DL3007Using latest is prone to errors
DL3008Pin versions in apt get install
DL3009Delete apt-get lists after installing
DL3018Pin versions in apk add
DL4006Set SHELL option -o pipefail

Output Format

Dockerfile Lint

{
  "tool": "hadolint",
  "scanPath": "Dockerfile",
  "findings": [
    {
      "id": "DL3007",
      "severity": "warning",
      "line": 1,
      "message": "Using latest is prone to errors...",
      "file": "Dockerfile"
    }
  ],
  "summary": { "total": 1, "error": 0, "warning": 1, "info": 0 }
}

Image Scan

{
  "tool": "trivy",
  "image": "nginx:latest",
  "findings": [
    {
      "id": "CVE-2024-1234",
      "severity": "critical",
      "package": "openssl",
      "installedVersion": "1.1.1",
      "fixedVersion": "1.1.2",
      "title": "Buffer Overflow"
    }
  ],
  "summary": { "total": 5, "critical": 1, "high": 2, "medium": 2 }
}

Exit Codes

  • 0
    : No issues found
  • 1
    : Issues detected
  • 2
    : Tool not installed or error