OpenSkillIndex← back to search
claude-codesecurity

Claude-skill-registry docker-security

Secure Docker containers and images with hardening, scanning, and secrets management

install
source · Clone the upstream repo
git clone https://github.com/majiayu000/claude-skill-registry
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/majiayu000/claude-skill-registry "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/data/docker-security" ~/.claude/skills/majiayu000-claude-skill-registry-docker-security && rm -rf "$T"
manifest: skills/data/docker-security/SKILL.md
tags
#docker#security#hardening#vulnerability-scanning#secrets-management
source content

Docker Security Skill

Master container security hardening, vulnerability scanning, and secrets management following CIS Docker Benchmark.

Purpose

Implement security best practices for Docker containers and images including non-root users, capability dropping, and vulnerability scanning.

Parameters

ParameterTypeRequiredDefaultDescription
imagestringNo-Image to scan
severityenumNoHIGHCRITICAL/HIGH/MEDIUM/LOW
compliancestringNoCISCIS/NIST/SOC2

Security Hardening

Non-Root User (MANDATORY)

# Create non-root user
RUN addgroup -g 1001 app && \
    adduser -u 1001 -G app -D app

# Set ownership
COPY --chown=app:app . /app

# Switch user
USER app

Read-Only Filesystem

docker run --read-only \
  --tmpfs /tmp:rw,noexec,nosuid \
  myapp:latest

Drop Capabilities

docker run \
  --cap-drop ALL \
  --cap-add NET_BIND_SERVICE \
  myapp:latest

Complete Hardened Run

docker run \
  --security-opt no-new-privileges:true \
  --cap-drop ALL \
  --read-only \
  --user 1001:1001 \
  --pids-limit 100 \
  --memory 512m \
  myapp:latest

Vulnerability Scanning

Trivy

# Basic scan
trivy image myapp:latest

# Filter by severity
trivy image --severity CRITICAL,HIGH myapp:latest

# CI/CD integration (fail on critical)
trivy image --exit-code 1 --severity CRITICAL myapp:latest

# JSON output
trivy image --format json --output report.json myapp:latest

Docker Scout

# Quick scan
docker scout cves myapp:latest

# Detailed report
docker scout cves --format markdown myapp:latest

Secrets Management

Docker Compose Secrets

services:
  database:
    image: postgres:16-alpine
    secrets:
      - db_password
    environment:
      POSTGRES_PASSWORD_FILE: /run/secrets/db_password

secrets:
  db_password:
    file: ./secrets/db_password.txt

BuildKit Secrets

# syntax=docker/dockerfile:1
RUN --mount=type=secret,id=npmrc,target=/root/.npmrc \
    npm install

docker build --secret id=npmrc,src=.npmrc .

Secure Dockerfile

FROM node:20-alpine AS builder
WORKDIR /app
COPY package*.json ./
RUN npm ci --only=production
COPY . .
RUN npm run build

FROM gcr.io/distroless/nodejs20-debian12
WORKDIR /app
COPY --from=builder /app/dist ./dist
COPY --from=builder /app/node_modules ./node_modules
USER nonroot
CMD ["dist/index.js"]

Error Handling

Common Errors

ErrorCauseSolution
permission denied
Non-root userFix file ownership
read-only filesystem
Read-only modeUse tmpfs mounts
operation not permitted
Missing capabilityAdd specific cap

Fallback Strategy

  1. Start without restrictions
  2. Add security options incrementally
  3. Test each restriction

Troubleshooting

Debug Checklist

  • Running as non-root? 
    docker exec <c> id
  • Scanned for vulnerabilities?
  • Capabilities dropped?
  • Secrets not in env vars?

CIS Benchmark

docker run --rm --net host --pid host \
  -v /var/run/docker.sock:/var/run/docker.sock \
  docker/docker-bench-security

Usage

Skill("docker-security")

Related Skills

  • dockerfile-basics
  • docker-production