Claude-skill-registry dockerfile-review

Review Dockerfiles for best practices, security, and optimization. Use when the user says "review Dockerfile", "optimize image", "Dockerfile best practices", "reduce image size", or asks to audit a container build.

Install

  • Source: clone the upstream repo
    git clone https://github.com/majiayu000/claude-skill-registry
  • Claude Code: install into ~/.claude/skills/
    T=$(mktemp -d) && git clone --depth=1 https://github.com/majiayu000/claude-skill-registry "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/data/dockerfile-review" ~/.claude/skills/majiayu000-claude-skill-registry-dockerfile-review && rm -rf "$T"
  • Manifest: skills/data/dockerfile-review/SKILL.md

Source content

Dockerfile Review

Audit Dockerfiles for security, efficiency, and best practices.

Instructions

  1. Read the Dockerfile
  2. Check for issues in each category below
  3. Report findings with severity (critical/warning/suggestion)
  4. Provide specific fixes with corrected code

Security checks

  • MUST flag `USER root` without switching back
  • MUST flag secrets in ENV, ARG, or COPY (API keys, passwords)
  • MUST flag `apt-get install` without `--no-install-recommends`
  • Flag missing `USER` directive (runs as root by default)
  • Flag `COPY . .` (may include secrets, .git, etc.)
  • Flag `:latest` tags (unpinned versions)
  • Flag `curl | sh` patterns

Optimization checks

  • Multi-stage builds for compiled languages
  • Layer ordering (least-changing first)
  • Combined RUN statements to reduce layers
  • Cache mounts for package managers: `--mount=type=cache`
  • `.dockerignore` file exists and covers .git, node_modules, etc.
  • `apt-get clean && rm -rf /var/lib/apt/lists/*` in the same layer

Best practices

```dockerfile
# Good: pinned, non-root, minimal
FROM python:3.11-slim@sha256:abc123...
WORKDIR /app
RUN useradd -r -s /bin/false appuser
COPY requirements.txt .
RUN --mount=type=cache,target=/root/.cache/pip \
    pip install -r requirements.txt
COPY --chown=appuser:appuser . .
USER appuser
CMD ["python", "app.py"]
```

Output format

```markdown
## Critical
- Line 5: Running as root without USER directive

## Warnings
- Line 12: Using :latest tag - pin to specific version

## Suggestions
- Line 8-10: Combine RUN statements to reduce layers
```
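The security and optimization checks listed above, applied mechanically and reported in the output format just shown, as an added example that is not part of the skill's own code. It is a line-based heuristic: backslash-continued lines are joined into one logical instruction, then each instruction is matched by keyword and regular expression. The regexes, the severities assigned to checks the skill does not rate (only root, `:latest` and combined RUNs are rated in the skill's sample report), and the two sample Dockerfiles (using the reserved `example.invalid` host and a made-up `API_KEY` value) are this example's own assumptions; the root check is evaluated for the final stage only, since an earlier stage's USER does not carry into the runtime image.

```python
"""Heuristic reviewer for the checks listed above (added example, not the skill's own code). Lines
are joined at backslashes and matched by keyword/regex, so shell tricks (eval, variables) can slip past."""
import re

# Patterns, and the severities given to checks the skill does not rate, are this example's choice.
SECRET_NAME_RE = re.compile(r"(?i)api[_-]?key|secret|passw(or)?d|token|private[_-]?key")
PIPE_TO_SHELL_RE = re.compile(r"\b(curl|wget)\b.*\|\s*(sudo\s+)?(ba|z)?sh\b")
APT_INSTALL_RE = re.compile(r"apt-get\s+(?:-\S+\s+)*install\b")
PKG_INSTALL_RE = re.compile(r"\bpip3?\s+install\b|\bnpm\s+(install|ci)\b|apt-get\s+(?:-\S+\s+)*install\b")
TITLES = (("critical", "Critical"), ("warning", "Warnings"), ("suggestion", "Suggestions"))

def parse_instructions(text):
    """Return (first_line_no, KEYWORD, args) per logical instruction, continuations joined."""
    out, buf, start = [], [], 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not buf and (not line or line.startswith("#")):
            continue  # blank lines and comments between instructions
        start = start if buf else no
        buf.append(line.rstrip("\\").strip())
        if not line.endswith("\\"):
            kw, _, args = " ".join(buf).partition(" ")
            out.append((start, kw.upper(), args.strip()))
            buf = []
    return out

def review(text):
    """Return (severity, lines, message) tuples; the root check looks at the final stage only."""
    findings, run_block, from_line, user = [], [], 0, (None, 0)
    def flag(severity, lines, message):
        findings.append((severity, str(lines), message))

    for no, kw, args in parse_instructions(text) + [(0, "<EOF>", "")]:  # sentinel ends a trailing RUN run
        if kw != "RUN":
            if len(run_block) > 1:  # consecutive RUN instructions
                flag("suggestion", f"{run_block[0]}-{run_block[-1]}", "Combine RUN statements to reduce layers")
            run_block.clear()
        if kw == "FROM":
            image = (args.split() or [""])[0]  # drop "AS stage"
            ref = image.rsplit("/", 1)[-1]     # ignore a registry host:port
            if "@sha256:" not in image and (":" not in ref or ref.endswith(":latest")):
                flag("warning", no, f"Unpinned image {image} - pin to a specific version or digest")
            from_line, user = no, (None, 0)    # every stage starts as root
        elif kw == "USER":
            user = (args.split(":")[0], no)
        elif kw in ("ENV", "ARG"):
            for name in re.findall(r"([A-Za-z_]\w*)\s*=", args) or args.split()[:1]:
                if SECRET_NAME_RE.search(name):
                    flag("critical", no, f"{kw} {name} looks like a secret - pass it at runtime or via --mount=type=secret")
        elif kw in ("COPY", "ADD"):
            srcs = [t for t in args.split() if not t.startswith("--")][:-1]
            if "." in srcs:
                flag("warning", no, f"{kw} of the whole build context (may include secrets, .git, etc.)")
        elif kw == "RUN":
            run_block.append(no)
            if PIPE_TO_SHELL_RE.search(args):
                flag("warning", no, "curl | sh pattern - download, verify a checksum, then run")
            if APT_INSTALL_RE.search(args):
                if "--no-install-recommends" not in args:
                    flag("warning", no, "apt-get install without --no-install-recommends")
                if "rm -rf /var/lib/apt/lists" not in args:
                    flag("suggestion", no, "apt-get clean && rm -rf /var/lib/apt/lists/* in the same layer")
            if PKG_INSTALL_RE.search(args) and "--mount=type=cache" not in args:
                flag("suggestion", no, "Use --mount=type=cache for the package manager cache")
    if user[0] is None:
        flag("critical", from_line, "Running as root without USER directive")
    elif user[0] in ("root", "0"):
        flag("critical", user[1], "USER root without switching back to a non-root user")
    return findings

def format_report(findings):
    """Render findings in the skill's output format (## Critical / Warnings / Suggestions)."""
    sections = []
    for sev, title in TITLES:
        items = [f"- Line {lines}: {msg}" for s, lines, msg in findings if s == sev]
        if items:
            sections.append(f"## {title}\n" + "\n".join(items))
    return "\n\n".join(sections) or "No findings."

# Constructed sample Dockerfiles, not taken from any real project.
BAD_DOCKERFILE = """\
FROM node:latest
ENV API_KEY=sk-constructed-example-value
RUN apt-get update && apt-get install curl
RUN curl -fsSL https://example.invalid/install.sh | sh
COPY . .
CMD ["node", "server.js"]
"""
GOOD_DOCKERFILE = """\
FROM node:20-bookworm-slim
RUN useradd -r -s /bin/false appuser
COPY package.json package-lock.json ./
RUN --mount=type=cache,target=/root/.npm \\
    npm ci --omit=dev
COPY --chown=appuser:appuser src/ ./src/
USER appuser
CMD ["node", "src/server.js"]
"""

if __name__ == "__main__":
    print(format_report(review(BAD_DOCKERFILE)), format_report(review(GOOD_DOCKERFILE)), sep="\n\n")
```

Running the file prints the nine findings for the bad Dockerfile under the three headings (two critical: the `ENV API_KEY` and running as root; four warnings; three suggestions, including `Line 3-4: Combine RUN statements`) and `No findings.` for the good one. The `.dockerignore` rule is deliberately not covered here because it needs the build context, not just the Dockerfile text; a reviewer still has to open that file by hand.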

Rules

  • MUST read the Dockerfile before reviewing
  • MUST categorize issues by severity
  • Never approve Dockerfiles with hardcoded secrets
  • Always check for corresponding .dockerignore