Ejecuta cualquier Skill en Manus
con un clic

Ejecuta cualquier Skill en Manus con un clic

$pwd:

nethserver-containerfile

Name: Nethserver Containerfile
Author: NethServer

// Write and review secure, production-ready Containerfiles following NethServer container best practices. Use when creating a new Containerfile, reviewing an existing container image, or mentions "/Containerfile". Supports: (1) Rootless container configuration with non-root USER, (2) Multi-stage build separation of build and runtime, (3) Minimal and pinned base image selection (Alpine/Debian-slim), (4) Vulnerability scanning guidance with Trivy and layer inspection with Dive, (5) Renovate setup for automated dependency updates

Ejecutar en Manus

$ git log --oneline --stat

stars:1

forks:0

updated:28 de abril de 2026, 10:39

SKILL.md

readonly

name

nethserver-containerfile

description

Write and review secure, production-ready Containerfiles following NethServer container best practices. Use when creating a new Containerfile, reviewing an existing container image, or mentions "/Containerfile". Supports: (1) Rootless container configuration with non-root USER, (2) Multi-stage build separation of build and runtime, (3) Minimal and pinned base image selection (Alpine/Debian-slim), (4) Vulnerability scanning guidance with Trivy and layer inspection with Dive, (5) Renovate setup for automated dependency updates

NethServer Secure Containerfile

Overview

Write and review Containerfiles following NethServer container security best practices. Source: NethServer Development Handbook — Creating Secure Containers

Rules (apply all unless explicitly overridden)

1. Rootless containers

Always run the container as a non-root user. Add a dedicated user at the end of the build stage:

RUN adduser -D -u 1001 appuser
USER appuser

If the upstream image already defines a non-root user (e.g., node, nobody), use it. Only omit this if the software cannot run rootless and you explicitly document why.

2. Multi-stage builds

Separate the build environment from the runtime image to keep the final image small and free of build tools:

# Stage 1: Build
FROM golang:1.22 AS builder
WORKDIR /app
COPY . .
RUN go build -o myapp

# Stage 2: Runtime
FROM alpine:3.20
WORKDIR /app
COPY --from=builder /app/myapp .
USER nobody
CMD ["./myapp"]

Use multi-stage builds for any compiled language (Go, Rust, Java, C/C++) and for Node.js apps that require a build step.

3. Minimal base images

Prefer minimal base images to reduce attack surface:

First choice: alpine:X.Y — smallest, fewest packages
Fallback (MUSL incompatibility): debian:X.Y-slim or ubuntu:X.Y

# Preferred
FROM alpine:3.20

# Fallback when Alpine is not compatible
FROM debian:12-slim

Never use bare distro images (FROM ubuntu, FROM debian) without the slim or minimal variant unless strictly required.

4. Pin image versions — never use `latest`

Always specify the exact version tag:

# Good
FROM alpine:3.20
FROM node:20-alpine3.20

# Bad — never do this
FROM alpine:latest
FROM node

Pinned versions ensure reproducible builds and prevent unexpected breakage from upstream changes.

5. Dependency pinning (optional, project-dependent)

When installing packages, you may pin versions for reproducibility:

# Alpine
RUN apk add --no-cache openssl=3.3.0-r0

# Debian/Ubuntu
RUN apt-get install -y --no-install-recommends openssl=3.0.11-1

Trade-off: strict pinning improves reproducibility but can delay security patches. Use Renovate (see below) to automate updates when pinning is used.

6. Automate dependency updates with Renovate

Add a renovate.json to the repository to keep base image versions and dependencies updated automatically. The NethServer default Renovate config is available at NethServer/.github.

7. No secrets in layers

Never COPY .env files, private keys, or credentials into the image.
Never pass secrets as ARG or ENV variables that end up in the final layer.
Use Docker secrets or environment injection at runtime instead.

Checklist before finishing a Containerfile

Final stage uses a non-root USER
Multi-stage build separates build and runtime (for compiled/built apps)
Base image tag is pinned (no latest)
Base image is minimal (alpine or *-slim)
No secrets or credentials baked into layers
Renovate is configured for automated updates
Image analyzed with Dive to inspect layers
Image scanned with Trivy for CVEs and secrets
SBOM generated with Trivy in CycloneDX format (.cdx.json) and attached to the release

Scanning and tooling

Trivy — vulnerability scan

# Scan a local image
trivy image myapp:latest

# Generate CycloneDX SBOM
trivy image --format cyclonedx --output myapp.cdx.json myapp:latest

Dive — layer inspection

dive myapp:latest

Use Dive to spot unnecessary files, leftover build artifacts, or accidentally included secrets.

Example: complete secure Containerfile (Go application)

# Stage 1: Build
FROM golang:1.22-alpine3.20 AS builder
WORKDIR /app
COPY go.mod go.sum ./
RUN go mod download
COPY . .
RUN CGO_ENABLED=0 go build -o myapp .

# Stage 2: Runtime
FROM alpine:3.20
RUN apk add --no-cache ca-certificates tzdata \
    && adduser -D -u 1001 appuser
WORKDIR /app
COPY --from=builder /app/myapp .
USER appuser
EXPOSE 8080
CMD ["./myapp"]

related-skills.json

mismo repositorio

conventional-commit.md

from "NethServer/agents"

Execute git commit with conventional commit message analysis, intelligent staging, and message generation. Use when user asks to commit changes, create a git commit, or mentions "/commit". Supports: (1) Auto-detecting type and scope from changes, (2) Generating conventional commit messages from diff, (3) Interactive commit with optional type/scope/description overrides, (4) Intelligent file staging for logical grouping

2026-04-281

nethserver-issue.md

from "NethServer/agents"

Write well-structured GitHub issues following NethServer contribution guidelines. Use when the user asks to open an issue, file a bug report, request a feature, or mentions "/issue". Supports: (1) Bug report template with component, reproduction steps, and expected behavior, (2) Feature request template with user value and references, (3) Issue type selection (Bug/Feature/Design/Backend/Frontend/Task/Draft), (4) Label guidance (testing, verified, milestone goal), (5) Security vulnerability reporting rules and correct tracker URLs

2026-04-281

nethserver-pr.md

from "NethServer/agents"

Create and manage pull requests following NethServer contribution conventions. Use when the user asks to open a PR, submit a contribution, or mentions "/pr". Supports: (1) PR title and description structure with a ready-to-use template, (2) Correct issue link format for NethServer/NethVoice and NethSecurity, (3) Reviewer and self-assignee selection, (4) Merge commit conventions with issue references for automation, (5) Draft PR guidance for work-in-progress contributions

2026-04-281

nethserver-release.md

from "NethServer/agents"

Create NethServer module or package releases following semver and project-specific versioning rules. Use when the user asks to release a new version, tag a release, bump a version number, or mentions "/release". Defaults to testing/pre-release unless stable is explicitly requested. Supports: (1) Version increment decision (major/minor/patch), (2) Testing pre-release by default (X.Y.Z-testing.N suffix), (3) Stable release only on explicit user request, (4) NethServer 8/NethVoice via gh ns8-release-module, (5) NethSecurity OpenWrt versioning conventions

2026-04-281

package.json

"author": "NethServer"

"repository": "NethServer/agents"

Abrir repositorio de GitHub Ver repositorios del creador

$ install --global

$ download --local

Ejecutar en Manus

$ useful --forSOC

Desarrolladores de softwareOcupaciones informáticas y matemáticas15-1252L4

name

nethserver-containerfile

description

NethServer Secure Containerfile

Overview

Write and review Containerfiles following NethServer container security best practices. Source: NethServer Development Handbook — Creating Secure Containers

Rules (apply all unless explicitly overridden)

1. Rootless containers

Always run the container as a non-root user. Add a dedicated user at the end of the build stage:

RUN adduser -D -u 1001 appuser
USER appuser

If the upstream image already defines a non-root user (e.g., node, nobody), use it. Only omit this if the software cannot run rootless and you explicitly document why.

2. Multi-stage builds

Separate the build environment from the runtime image to keep the final image small and free of build tools:

# Stage 1: Build
FROM golang:1.22 AS builder
WORKDIR /app
COPY . .
RUN go build -o myapp

# Stage 2: Runtime
FROM alpine:3.20
WORKDIR /app
COPY --from=builder /app/myapp .
USER nobody
CMD ["./myapp"]

Use multi-stage builds for any compiled language (Go, Rust, Java, C/C++) and for Node.js apps that require a build step.

3. Minimal base images

Prefer minimal base images to reduce attack surface:

First choice: alpine:X.Y — smallest, fewest packages
Fallback (MUSL incompatibility): debian:X.Y-slim or ubuntu:X.Y

# Preferred
FROM alpine:3.20

# Fallback when Alpine is not compatible
FROM debian:12-slim

Never use bare distro images (FROM ubuntu, FROM debian) without the slim or minimal variant unless strictly required.

4. Pin image versions — never use `latest`

Always specify the exact version tag:

# Good
FROM alpine:3.20
FROM node:20-alpine3.20

# Bad — never do this
FROM alpine:latest
FROM node

Pinned versions ensure reproducible builds and prevent unexpected breakage from upstream changes.

5. Dependency pinning (optional, project-dependent)

When installing packages, you may pin versions for reproducibility:

# Alpine
RUN apk add --no-cache openssl=3.3.0-r0

# Debian/Ubuntu
RUN apt-get install -y --no-install-recommends openssl=3.0.11-1

Trade-off: strict pinning improves reproducibility but can delay security patches. Use Renovate (see below) to automate updates when pinning is used.

6. Automate dependency updates with Renovate

Add a renovate.json to the repository to keep base image versions and dependencies updated automatically. The NethServer default Renovate config is available at NethServer/.github.

7. No secrets in layers

Never COPY .env files, private keys, or credentials into the image.
Never pass secrets as ARG or ENV variables that end up in the final layer.
Use Docker secrets or environment injection at runtime instead.

Checklist before finishing a Containerfile

Final stage uses a non-root USER
Multi-stage build separates build and runtime (for compiled/built apps)
Base image tag is pinned (no latest)
Base image is minimal (alpine or *-slim)
No secrets or credentials baked into layers
Renovate is configured for automated updates
Image analyzed with Dive to inspect layers
Image scanned with Trivy for CVEs and secrets
SBOM generated with Trivy in CycloneDX format (.cdx.json) and attached to the release

Scanning and tooling

Trivy — vulnerability scan

# Scan a local image
trivy image myapp:latest

# Generate CycloneDX SBOM
trivy image --format cyclonedx --output myapp.cdx.json myapp:latest

Dive — layer inspection

dive myapp:latest

Use Dive to spot unnecessary files, leftover build artifacts, or accidentally included secrets.

Example: complete secure Containerfile (Go application)

# Stage 1: Build
FROM golang:1.22-alpine3.20 AS builder
WORKDIR /app
COPY go.mod go.sum ./
RUN go mod download
COPY . .
RUN CGO_ENABLED=0 go build -o myapp .

# Stage 2: Runtime
FROM alpine:3.20
RUN apk add --no-cache ca-certificates tzdata \
    && adduser -D -u 1001 appuser
WORKDIR /app
COPY --from=builder /app/myapp .
USER appuser
EXPOSE 8080
CMD ["./myapp"]

nethserver-containerfile

NethServer Secure Containerfile

Overview

Rules (apply all unless explicitly overridden)

1. Rootless containers

2. Multi-stage builds

3. Minimal base images

4. Pin image versions — never use latest

5. Dependency pinning (optional, project-dependent)

6. Automate dependency updates with Renovate

7. No secrets in layers

Checklist before finishing a Containerfile

Scanning and tooling

Trivy — vulnerability scan

Dive — layer inspection

Example: complete secure Containerfile (Go application)

Más de este repositorio

Más de este repositorio

NethServer Secure Containerfile

Overview

Rules (apply all unless explicitly overridden)

1. Rootless containers

2. Multi-stage builds

3. Minimal base images

4. Pin image versions — never use latest

5. Dependency pinning (optional, project-dependent)

6. Automate dependency updates with Renovate

7. No secrets in layers

Checklist before finishing a Containerfile

Scanning and tooling

Trivy — vulnerability scan

Dive — layer inspection

Example: complete secure Containerfile (Go application)

4. Pin image versions — never use `latest`

4. Pin image versions — never use `latest`