| name | docker-hardening |
| description | Reviews Dockerfiles and container configuration for security, reproducibility, image size, runtime permissions, and deployment reliability. |
Docker Hardening
Use this skill when reviewing or improving Dockerfiles, Compose files, container runtime flags, or image build workflows.
Inputs
- Dockerfile, compose file, build logs, image metadata, deployment environment, and application runtime requirements
Steps
- Review base image choice, version pinning, architecture, and maintenance status.
- Check build reproducibility: pinned dependencies, deterministic package install, cache hygiene, and lockfile use.
- Reduce image size where it also improves reliability or security: multi-stage builds, minimal runtime dependencies, and cleaned package caches.
- Review runtime security: non-root user, file permissions, capabilities, read-only filesystem, secrets handling, exposed ports, and health checks.
- Check supply-chain risk: curl-pipe-shell, unsigned downloads, mutable tags, and unverified artifacts.
- Validate operational readiness: signals, graceful shutdown, logging, startup command, environment variables, and resource expectations.
Output
Return:
- Container risk summary
- Recommended Dockerfile/config changes
- Security hardening checklist
- Reproducibility and size notes
- Validation commands such as build, run, scan, or smoke test
Guidelines
- Do not optimize image size at the expense of clarity or correctness.
- Prefer pinned, maintained base images.
- Keep production runtime separate from build tooling when practical.