원클릭으로
sc-docker
Docker-specific security checks — image hardening, secrets in layers, compose security, and runtime configuration
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
메뉴
Docker-specific security checks — image hardening, secrets in layers, compose security, and runtime configuration
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
SOC 직업 분류 기준
Comprehensive AI-powered security scanning suite with 48 skills covering OWASP Top 10, 7 language-specific deep scanners (Go, TypeScript, Python, PHP, Rust, Java, C#), supply chain analysis, infrastructure-as-code scanning, and 3000+ checklist items. Use when you need to run a security audit, find vulnerabilities, scan a PR for security issues, or perform a penetration test on a codebase.
C#/.NET-specific security deep scan
Go-specific security deep scan
Java/Kotlin-specific security deep scan
PHP-specific security deep scan
Python-specific security deep scan
| name | sc-docker |
| description | Docker-specific security checks — image hardening, secrets in layers, compose security, and runtime configuration |
| license | MIT |
| metadata | {"author":"ersinkoc","category":"security","version":"1.0.0"} |
Performs Docker-specific security analysis covering Dockerfile best practices, secrets exposure in image layers, docker-compose security configuration, runtime security settings, and container image hardening. Extends beyond general IaC scanning with deep Docker expertise.
Called by sc-orchestrator during Phase 2 when Dockerfile or docker-compose files are detected.
**/Dockerfile*, **/docker-compose*, **/.dockerignore,
**/docker/*, **/*.dockerfile
1. Running as Root:
Check for missing USER directive after base image.
2. Secrets in Build:
# VULNERABLE: Secret in ENV or ARG
ENV DATABASE_PASSWORD=mysecret
ARG API_KEY=sk_live_abc123
COPY .env /app/.env
# SAFE: Use build secrets (BuildKit)
RUN --mount=type=secret,id=db_password cat /run/secrets/db_password
3. ADD vs COPY:
# RISKY: ADD can auto-extract and fetch URLs
ADD https://example.com/app.tar.gz /app/
ADD . /app/
# SAFE: COPY is explicit
COPY . /app/
4. Missing .dockerignore:
Without .dockerignore, sensitive files get copied into the image:
.env, .git/, node_modules/, *.pem, *.key
5. Unverified Base Image:
# RISKY: Unverified image
FROM someuser/myimage:latest
# SAFE: Official image with digest
FROM node:18-alpine@sha256:abc123...
# VULNERABLE patterns
services:
app:
privileged: true # Full host access
network_mode: host # Shares host network
pid: host # Shares host PID namespace
volumes:
- /:/host # Mounts host root
cap_add:
- ALL # All capabilities
env_file:
- .env # Secrets in env file (check .gitignore)
# SAFE patterns
services:
app:
read_only: true
security_opt:
- no-new-privileges:true
cap_drop:
- ALL
cap_add:
- NET_BIND_SERVICE # Only what's needed
tmpfs:
- /tmp