dockerfile-validator
Validate, lint, audit, or scan a Dockerfile for security and best practices.
| Field | Value |
|---|---|
| name | dockerfile-validator |
| description | Validate, lint, audit, or scan a Dockerfile for security and best practices. |
Validate Dockerfiles with deterministic stages, clear severity reporting, and explicit fallbacks when tools or network access are constrained.
Use this skill when the user asks to validate, lint, audit, or scan a Dockerfile for security and best practices. Do not use it to generate a new Dockerfile; that is the job of the dockerfile-generator skill.

Bundled files:
- scripts/dockerfile-validate.sh
- references/security_checklist.md
- references/optimization_guide.md
- references/docker_best_practices.md
- examples/*.Dockerfile

Run these steps in order. Do not skip steps unless a documented fallback branch applies.
Assume the repo root is the working directory:

```bash
cd /path/to/repo
SKILL_DIR="devops-skills-plugin/skills/dockerfile-validator"
TARGET_DOCKERFILE="Dockerfile"   # replace when the user provides a path
```
Validate inputs before running tools:

```bash
test -f "$SKILL_DIR/scripts/dockerfile-validate.sh"
test -f "$TARGET_DOCKERFILE"
```

If either check fails, stop and report the exact missing path.
Use explicit file-read commands (not abstract "Read tool" wording):

```bash
sed -n '1,220p' "$TARGET_DOCKERFILE"
```

If needed for long files:

```bash
sed -n '220,440p' "$TARGET_DOCKERFILE"
```
Primary command:

```bash
bash "$SKILL_DIR/scripts/dockerfile-validate.sh" "$TARGET_DOCKERFILE"
```

Optional captured run for structured reporting:

```bash
bash "$SKILL_DIR/scripts/dockerfile-validate.sh" "$TARGET_DOCKERFILE" | tee /tmp/dockerfile-validator.out
```
Use this standard severity model:
- Critical
- High (for example, running as root because there is no USER)
- Medium: :latest image tags, missing pinning, cache-cleanup misses
- Low
If validation has no actionable findings, take the fast path. Use the fast path only when all of the following are true:
Only read references that match actual findings. Read each required file once.
Issue-to-reference mapping:
| Issue category | Trigger examples | Read this file |
|---|---|---|
| Secrets, root user, exposed sensitive ports, hardening gaps | CKV_DOCKER_*, hardcoded token/password, root runtime | references/security_checklist.md |
| Image size, layer count, multi-stage opportunities, cache efficiency, .dockerignore gaps | too many RUN, single-stage with build deps, cache misses | references/optimization_guide.md |
| Tag pinning, instruction usage, COPY vs ADD, WORKDIR/CMD/ENTRYPOINT conventions | :latest, unpinned packages, instruction-level best practices | references/docker_best_practices.md |
Explicit read commands:

```bash
sed -n '1,220p' "$SKILL_DIR/references/security_checklist.md"
sed -n '1,220p' "$SKILL_DIR/references/optimization_guide.md"
sed -n '1,220p' "$SKILL_DIR/references/docker_best_practices.md"
```

For targeted extraction:

```bash
rg -n "USER|secrets|EXPOSE|HEALTHCHECK" "$SKILL_DIR/references/security_checklist.md"
rg -n "multi-stage|cache|layer|dockerignore" "$SKILL_DIR/references/optimization_guide.md"
rg -n "FROM|COPY|ADD|WORKDIR|CMD|ENTRYPOINT|latest" "$SKILL_DIR/references/docker_best_practices.md"
```
Use this template for every non-fast-path run:

```markdown
## Dockerfile Validation Report
- Target: <path>
- Command: `bash <skill-script> <target>`
- Overall result: PASS | FAIL | PARTIAL (fallback)

### Critical
- <issue or `None`>

### High
- <issue or `None`>

### Medium
- <issue or `None`>

### Low
- <issue or `None`>

### Recommended Fixes
- <specific code-level fix per actionable issue>

### References Used
- <list only files actually read>

### Fallbacks Used
- `None` or exact fallback branch + reason
```
After reporting:
When the primary script cannot complete, use deterministic fallback branches and report them.

Fallback A
Condition: the primary script is unavailable or fails to complete.
Action:

1. Basic syntax signal (if Docker is available). This is a real build, not a parse: it executes RUN steps and may pull images over the network.

```bash
DOCKERFILE_DIR="$(dirname "$TARGET_DOCKERFILE")"
docker build --no-cache -f "$TARGET_DOCKERFILE" "$DOCKERFILE_DIR"
```

2. High-value static checks. Each grep prints the matching lines or nothing; `|| true` keeps a no-match exit status from aborting the run.

```bash
# explicit :latest only; a FROM with no tag at all is also implicit :latest
grep -nEi "^[[:space:]]*FROM[[:space:]]+.*:latest" "$TARGET_DOCKERFILE" || true
# secret-looking names assigned a value at build time
grep -nEi "^[[:space:]]*(ENV|ARG)[[:space:]].*(password|secret|token|api[_-]?key)[[:space:]]*=" "$TARGET_DOCKERFILE" || true
# explicit root user; a Dockerfile with no USER instruction at all also runs as root
grep -nEi "^[[:space:]]*USER[[:space:]]+(root|0(:0)?)$" "$TARGET_DOCKERFILE" || true
# presence check: no output here means the image has no HEALTHCHECK
grep -nEi "^[[:space:]]*HEALTHCHECK[[:space:]]+" "$TARGET_DOCKERFILE" || true
```

If step 1 cannot run, report a PARTIAL result and clearly label the skipped checks.

Fallback B
Condition: hadolint is not installed locally but Docker is available.
Action: use the hadolint container image (in CI, pin a version tag rather than relying on the implicit :latest):

```bash
docker run --rm -i hadolint/hadolint < "$TARGET_DOCKERFILE"
```

Fallback C
Condition: neither the primary script nor hadolint can run.
Action: run only the manual regex-based checks (Fallback A step 2), clearly mark the result as PARTIAL, and state which scanners were skipped.
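The fallback checks above, carried through as one offline checker. This is an added example, not the skill's scripts/dockerfile-validate.sh and not taken from its examples/ directory. It generalizes Fallback A step 2: backslash-continued lines are joined so a multi-line RUN is inspected whole, an untagged FROM is treated as implicit :latest, a Dockerfile with no USER counts as running as root, and a multi-stage build is judged on its final stage. The two sample Dockerfiles are constructed for the demo, the API_KEY value is a placeholder, and every severity except the page's Medium examples (:latest, cache-cleanup misses) is this example's assumption.

```bash
#!/usr/bin/env bash
# Added example, not the skill's scripts/dockerfile-validate.sh: the manual fallback checks as
# one offline checker. Medium severities follow the page's model; the other severities are assumptions.

# Join "\"-continued lines so a multi-line RUN is checked as one instruction; keep its starting line number.
join_continuations() {
  awk '{ start = NR; line = $0
         while (sub(/\\[[:space:]]*$/, "", line) && (getline nxt) > 0) line = line " " nxt
         printf "%d\t%s\n", start, line }' "$1"
}
# One finding per line: SEVERITY|LINE|message
finding() { printf '%s|%s|%s\n' "$1" "$2" "$3"; }

check_dockerfile() {
  local file=$1 n line instr rest ref name known s last_user="" has_health=0
  local -a stages=() toks=()
  while IFS=$'\t' read -r n line; do
    if [[ $line =~ ^[[:space:]]*(#|$) ]]; then continue; fi
    read -r -a toks <<<"$line"
    instr=${toks[0]^^}; rest="${toks[*]:1}"; ref=""
    for s in "${toks[@]:1}"; do if [[ $s != --* ]]; then ref=$s; break; fi; done   # first non-flag argument
    case $instr in
      FROM)
        last_user=""; has_health=0; known=0   # only the final stage's USER/HEALTHCHECK reach the runtime image
        for s in "${stages[@]}"; do if [[ $s == "${ref,,}" ]]; then known=1; fi; done
        if [[ ${rest,,} =~ [[:space:]]as[[:space:]]+([^[:space:]]+) ]]; then stages+=("${BASH_REMATCH[1]}"); fi
        if [[ $known == 0 && $ref != scratch && $ref != *'$'* && $ref != *@sha256:* ]]; then
          name=${ref##*/}   # drop registry/path so registry:port is not mistaken for a tag
          if [[ $name != *:* ]]; then
            finding MEDIUM "$n" "base image '$ref' has no tag (implicit :latest); pin a tag or digest"
          elif [[ $name == *:latest ]]; then
            finding MEDIUM "$n" "base image '$ref' uses :latest; pin a tag or digest"
          fi
        fi ;;
      ENV|ARG)   # name-based heuristic: review each hit by hand
        if [[ ${rest,,} =~ (password|passwd|secret|token|api[_-]?key)[a-z0-9_]*[[:space:]]*=[[:space:]]*[^[:space:]] ]]; then
          finding CRITICAL "$n" "$instr bakes a secret-looking value into the image; use a build secret mount or runtime injection"
        fi ;;
      USER) last_user=$ref ;;
      HEALTHCHECK) has_health=1 ;;
      EXPOSE)
        if [[ " $rest " =~ [[:space:]]22(/tcp)?[[:space:]] ]]; then
          finding HIGH "$n" "EXPOSE 22: an SSH daemon in the container widens the attack surface; use docker exec"
        fi ;;
      ADD)   # ADD is justified for tar auto-extraction and URLs; COPY otherwise
        case $ref in
          http://*|https://*|*.tar|*.tar.*|*.tgz) ;;
          *) finding LOW "$n" "ADD used for a plain local path; prefer COPY" ;;
        esac ;;
      RUN)
        if [[ $rest == *"apt-get install"* && $rest != *"/var/lib/apt/lists"* ]]; then
          finding MEDIUM "$n" "apt-get install without 'rm -rf /var/lib/apt/lists/*' leaves the package index in the layer"
        fi
        if [[ $rest == *"apk add"* && $rest != *"--no-cache"* ]]; then
          finding MEDIUM "$n" "apk add without --no-cache leaves the index cache in the layer"
        fi ;;
    esac
  done < <(join_continuations "$file")
  if [[ -z $last_user ]]; then
    finding HIGH - "no USER in the final stage; the container runs as root"
  elif [[ $last_user =~ ^(root|0)(:.*)?$ ]]; then
    finding HIGH - "final USER is '$last_user'; switch to an unprivileged user"
  fi
  if [[ $has_health == 0 ]]; then finding LOW - "no HEALTHCHECK; a hung process goes unnoticed"; fi
  return 0
}
# Findings at one severity, usable as a CI gate
count_findings() { check_dockerfile "$1" | grep -c "^$2|" || true; }

# Constructed sample Dockerfiles for the demo (not taken from the skill's examples/ directory)
BAD_FILE=$(mktemp); GOOD_FILE=$(mktemp); trap 'rm -f "$BAD_FILE" "$GOOD_FILE"' EXIT
cat >"$BAD_FILE" <<'EOF'
FROM python
ARG API_KEY=constructed-placeholder-not-a-real-key
ADD . /app
RUN apt-get update && \
    apt-get install -y curl
EXPOSE 22
USER root
CMD ["python", "/app/main.py"]
EOF
cat >"$GOOD_FILE" <<'EOF'
FROM python:3.12-slim AS build
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt

FROM python:3.12-slim
COPY --from=build /usr/local/lib/python3.12/site-packages /usr/local/lib/python3.12/site-packages
COPY . /app
RUN apt-get update && apt-get install -y --no-install-recommends curl \
    && rm -rf /var/lib/apt/lists/* && useradd --system app
USER app
HEALTHCHECK CMD ["python", "-c", "import sys; sys.exit(0)"]
CMD ["python", "/app/main.py"]
EOF
for f in "$BAD_FILE" "$GOOD_FILE"; do echo "== $f"; check_dockerfile "$f"; done
```

Output is one `SEVERITY|LINE|message` per finding, so it drops straight into the report template's severity sections, and `count_findings FILE HIGH` gives a number a CI job can gate on. Where a Docker with BuildKit 0.15 or newer is available, `docker build --check` (a lint pass that does not execute the build) is a lighter-weight syntax signal than the `docker build --no-cache` in Fallback A step 1.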
```bash
# validate the default Dockerfile at the repo root
cd /path/to/repo
bash devops-skills-plugin/skills/dockerfile-validator/scripts/dockerfile-validate.sh Dockerfile

# validate a Dockerfile at another path
cd /path/to/repo
bash devops-skills-plugin/skills/dockerfile-validator/scripts/dockerfile-validate.sh Dockerfile.prod

# run the bundled examples from the skill directory
cd /path/to/repo/devops-skills-plugin/skills/dockerfile-validator
bash scripts/dockerfile-validate.sh examples/good-example.Dockerfile
bash scripts/dockerfile-validate.sh examples/security-issues.Dockerfile

# run the skill's own test suite
cd /path/to/repo
bash devops-skills-plugin/skills/dockerfile-validator/scripts/test_validate.sh
```

Optional strict mode for CI environments that must enforce ShellCheck:

```bash
STRICT_SHELLCHECK=true bash devops-skills-plugin/skills/dockerfile-validator/scripts/test_validate.sh
```
Consider this skill execution complete only when all conditions below are satisfied:
- Findings are reported under the standard severity model (Critical, High, Medium, Low).

Files in this skill:
- scripts/dockerfile-validate.sh
- scripts/test_validate.sh
- references/security_checklist.md
- references/optimization_guide.md
- references/docker_best_practices.md
- examples/good-example.Dockerfile, examples/bad-example.Dockerfile, examples/security-issues.Dockerfile, examples/python-optimized.Dockerfile, examples/golang-distroless.Dockerfile