Run any Skill in Manus with one click

docker-security

Container hardening, image security, and Docker best practices. Use when building, scanning, or securing containers and images.

Run Skill in Manus

Overview

Container hardening, image security, and Docker best practices. Use when building, scanning, or securing containers and images.

Install command

npx skills add https://github.com/SutanuNandigrami/claude-titan-setup --skill docker-security

Copy and paste this command into Claude Code to install the skill

Source

SutanuNandigrami/claude-titan-setup

Stars9

Forks2

UpdatedMarch 19, 2026 at 11:44

SKILL.md

readonly

name	docker-security
description	Container hardening, image security, and Docker best practices. Use when building, scanning, or securing containers and images.
paths	*/Dockerfile,*/docker-compose,/.dockerignore,/docker-compose.yml,/docker-compose.yaml,/docker-bake*

Docker Security

Image Build Security

Lint before build: hadolint Dockerfile
Scan immediately: trivy image <org>/<app>:<tag> — catch CVEs before registry push
Generate SBOM: syft <org>/<app>:<tag> -o spdx-json > sbom.spdx.json
Check layers: dive <org>/<app>:<tag> — identify bloat, leaked files

Image Hardening Checklist

Base image: Use distroless or Chainguard — gcr.io/distroless/base:nonroot or cgr.io/chainguard/base:latest
No root: RUN useradd -m -u 1000 app && chown -R app:app /app → USER app
Read-only FS: docker run --read-only --tmpfs /tmp --tmpfs /run <image>
Drop caps: docker run --cap-drop=ALL --cap-add=NET_BIND_SERVICE <image>
No secrets in layers: Use RUN --mount=type=secret (Docker 18.04+)

Docker Compose Security

services:
  app:
    image: <image>:<pinned-tag>   # Never use latest in prod
    user: "1000:1000"
    read_only: true
    cap_drop: [ALL]
    cap_add: [NET_BIND_SERVICE]
    tmpfs: [/tmp, /run]
    security_opt:
      - no-new-privileges:true
    networks:
      - internal

networks:
  internal:
    driver: bridge
    driver_opts:
      com.docker.network.bridge.enable_icc: "false"  # Block inter-container comms

Secret Scanning

trivy image --scan-secrets <org>/<app>:<tag>   # Leaked secrets in layers
grype <org>/<app>:<tag>                        # CVE + secret detection
gitleaks detect .                              # Pre-push secret scan

Registry Hardening

cosign sign <image>:<tag>                         # Sign (requires COSIGN_KEY env)
cosign verify --key cosign.pub <image>:<tag>      # Verify on pull
trivy image --severity HIGH,CRITICAL --exit-code 1 <image>:<tag>  # Gate in CI
crane manifest <image>:<tag> | jq .               # Inspect remote manifest
cosign tree <image>:<tag>                         # Check provenance + attestations

Runtime Security

docker run --security-opt apparmor=docker-default <image>   # AppArmor profile
docker run -m 512m --cpus=1 <image>                          # Limit resources (DoS protection)
docker run -v /data:/data:ro <image>                         # Read-only volume mounts
docker run --security-opt no-new-privileges:true <image>     # Block privilege escalation
# Verify storage driver: docker info | grep "Storage Driver" (should be overlay2)

Multi-Stage Build (Minimal Attack Surface)

# Stage 1: Build
FROM golang:1.21 AS builder
WORKDIR /app
COPY . .
RUN go build -o myapp .

# Stage 2: Runtime (distroless — no shell, no package manager)
FROM gcr.io/distroless/base:nonroot
COPY --from=builder /app/myapp /myapp
USER nonroot
ENTRYPOINT ["/myapp"]

Rules

NEVER pin latest tag in deployments — use commit SHA or semver
NEVER copy entire filesystem — COPY selectively + maintain .dockerignore
NEVER log secrets to stdout/stderr (ends up in container logs)
ALWAYS group apt-get install && apt-get clean in single RUN layer
ALWAYS use multi-stage builds to minimize final image size
ALWAYS scan images in CI before push (trivy --exit-code 1 on CRITICAL)
NEVER run containers with --privileged unless absolutely necessary

More from this repository

same repository

cli-tools

SutanuNandigrami/claude-titan-setup

Reference for 100+ installed CLI tools. Use when working with any CLI tool, searching files, processing data, managing containers, infrastructure, security scanning, or system monitoring.

2026-03-229

security-scan

SutanuNandigrami/claude-titan-setup

Security scanning and vulnerability assessment workflows. Use when performing security audits, scanning for vulnerabilities, checking dependencies, or hardening systems.

2026-03-229

add-cli-tool

SutanuNandigrami/claude-titan-setup

Add a new CLI tool to the titan setup and make it usable immediately. Use when installing a new CLI tool, registering a tool in the setup script, updating the tool inventory, or when the user says "add tool", "new CLI tool", "register tool", "install X to titan". Also triggers on "I installed X", "add X to the setup", or any request to add a CLI tool to the workstation.

2026-03-199

git-workflow

SutanuNandigrami/claude-titan-setup

Git branching, commit, and PR conventions. Use when creating branches, making commits, or opening PRs.

2026-03-199

infra-deploy

SutanuNandigrami/claude-titan-setup

Infrastructure as Code workflows with Terraform, Ansible, Docker, and Kubernetes. Use when provisioning, configuring, deploying, or managing infrastructure.

2026-03-199

notebooklm-skills

SutanuNandigrami/claude-titan-setup

Transform files and folders into learning materials using NotebookLM. Actions: transform, convert, generate, create from files. Outputs: audio podcast, video explainer, slide deck, study guide, quiz, flashcards, infographic, mind map, briefing doc, report. Sources: PDF, text files, URLs, folders, subfolders. Features: batch processing, watermark removal, progress tracking, configurable granularity.

2026-03-199

Source

SutanuNandigrami

SutanuNandigrami/claude-titan-setup

View GitHub Repository View Creator Repositories

Install command

Download

Run Skill in Manus

Useful forSOC

Network and Computer Systems AdministratorsComputer and Mathematical Occupations15-1244L4

name	docker-security
description	Container hardening, image security, and Docker best practices. Use when building, scanning, or securing containers and images.
paths	*/Dockerfile,*/docker-compose,/.dockerignore,/docker-compose.yml,/docker-compose.yaml,/docker-bake*

Docker Security

Image Build Security

Lint before build: hadolint Dockerfile
Scan immediately: trivy image <org>/<app>:<tag> — catch CVEs before registry push
Generate SBOM: syft <org>/<app>:<tag> -o spdx-json > sbom.spdx.json
Check layers: dive <org>/<app>:<tag> — identify bloat, leaked files

Image Hardening Checklist

Base image: Use distroless or Chainguard — gcr.io/distroless/base:nonroot or cgr.io/chainguard/base:latest
No root: RUN useradd -m -u 1000 app && chown -R app:app /app → USER app
Read-only FS: docker run --read-only --tmpfs /tmp --tmpfs /run <image>
Drop caps: docker run --cap-drop=ALL --cap-add=NET_BIND_SERVICE <image>
No secrets in layers: Use RUN --mount=type=secret (Docker 18.04+)

Docker Compose Security

services:
  app:
    image: <image>:<pinned-tag>   # Never use latest in prod
    user: "1000:1000"
    read_only: true
    cap_drop: [ALL]
    cap_add: [NET_BIND_SERVICE]
    tmpfs: [/tmp, /run]
    security_opt:
      - no-new-privileges:true
    networks:
      - internal

networks:
  internal:
    driver: bridge
    driver_opts:
      com.docker.network.bridge.enable_icc: "false"  # Block inter-container comms

Secret Scanning

trivy image --scan-secrets <org>/<app>:<tag>   # Leaked secrets in layers
grype <org>/<app>:<tag>                        # CVE + secret detection
gitleaks detect .                              # Pre-push secret scan

Registry Hardening

cosign sign <image>:<tag>                         # Sign (requires COSIGN_KEY env)
cosign verify --key cosign.pub <image>:<tag>      # Verify on pull
trivy image --severity HIGH,CRITICAL --exit-code 1 <image>:<tag>  # Gate in CI
crane manifest <image>:<tag> | jq .               # Inspect remote manifest
cosign tree <image>:<tag>                         # Check provenance + attestations

Runtime Security

docker run --security-opt apparmor=docker-default <image>   # AppArmor profile
docker run -m 512m --cpus=1 <image>                          # Limit resources (DoS protection)
docker run -v /data:/data:ro <image>                         # Read-only volume mounts
docker run --security-opt no-new-privileges:true <image>     # Block privilege escalation
# Verify storage driver: docker info | grep "Storage Driver" (should be overlay2)

Multi-Stage Build (Minimal Attack Surface)

# Stage 1: Build
FROM golang:1.21 AS builder
WORKDIR /app
COPY . .
RUN go build -o myapp .

# Stage 2: Runtime (distroless — no shell, no package manager)
FROM gcr.io/distroless/base:nonroot
COPY --from=builder /app/myapp /myapp
USER nonroot
ENTRYPOINT ["/myapp"]

Rules

NEVER pin latest tag in deployments — use commit SHA or semver
NEVER copy entire filesystem — COPY selectively + maintain .dockerignore
NEVER log secrets to stdout/stderr (ends up in container logs)
ALWAYS group apt-get install && apt-get clean in single RUN layer
ALWAYS use multi-stage builds to minimize final image size
ALWAYS scan images in CI before push (trivy --exit-code 1 on CRITICAL)
NEVER run containers with --privileged unless absolutely necessary