一键导入
container-scan
Dockerfile security review. Checks for running as root, leaked secrets in build layers, insecure base images, and missing best practices.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Dockerfile security review. Checks for running as root, leaked secrets in build layers, insecure base images, and missing best practices.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
Translate natural language image descriptions into detailed, structured DALL-E prompts with subject, style, composition, lighting, and mood specifications.
Decompose mathematical problems into sub-expressions, evaluate each one with the calculator tool, and present the full working chain. Handles arithmetic, trigonometry, logarithms, and financial formulas.
Compare two or more PDF documents by extracting targeted sections, building a structured comparison matrix, and highlighting differences with page references.
Extract structured data from web pages using browser snapshot and text tools, then process it into tables, comparisons, or summaries using Python.
Analyze endpoint latency trends using historical check data from memory. Detects slow degradation, spikes vs sustained issues, and calculates baseline deviations.
Validate API response structure and content. Detects schema drift, unexpected null values, and abnormal response sizes.
| name | container-scan |
| description | Dockerfile security review. Checks for running as root, leaked secrets in build layers, insecure base images, and missing best practices. |
Dockerfile security review skill. No external tools needed -- this is pure code review of Dockerfile content.
Use this skill when the repository contains Dockerfile or docker-compose.yaml files.
Read each Dockerfile with read_file. Analyze line by line for the following checks.
USER instruction means the container runs as rootUSER root without switching to a non-root user laterFROM using :latest tag or no tag at allENV or ARG instructions with password, secret, key, or token
values baked into the imageCOPY .env or COPY of credential files into the imageADD from remote URLs (use COPY + curl instead for
transparency and caching)ADD of archives without needing extraction (use COPY)HEALTHCHECK instruction in the final stageapt-get install without --no-install-recommendsrm -rf /var/lib/apt/lists/* cleanup in the same layerUSER instruction (runs as root by default)ENV or ARG instructionsCOPY .env or COPY of known credential filesADD from remote URLsscratch or distroless base images (no USER needed, no shell)HEALTHCHECK absence in builder stages (only matters in final stage)