# Dockerfile Hardening Audit

Use this skill to statically audit Dockerfiles before insecure container defaults land in production.

## What this skill does

- Scans Dockerfiles and scores hardening risk per file
- Flags missing non-root `USER` declarations
- Flags base images using floating tags (`:latest`, `:main`, `:master`, `:edge`) or no tag/digest
- Flags missing `HEALTHCHECK`
- Flags `ADD` instructions (when `COPY` is safer/clearer)
- Flags `curl|bash` / `wget|sh` style remote script execution
- Supports include/exclude regex filters and fail-gate mode

## Inputs

Optional:

- `DOCKERFILE_GLOB` (default: `**/Dockerfile*`)
- `TOP_N` (default: `20`)
- `OUTPUT_FORMAT` (`text` or `json`, default: `text`)
- `WARN_SCORE` (default: `3`)
- `CRITICAL_SCORE` (default: `6`)
- `REQUIRE_NONROOT_USER` (`0`/`1`, default: `1`)
- `REQUIRE_HEALTHCHECK` (`0`/`1`, default: `1`)
- `FLAG_FLOATING_TAGS` (`0`/`1`, default: `1`)
- `FLAG_UNPINNED_IMAGES` (`0`/`1`, default: `1`)
- `FLAG_ADD_INSTRUCTIONS` (`0`/`1`, default: `1`)
- `FLAG_REMOTE_SCRIPT_PIPE` (`0`/`1`, default: `1`)
- `FILE_MATCH` (regex include filter on Dockerfile path, optional)
- `FILE_EXCLUDE` (regex exclude filter on Dockerfile path, optional)
- `FAIL_ON_CRITICAL` (`0` or `1`, default: `0`)

## Run

Text report:

```bash
DOCKERFILE_GLOB=**/Dockerfile* \
bash skills/dockerfile-hardening-audit/scripts/dockerfile-hardening-audit.sh
```

JSON output + fail gate:

```bash
DOCKERFILE_GLOB=**/Dockerfile* \
OUTPUT_FORMAT=json \
FAIL_ON_CRITICAL=1 \
bash skills/dockerfile-hardening-audit/scripts/dockerfile-hardening-audit.sh
```

Run against bundled fixtures:

```bash
DOCKERFILE_GLOB=skills/dockerfile-hardening-audit/fixtures/Dockerfile \
bash skills/dockerfile-hardening-audit/scripts/dockerfile-hardening-audit.sh
```

## Output contract

- Exit `0` in report mode (default)
- Exit `1` when `FAIL_ON_CRITICAL=1` and one or more Dockerfiles are critical
- Text mode prints summary + ranked Dockerfile risks
- JSON mode prints summary + ranked Dockerfiles + critical Dockerfiles
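To make the checks above concrete, here is an added example auditor, written for this page and not the skill's own script (whose source is not shown here). It applies the same five checks to two constructed Dockerfiles, a weak one and its hardened rewrite, scores each file, ranks them, and classifies the score against the README's default `WARN_SCORE`/`CRITICAL_SCORE` thresholds. The point weights, the finding codes, the sample files and the placeholder digest are assumptions; the real script's scoring is not documented on this page.

```shell
#!/usr/bin/env bash
# Added example, not the skill's own script: a minimal static Dockerfile
# auditor applying the checks listed in this README. Point weights, finding
# codes and the two sample Dockerfiles are constructed for illustration.

WARN_SCORE="${WARN_SCORE:-3}"            # same defaults as the README
CRITICAL_SCORE="${CRITICAL_SCORE:-6}"

# Join backslash-continued lines and drop comments and blank lines so every
# instruction is inspected as one logical line.
normalize_dockerfile() {
    awk '
        /^[[:space:]]*#/ { next }
        /\\[[:space:]]*$/ { sub(/\\[[:space:]]*$/, ""); buf = buf $0; next }
        { line = buf $0; buf = ""; if (line ~ /[^[:space:]]/) print line }
        END { if (buf != "") print buf }
    ' "$1"
}

# Print one finding per line as "<points> <CODE> <detail>"; nothing for a clean file.
audit_dockerfile() {
    file="$1"; last_user=""; has_healthcheck=0; stages=""
    tmp="$(mktemp)"
    normalize_dockerfile "$file" > "$tmp"
    while read -r instr rest; do
        instr="$(printf '%s' "$instr" | tr '[:lower:]' '[:upper:]')"
        case "$instr" in
        FROM)
            set -- $rest
            while [ $# -gt 0 ] && [ "${1#--}" != "$1" ]; do shift; done  # skip --platform=...
            image="${1:-}"
            case "${2:-}" in [Aa][Ss]) stages="$stages ${3:-}";; esac  # FROM x AS name
            case " $stages " in *" $image "*) continue;; esac           # earlier build stage
            if [ -z "$image" ] || [ "$image" = scratch ]; then continue; fi
            if [ "${image#*@sha256:}" != "$image" ]; then continue; fi  # digest-pinned
            name="${image##*/}"                                          # drop registry/namespace
            case "$name" in
            *:*) case "${name##*:}" in
                 latest|main|master|edge) echo "2 FLOATING_TAG $image";;
                 esac;;
            *)   echo "2 UNPINNED_IMAGE $image";;
            esac;;
        USER) set -- $rest; last_user="${1:-}";;
        HEALTHCHECK) case "$rest" in [Nn][Oo][Nn][Ee]*) ;; *) has_healthcheck=1;; esac;;
        ADD) echo "1 ADD_INSTRUCTION $rest";;
        RUN)
            # curl/wget output piped straight into a shell
            if printf '%s' "$rest" | grep -Eq '(curl|wget)[^|]*[|][[:space:]]*(sudo[[:space:]]+)?(ba|z)?sh([[:space:]]|$)'; then
                echo "3 REMOTE_SCRIPT_PIPE $rest"
            fi;;
        esac
    done < "$tmp"
    rm -f "$tmp"
    case "$last_user" in
    ""|root|0|root:*|0:*) echo "3 NO_NONROOT_USER effective USER is '${last_user:-unset}'";;
    esac
    [ "$has_healthcheck" -eq 1 ] || echo "1 NO_HEALTHCHECK"
}

dockerfile_score() { audit_dockerfile "$1" | awk '{ s += $1 } END { print s + 0 }'; }

classify_score() {
    if [ "$1" -ge "$CRITICAL_SCORE" ]; then echo critical
    elif [ "$1" -ge "$WARN_SCORE" ]; then echo warn
    else echo ok; fi
}

# Ranked report (highest score first), like the README's text mode.
report() {
    for f in "$@"; do
        s="$(dockerfile_score "$f")"
        printf '%s\t%s\t%s\n' "$s" "$(classify_score "$s")" "$f"
    done | sort -rn
}

# Constructed samples: every check fires on the weak file; the hardened one is clean.
SAMPLE_DIR="$(mktemp -d)"; trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/Dockerfile.weak" <<'EOF'
FROM node:latest
ADD app.tar.gz /app
RUN curl -fsSL https://example.invalid/install.sh | bash
CMD ["node", "/app/server.js"]
EOF
cat > "$SAMPLE_DIR/Dockerfile.hardened" <<'EOF'
# digest below is a placeholder, not a real image digest
FROM node:20-bookworm-slim@sha256:0000000000000000000000000000000000000000000000000000000000000000 AS build
COPY app.tar.gz /tmp/app.tar.gz
RUN mkdir -p /app \
    && tar -xzf /tmp/app.tar.gz -C /app
FROM node:20-bookworm-slim@sha256:0000000000000000000000000000000000000000000000000000000000000000
COPY --from=build /app /app
HEALTHCHECK --interval=30s CMD node /app/healthcheck.js
USER node
CMD ["node", "/app/server.js"]
EOF

report "$SAMPLE_DIR/Dockerfile.weak" "$SAMPLE_DIR/Dockerfile.hardened"
audit_dockerfile "$SAMPLE_DIR/Dockerfile.weak" | sed 's/^/  weak: /'
# Fail gate as in the README: non-zero exit only when FAIL_ON_CRITICAL=1.
if [ "${FAIL_ON_CRITICAL:-0}" = 1 ] && report "$SAMPLE_DIR"/Dockerfile.* | grep -q critical; then exit 1; fi
```

The weak file scores 10 under these weights (floating tag 2, `ADD` 1, remote script pipe 3, no non-root `USER` 3, no `HEALTHCHECK` 1) and lands in the critical band; the hardened rewrite scores 0. Two details worth keeping in any real implementation: `FROM` lines that name an earlier build stage are not external images and must not be counted as unpinned, and `HEALTHCHECK NONE` explicitly disables the check, so it should count as missing rather than present.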