abzhaw/docker-security
meta/agents/security-agent/skills/07-docker-security/SKILL.md
Audit Docker containers for security misconfigurations, exposed ports, and resource abuse
testing
Updated Mar 27, 2026
$ install --global
skillsauthnpx skillsauth add abzhaw/juliaz_agents docker-securityInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Mar 30, 2026, 12:36 PM59.0s1 file scanned
SKILL.md
- name:
- docker-security
- description:
- Audit Docker containers for security misconfigurations, exposed ports, and resource abuse
Skill: Docker Security Audit
Purpose
Docker containers add a layer of security but also a layer of risk. Misconfigured containers can expose databases, run as root, or allow container escape. This skill checks all of that.
What It Checks
Container Configuration
- Containers running as root (should specify non-root user)
- Containers with
--privilegedflag (full host access) - Mounts of sensitive host directories (
/etc,/home,/var) - Environment variables with secrets baked into the image
Port Exposure
- Ports published to
0.0.0.0(all interfaces) vs.127.0.0.1(localhost) - PostgreSQL port
5432— must NEVER be published outside localhost
Resource Limits
- Containers without memory limits (can starve the host)
- Containers without CPU limits
Image Security
- Images not updated in >30 days
- Images pulled from unverified registries (not docker.io or ghcr.io)
Commands
# Container status and ports
docker ps --format "table {{.Names}}\t{{.Status}}\t{{.Ports}}" 2>/dev/null
# Check for root user
docker inspect $(docker ps -q) 2>/dev/null \
| python3 -c "
import json, sys
containers = json.load(sys.stdin)
for c in containers:
name = c['Name']
user = c['Config'].get('User', 'root (default)')
mounts = [m['Source'] for m in c.get('Mounts', [])]
print(f'{name}: user={user}, mounts={mounts}')
"
# Check for privileged containers
docker inspect $(docker ps -q) 2>/dev/null | grep -i privileged
Severity Rules
| Finding | Severity |
|---------|----------|
| --privileged container | 🔴 Critical |
| DB port exposed to 0.0.0.0 | 🔴 Critical |
| Container running as root | 🟠 High |
| Sensitive host mount | 🟠 High |
| No memory limit | 🟡 Medium |
| Image >30 days old | 🟢 Low |
Output Format
DOCKER SECURITY
postgres: ✅ localhost only, no privileged
api: ⚠️ running as root — add USER directive to Dockerfile
🔴 port 5432 exposed on 0.0.0.0 (should be 127.0.0.1 only)
Related Skills
abzhaw/thesis-tracker
development
VerifiedTrustedCommunity
Fortschrittsverfolgung der Masterarbeit. Wortanzahl pro Kapitel, Fertigstellungsgrad, fehlende Elemente, Deadlines. Haelt den Ueberblick.
SKILL.mdUpdated Mar 27, 2026
abzhaw/thesis-structure
development
VerifiedTrustedCommunity
Kapitelarchitektur und Gliederung der Masterarbeit. Verwaltet die Struktur, schlaegt vor wo Inhalte hingehoeren, validiert den logischen Fluss zwischen Kapiteln.
SKILL.mdUpdated Mar 27, 2026
abzhaw/session-synthesizer
tools
VerifiedTrustedCommunity
Konvertiert Protokolleinträge und Session-Logs in thesis-fähiges deutsches Narrativ. Transformiert Entwicklungsdokumentation in akademische Prosa.
SKILL.mdUpdated Mar 27, 2026
abzhaw/research-scout
research
VerifiedTrustedCommunity
Sucht und analysiert akademische Literatur. Findet relevante Papers, erstellt strukturierte Zusammenfassungen. Zitiert NIEMALS — schlaegt nur vor.
SKILL.mdUpdated Mar 27, 2026