bagelhole/container-hardening
security/hardening/container-hardening/SKILL.md
Secure Docker images and container runtime configurations. Implement non-root users, read-only filesystems, and security contexts. Use when building secure container images or hardening container deployments.
$ install --global
skillsauthnpx skillsauth add bagelhole/devops-security-agent-skills container-hardeningInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 3, 2026, 5:06 PM4.4s2 files scanned
SKILL.md
- name:
- container-hardening
- description:
- Secure Docker images and container runtime configurations. Implement non-root users, read-only filesystems, and security contexts. Use when building secure container images or hardening container deployments.
- license:
- MIT
- author:
- devops-skills
- version:
- 1.0
Container Hardening
Secure container images and runtime configurations.
When to Use This Skill
Use this skill when:
- Building secure container images
- Hardening container deployments
- Meeting container security requirements
- Implementing defense in depth
Dockerfile Security
# Use minimal base image
FROM alpine:3.18
# Don't run as root
RUN addgroup -g 1001 -S appgroup && \
adduser -u 1001 -S appuser -G appgroup
# Copy with specific ownership
COPY --chown=appuser:appgroup . /app
# Remove unnecessary packages
RUN apk del --purge build-dependencies && \
rm -rf /var/cache/apk/*
# Use non-root user
USER appuser
# Read-only filesystem support
WORKDIR /app
Runtime Security
# Run with security options
docker run -d \
--read-only \
--tmpfs /tmp \
--security-opt=no-new-privileges:true \
--cap-drop=ALL \
--cap-add=NET_BIND_SERVICE \
--user 1001:1001 \
myapp:latest
Kubernetes Security Context
apiVersion: v1
kind: Pod
spec:
securityContext:
runAsNonRoot: true
runAsUser: 1001
fsGroup: 1001
containers:
- name: app
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop: ["ALL"]
Image Scanning
# Scan with Trivy
trivy image --severity HIGH,CRITICAL myapp:latest
# Use distroless images
FROM gcr.io/distroless/static-debian11
Best Practices
- Use minimal base images
- Run as non-root user
- Enable read-only filesystem
- Drop all capabilities
- Scan images regularly
- Sign and verify images
- Use secrets management
Related Skills
- container-scanning - Vulnerability scanning
- kubernetes-hardening - K8s security
Related Skills
bagelhole/sre-dashboards
development
VerifiedTrustedCommunity
Design and operationalize SRE dashboards that surface reliability, latency, error, saturation, and capacity signals across services. Use when building observability views for SLOs, incident response, and executive reliability reporting.
28SKILL.mdUpdated May 23, 2026
bagelhole/openclaw-security-hardening
testing
VerifiedTrustedCommunity
Harden OpenClaw self-hosted environments with baseline host controls, auth tightening, secret handling, network segmentation, and safe update/rollback workflows. Use when deploying OpenClaw in home labs, startups, or production-like local AI infrastructure.
28SKILL.mdUpdated Apr 3, 2026
bagelhole/vector-database-ops
devops
VerifiedTrustedCommunity
Deploy, manage, and optimize vector databases for AI applications. Covers Qdrant, Weaviate, pgvector, and Pinecone — collection management, indexing strategies, backup, and performance tuning for production RAG and semantic search workloads.
28SKILL.mdUpdated Apr 3, 2026
bagelhole/model-serving-kubernetes
testing
VerifiedTrustedCommunity
Deploy ML models on Kubernetes with KServe (formerly KFServing) and NVIDIA Triton Inference Server. Includes canary deployments, autoscaling, model versioning, A/B testing, and GPU resource management for production model serving.
28SKILL.mdUpdated Apr 3, 2026