bjornmelin/docker-architect
skills/docker-architect/SKILL.md
Docker + Compose—arch, implement, harden, CI. Triggers—Dockerfile, compose, bake, dockerignore, audit, build/run debug, multi-svc dev/prod.
$ install --global
skillsauthnpx skillsauth add bjornmelin/dev-skills docker-architectInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
This skill has been flagged as suspicious. Review the scan results before using.
2 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
2
Scanners Passed
9
Scanners in report
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Suspicious
TrivyContainer and dependency vulnerability scanner
70%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Jun 11, 2026, 3:44 AM65.8s24 files scanned
SKILL.md
- name:
- docker-architect
- description:
- Docker + Compose—arch, implement, harden, CI. Triggers—Dockerfile, compose, bake, dockerignore, audit, build/run debug, multi-svc dev/prod.
Docker Architect
Overview
Produce production-grade, secure, right-sized Docker images and Compose environments end-to-end: inventory → design → implement → test → CI. Prefer minimal, reproducible builds (multi-stage + BuildKit) and least-privilege runtime defaults.
Quick Start (always do this first)
Resolve skill_dir as the directory containing this skill before running
bundled scripts.
- Inventory the repo and existing container config:
- Run
python3 "$skill_dir/scripts/docker_inventory.py" --root .
- Run
- Choose the target:
- New containerization → follow “New build workflow”
- Existing Dockerfiles/Compose → follow “Audit + refactor workflow”
- Validate locally:
docker buildx versiondocker buildx build ...(ordocker build ...)docker compose configanddocker compose up --build
Template rendering example (edit variables per repo):
python3 "$skill_dir/scripts/render_template.py" --template .dockerignore --out .dockerignorepython3 "$skill_dir/scripts/render_template.py" --template compose/docker-compose.yml --out docker-compose.yml --var IMAGE_NAME=myapp:dev --var HOST_PORT=8000 --var CONTAINER_PORT=8000python3 "$skill_dir/scripts/render_template.py" --template compose/docker-compose.dev.yml --out docker-compose.dev.yml --var CONTAINER_PORT=8000 --var DEV_COMMAND='[\"python\",\"-m\",\"uvicorn\",\"myapp.api:app\",\"--host\",\"0.0.0.0\",\"--port\",\"8000\",\"--reload\"]'
Workflow Decision Tree
- Scope:
- Dev-only (fast iteration, source mounts, hot reload) → prefer
docker-compose.dev.yml - Prod-like (immutable images, healthchecks, least privilege) → prefer
docker-compose.yml+docker-compose.prod.yml
- Dev-only (fast iteration, source mounts, hot reload) → prefer
- Artifact type:
- Single service → one Dockerfile + optional compose for deps
- Multi-service → compose with explicit networks/volumes and healthchecks
- Publish target:
- Local only → keep simple; optional CI smoke checks
- Registry publish → add CI build/test/scan/push + provenance/SBOM (if available)
New build workflow (Dockerfile + .dockerignore + compose)
- Pick a base strategy (see
references/dockerfile_patterns.md):- Multi-stage build; runtime image is minimal; build tools stay in builder stage.
- Prefer slim/distroless where feasible; default to non-root user.
- Add
.dockerignoreearly (template inassets/templates/.dockerignore). - Create a Dockerfile from templates:
- Prefer
assets/templates/python/Dockerfile.uvfor modern Python/uv - Prefer
assets/templates/node/Dockerfile.pnpmfor Node + pnpm - Use
python3 "$skill_dir/scripts/render_template.py" ...to render with variables.
- Prefer
- Add a compose file for dependencies (DB/cache) and dev/prod profiles:
- Start from
assets/templates/compose/docker-compose.yml+ an override (assets/templates/compose/docker-compose.dev.ymlorassets/templates/compose/docker-compose.prod.yml) - Optional deps file:
assets/templates/compose/docker-compose.deps.yml
- Start from
- Local validation:
bash "$skill_dir/scripts/smoke_test_container.sh" --help- Optional:
--build-check(Docker build checks) and--pull(fresh base images) - For compose:
bash "$skill_dir/scripts/smoke_test_compose.sh" --help
Audit + refactor workflow (existing Dockerfiles/Compose)
- Inventory + static audit:
python3 "$skill_dir/scripts/docker_audit.py" --root .
- Identify high-risk issues (see
references/security_hardening.md):- Secrets in image/build args, root/privileged runtime, overly broad mounts, host networking, “latest” tags, missing healthchecks.
- Refactor incrementally:
- Keep behavior stable, then tighten (non-root, read-only fs, drop caps, pin images, shrink layers).
- Validate end-to-end:
docker buildx build ...docker compose up --buildand run the app’s normal test/health commands.
- Produce a concise report (template in
references/review_template.md).
CI integration workflow (GitHub Actions default)
- Start from
assets/templates/ci/github-actions-docker-ci.yml.- For publish + SBOM/provenance to GHCR:
assets/templates/ci/github-actions-docker-publish.yml
- For publish + SBOM/provenance to GHCR:
- Ensure CI runs:
docker buildx build(cache enabled)docker compose config(compose validation)- optional: build checks (
docker build --check) and scan/SBOM/provenance steps
- Prefer pinned action versions and least-privilege permissions (see
references/ci_github_actions.md).
“Latest/correct” research rule (do not guess)
When “latest” matters (base images, distro versions, language runtimes, CVEs):
- Use Exa to confirm current official guidance and tags (official sources preferred).
- Use
docker buildx imagetools inspect <image:tag>to confirm manifests/platforms. - If unsure, mark as
UNVERIFIEDand propose a safe default with a verification step.
Tooling leverage (when it helps)
- Exa: find current best practices, base image changes, CVE guidance, GitHub Actions deprecations.
- Context7: confirm framework-specific build outputs (e.g., Next.js, FastAPI, uvicorn/gunicorn, etc.).
- Zen: use
zen.secauditfor a structured container/security audit andzen.analyzefor architecture-sensitive compose design. - gh_grep: search public repos for battle-tested patterns (entrypoints, healthchecks, buildx/bake, compose profiles).
- opensrc: inspect dependency internals when container behavior depends on packaging details.
Bundled resources
Scripts
scripts/docker_inventory.py: detect stack + existing Docker/Compose files.scripts/docker_audit.py: heuristic linting of Dockerfiles/Compose for security/correctness.scripts/render_template.py: render templates with{{VARS}}into repo files.scripts/smoke_test_container.sh: build/run basic health check locally.scripts/smoke_test_compose.sh: validate + bring up compose and check health.
References (load as needed)
references/dockerfile_patterns.md: BuildKit, caching, multi-stage, runtime hardening.references/compose_patterns.md: compose patterns, profiles, healthchecks, secrets/configs.references/security_hardening.md: least privilege, capabilities, read-only fs, supply chain.references/ci_github_actions.md: CI build/test/scan/publish patterns.references/review_template.md: audit report format and deliverables checklist.
Assets (templates)
Templates live under assets/templates/ (Dockerfile variants, compose variants, CI workflow, .dockerignore, docker-bake.hcl).
Related Skills
bjornmelin/repo-modernizer
development
VerifiedTrustedCommunity
Repo/monorepo modernization: dependency upgrades, security fixes, deprecation cleanup, framework migrations, dependency-native refactors, and verified hard-cut simplification.
2SKILL.mdUpdated Jun 11, 2026
bjornmelin/web-waapi
development
VerifiedTrustedCommunity
Use this skill for Browser Web Animations API: Element.animate(), Animation, KeyframeEffect, playback control, generated keyframes, cancel/finish, commitStyles, and cleanup. Trigger on Element.animate, WAAPI, Web Animations API, KeyframeEffect, Animation object, commitStyles. Do not use for near-miss tasks outside these boundaries; route to adjacent motion or platform skills when they own the implementation.
2SKILL.mdUpdated Jun 11, 2026
bjornmelin/web-three-r3f
tools
VerifiedTrustedCommunity
Use this skill for Three.js, React Three Fiber, Drei, Canvas/createRoot lifecycle, loaders, GLTF, useFrame, disposal, SSR/client boundaries, DPR, and browser proof. Trigger on Three.js, THREE, @react-three/fiber, @react-three/drei, R3F Canvas, useFrame, GLTF, WebGLRenderer. Do not use for near-miss tasks outside these boundaries; route to adjacent motion or platform skills when they own the implementation.
2SKILL.mdUpdated Jun 11, 2026
bjornmelin/web-tailwind-motion
development
VerifiedTrustedCommunity
Use this skill for Tailwind CSS v4 transition, animation, duration, easing, motion-safe/motion-reduce, @theme motion tokens, and static class safety. Trigger on Tailwind animation, transition-all, motion-safe, motion-reduce, @theme, animate-, duration-. Do not use for near-miss tasks outside these boundaries; route to adjacent motion or platform skills when they own the implementation.
2SKILL.mdUpdated Jun 11, 2026