sutanunandigrami/docker-security
dot-claude/skills/docker-security/SKILL.md
Container hardening, image security, and Docker best practices. Use when building, scanning, or securing containers and images.
$ install --global
skillsauthnpx skillsauth add sutanunandigrami/claude-titan-setup docker-securityInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 15, 2026, 2:23 AM10.5s1 file scanned
SKILL.md
- name:
- docker-security
- description:
- Container hardening, image security, and Docker best practices. Use when building, scanning, or securing containers and images.
- paths:
- **/Dockerfile*,**/docker-compose*,**/.dockerignore,**/docker-compose.yml,**/docker-compose.yaml,**/docker-bake*
Docker Security
Image Build Security
- Lint before build:
hadolint Dockerfile - Scan immediately:
trivy image <org>/<app>:<tag>— catch CVEs before registry push - Generate SBOM:
syft <org>/<app>:<tag> -o spdx-json > sbom.spdx.json - Check layers:
dive <org>/<app>:<tag>— identify bloat, leaked files
Image Hardening Checklist
- Base image: Use distroless or Chainguard —
gcr.io/distroless/base:nonrootorcgr.io/chainguard/base:latest - No root:
RUN useradd -m -u 1000 app && chown -R app:app /app→USER app - Read-only FS:
docker run --read-only --tmpfs /tmp --tmpfs /run <image> - Drop caps:
docker run --cap-drop=ALL --cap-add=NET_BIND_SERVICE <image> - No secrets in layers: Use
RUN --mount=type=secret(Docker 18.04+)
Docker Compose Security
services:
app:
image: <image>:<pinned-tag> # Never use latest in prod
user: "1000:1000"
read_only: true
cap_drop: [ALL]
cap_add: [NET_BIND_SERVICE]
tmpfs: [/tmp, /run]
security_opt:
- no-new-privileges:true
networks:
- internal
networks:
internal:
driver: bridge
driver_opts:
com.docker.network.bridge.enable_icc: "false" # Block inter-container comms
Secret Scanning
trivy image --scan-secrets <org>/<app>:<tag> # Leaked secrets in layers
grype <org>/<app>:<tag> # CVE + secret detection
gitleaks detect . # Pre-push secret scan
Registry Hardening
cosign sign <image>:<tag> # Sign (requires COSIGN_KEY env)
cosign verify --key cosign.pub <image>:<tag> # Verify on pull
trivy image --severity HIGH,CRITICAL --exit-code 1 <image>:<tag> # Gate in CI
crane manifest <image>:<tag> | jq . # Inspect remote manifest
cosign tree <image>:<tag> # Check provenance + attestations
Runtime Security
docker run --security-opt apparmor=docker-default <image> # AppArmor profile
docker run -m 512m --cpus=1 <image> # Limit resources (DoS protection)
docker run -v /data:/data:ro <image> # Read-only volume mounts
docker run --security-opt no-new-privileges:true <image> # Block privilege escalation
# Verify storage driver: docker info | grep "Storage Driver" (should be overlay2)
Multi-Stage Build (Minimal Attack Surface)
# Stage 1: Build
FROM golang:1.21 AS builder
WORKDIR /app
COPY . .
RUN go build -o myapp .
# Stage 2: Runtime (distroless — no shell, no package manager)
FROM gcr.io/distroless/base:nonroot
COPY --from=builder /app/myapp /myapp
USER nonroot
ENTRYPOINT ["/myapp"]
Rules
- NEVER pin
latesttag in deployments — use commit SHA or semver - NEVER copy entire filesystem — COPY selectively + maintain
.dockerignore - NEVER log secrets to stdout/stderr (ends up in container logs)
- ALWAYS group
apt-get install && apt-get cleanin single RUN layer - ALWAYS use multi-stage builds to minimize final image size
- ALWAYS scan images in CI before push (
trivy --exit-code 1on CRITICAL) - NEVER run containers with
--privilegedunless absolutely necessary
Related Skills
sutanunandigrami/dot-claude/skills/workspace
tools
VerifiedTrustedCommunity
Project workspace configuration — auto-detect commands, _workspace.json convention, .envrc templates
9SKILL.mdUpdated Apr 15, 2026
sutanunandigrami/VibeSec-Skill
development
VerifiedTrustedCommunity
This skill helps Claude write secure web applications. Use this when working on any web application or when a user requests a scan or audit to ensure security best practices are followed.
9SKILL.mdUpdated Apr 15, 2026
sutanunandigrami/modern-python
tools
VerifiedTrustedCommunity
Configures Python projects with modern tooling (uv, ruff, ty). Use when creating projects, writing standalone scripts, or migrating from pip/Poetry/mypy/black.
9SKILL.mdUpdated Apr 15, 2026
sutanunandigrami/dot-claude/skills/tmux-control
tools
VerifiedTrustedCommunity
Control tmux sessions — create panes, run commands, read output, monitor processes
9SKILL.mdUpdated Apr 15, 2026