TopRank Skills


dockerfile-hardening-audit

Statically audit Dockerfiles for common container hardening risks (root user, unpinned/latest base images, missing healthchecks, and risky build patterns).

Stars: 0
Installs: 0
Status: ACTIVE
Visibility: PUBLIC

Installation

Copy the prompt below and send it to your AI assistant to complete the installation.

First check whether the SkillHub store is installed. If it is not, install the SkillHub store by following https://skillhub-1388575217.cos.ap-guangzhou.myqcloud.com/install/skillhub.md, then install the dockerfile-hardening-audit skill. If it is already installed, install the dockerfile-hardening-audit skill directly.

Overview

Skill Key: daniellummis/dockerfile-hardening-audit
Author: daniellummis
Source Repo: openclaw/skills
Version: 1.0.0
Source Path: skills/daniellummis/dockerfile-hardening-audit
Latest Commit SHA: 19f0c72868adaa52e9f34fe2956a121c1fb6993f

Extracted Content

SKILL.md excerpt

# Dockerfile Hardening Audit

Use this skill to statically audit Dockerfiles before insecure container defaults land in production.

## What this skill does
- Scans Dockerfiles and scores hardening risk per file
- Flags Dockerfiles with no non-root `USER` declaration (the container would otherwise run as root)
- Flags base images using floating tags (`:latest`, `:main`, `:master`, `:edge`) or no tag/digest, since such references resolve to a different image over time and make builds unreproducible
- Flags missing `HEALTHCHECK`
- Flags `ADD` instructions (`COPY` is safer/clearer: `ADD` also fetches remote URLs and silently unpacks archives)
- Flags `curl|bash`/`wget|sh` style remote script execution, which runs unverified code fetched at build time
- Supports include/exclude regex filters and fail-gate mode

## Inputs
All inputs are optional environment variables:
- `DOCKERFILE_GLOB` (default: `**/Dockerfile*`)
- `TOP_N` (default: `20`)
- `OUTPUT_FORMAT` (`text` or `json`, default: `text`)
- `WARN_SCORE` (default: `3`)
- `CRITICAL_SCORE` (default: `6`)
- `REQUIRE_NON_ROOT_USER` (`0`/`1`, default: `1`)
- `REQUIRE_HEALTHCHECK` (`0`/`1`, default: `1`)
- `FLAG_FLOATING_TAGS` (`0`/`1`, default: `1`)
- `FLAG_UNPINNED_IMAGES` (`0`/`1`, default: `1`)
- `FLAG_ADD_INSTRUCTIONS` (`0`/`1`, default: `1`)
- `FLAG_REMOTE_SCRIPT_PIPE` (`0`/`1`, default: `1`)
- `FILE_MATCH` (regex include filter on Dockerfile path, optional)
- `FILE_EXCLUDE` (regex exclude filter on Dockerfile path, optional)
- `FAIL_ON_CRITICAL` (`0`/`1`, default: `0`)

## Run

Text report:

```bash
DOCKERFILE_GLOB='**/Dockerfile*' \
bash skills/dockerfile-hardening-audit/scripts/dockerfile-hardening-audit.sh
```

JSON output + fail gate:

```bash
DOCKERFILE_GLOB='**/Dockerfile*' \
OUTPUT_FORMAT=json \
FAIL_ON_CRITICAL=1 \
bash skills/dockerfile-hardening-audit/scripts/dockerfile-hardening-audit.sh
```

Run against bundled fixtures:

```bash
DOCKERFILE_GLOB='skills/dockerfile-hardening-audit/fixtures/*Dockerfile*' \
bash skills/dockerfile-hardening-audit/scripts/dockerfile-hardening-audit.sh
```

## Output contract
- Exit `0` in report mode (default)
- Exit `1` when `FAIL_ON_CRITICAL=1` and one or more Dockerfiles are critical
- Text mode prints summary + ranked Dockerfile risks
- JSON mode prints s...
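The checks, the WARN/CRITICAL thresholds and the exit-code contract above, worked through as an added reference implementation in Python. This is example code written for this page, not the skill's own `scripts/dockerfile-hardening-audit.sh`; the per-finding weights, the function names and the two fixture Dockerfiles (with a placeholder digest) are assumptions. It goes a little beyond the list above: `USER` and `HEALTHCHECK` are evaluated on the final stage of a multi-stage Dockerfile (a stage built `FROM` an earlier stage inherits that stage's values), `HEALTHCHECK NONE` counts as missing, and a registry port is not mistaken for a tag.

```python
"""Static Dockerfile hardening audit: an added example, not the skill's own
scripts/dockerfile-hardening-audit.sh. It implements the checks the skill lists
(non-root USER, floating/unpinned FROM images, HEALTHCHECK, ADD, curl|bash and
wget|sh pipes), scores each file and applies the thresholds and the fail gate.
The weights, function names and the fixture Dockerfiles are assumptions."""
import re

FLOATING_TAGS = {"latest", "main", "master", "edge"}
WEIGHTS = {"root_user": 3, "remote_script_pipe": 3, "floating_tag": 2,  # assumed
           "unpinned_image": 2, "add_instruction": 1, "no_healthcheck": 1}
# curl/wget output piped, possibly via sudo, straight into a shell: `curl -fsSL URL | bash`
REMOTE_PIPE = re.compile(r"\b(?:curl|wget)\b[^|&;]*\|\s*(?:sudo\s+)?(?:ba|z|da)?sh\b")

def parse_instructions(text):
    """Yield (INSTRUCTION, args); joins backslash continuations and drops blank or
    comment lines (a comment line may sit inside a continuation)."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        parts = (buf + line).split(None, 1)
        buf = ""
        yield parts[0].upper(), (parts[1] if len(parts) > 1 else "")

def image_pin_state(ref):
    """digest | tag | floating | untagged. The tag is read from the last path
    component only, so a registry port (registry.example:5000/img) is not a tag."""
    if "@sha256:" in ref:
        return "digest"
    last = ref.rsplit("/", 1)[-1]
    if ":" not in last:
        return "untagged"
    return "floating" if last.rsplit(":", 1)[1] in FLOATING_TAGS else "tag"

def audit(text):
    """Return [(check, detail), ...]. USER and HEALTHCHECK are judged on the final
    stage (the only one that ships); a stage built FROM an earlier stage inherits its
    values; an external base image counts as root until a USER line says otherwise."""
    findings, stages, state = [], {}, {"user": "root", "hc": False}
    for instr, args in parse_instructions(text):
        if instr == "FROM":
            toks = [t for t in args.split() if not t.startswith("--")]  # drop --platform=
            image = toks[0]
            if image in stages:
                state = dict(stages[image])  # earlier stage: inherit, nothing to pin
            else:
                state = {"user": "root", "hc": False}
                pin = image_pin_state(image)
                if pin == "floating":
                    findings.append(("floating_tag", image))
                elif pin == "untagged":
                    findings.append(("unpinned_image", image))
            if len(toks) >= 3 and toks[1].upper() == "AS":
                stages[toks[2]] = state  # live dict: later USER lines update it
        elif instr == "USER":
            state["user"] = args.split(":")[0].strip()  # "app:app", "1000:1000"
        elif instr == "HEALTHCHECK":
            state["hc"] = not args.strip().upper().startswith("NONE")  # NONE disables
        elif instr == "ADD":
            findings.append(("add_instruction", args))
        elif instr == "RUN" and REMOTE_PIPE.search(args):
            findings.append(("remote_script_pipe", args))
    if state["user"] in ("root", "0"):
        findings.append(("root_user", "final stage runs as " + state["user"]))
    if not state["hc"]:
        findings.append(("no_healthcheck", "final stage has no HEALTHCHECK"))
    return findings

def score(findings):
    return sum(WEIGHTS[check] for check, _ in findings)

def severity(total, warn=3, critical=6):  # defaults mirror WARN_SCORE / CRITICAL_SCORE
    return "critical" if total >= critical else "warn" if total >= warn else "ok"

def gate_exit_code(reports, fail_on_critical=False):
    """Output contract: 0 in report mode, 1 when the gate is on and any file is critical."""
    hit = any(severity(score(f)) == "critical" for f in reports.values())
    return 1 if fail_on_critical and hit else 0

# Constructed fixtures, not the skill's bundled ones; the digest is a placeholder.
BAD_DOCKERFILE = """FROM node:latest
ADD app.tar.gz /srv/app
RUN curl -fsSL https://example.invalid/setup.sh | bash
CMD ["node", "/srv/app/server.js"]
"""
GOOD_DOCKERFILE = "FROM golang:1.22-alpine@sha256:" + "0" * 64 + """ AS build
RUN CGO_ENABLED=0 go build -o /out/app ./cmd/app
FROM registry.example:5000/base/static:12.4 AS runtime
COPY --from=build /out/app /app
USER 65532:65532
HEALTHCHECK --interval=30s --timeout=3s \\
    CMD ["/app", "--healthcheck"]
ENTRYPOINT ["/app"]
"""

if __name__ == "__main__":  # report the fixtures ranked by score, then apply the fail gate
    reports = {"bad.Dockerfile": audit(BAD_DOCKERFILE), "good.Dockerfile": audit(GOOD_DOCKERFILE)}
    for path, fs in sorted(reports.items(), key=lambda kv: -score(kv[1])):
        print(f"{severity(score(fs)):8} score={score(fs):2}  {path}" + "".join(f"\n    [{c}] {d}" for c, d in fs))
    raise SystemExit(gate_exit_code(reports, fail_on_critical=True))
```

Run as a script it reports the two fixtures: `bad.Dockerfile` collects all five finding types for a score of 10 and trips the gate, so the process exits 1, while the multi-stage `good.Dockerfile` scores 0. The check is purely static, so it cannot know that a base image already drops privileges; an external image is counted as root until the Dockerfile itself sets `USER`, which matches the skill's requirement for an explicit non-root `USER` declaration.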
