Agent-Skills.md

Agent Skills: Docker Security Skill

Secure Docker containers and images with hardening, scanning, and secrets management

container-securitydockersecrets-managementsecurity-scanninghardening
securityID: pluginagentmarketplace/custom-plugin-docker/docker-security

Repository

pluginagentmarketplace/custom-plugin-docker
pluginagentmarketplaceLicense: NOASSERTION
1

Skill Files

Browse the full folder contents for docker-security.

Download Skill

Loading file tree…

skills/docker-security/SKILL.md

Skill Metadata

Name
docker-security
Description
Secure Docker containers and images with hardening, scanning, and secrets management

Docker Security Skill

Master container security hardening, vulnerability scanning, and secrets management following CIS Docker Benchmark.

Purpose

Implement security best practices for Docker containers and images including non-root users, capability dropping, and vulnerability scanning.

Parameters

| Parameter | Type | Required | Default | Description | |-----------|------|----------|---------|-------------| | image | string | No | - | Image to scan | | severity | enum | No | HIGH | CRITICAL/HIGH/MEDIUM/LOW | | compliance | string | No | CIS | CIS/NIST/SOC2 |

Security Hardening

Non-Root User (MANDATORY)

# Create non-root user
RUN addgroup -g 1001 app && \
    adduser -u 1001 -G app -D app

# Set ownership
COPY --chown=app:app . /app

# Switch user
USER app

Read-Only Filesystem

docker run --read-only \
  --tmpfs /tmp:rw,noexec,nosuid \
  myapp:latest

Drop Capabilities

docker run \
  --cap-drop ALL \
  --cap-add NET_BIND_SERVICE \
  myapp:latest

Complete Hardened Run

docker run \
  --security-opt no-new-privileges:true \
  --cap-drop ALL \
  --read-only \
  --user 1001:1001 \
  --pids-limit 100 \
  --memory 512m \
  myapp:latest

Vulnerability Scanning

Trivy

# Basic scan
trivy image myapp:latest

# Filter by severity
trivy image --severity CRITICAL,HIGH myapp:latest

# CI/CD integration (fail on critical)
trivy image --exit-code 1 --severity CRITICAL myapp:latest

# JSON output
trivy image --format json --output report.json myapp:latest

Docker Scout

# Quick scan
docker scout cves myapp:latest

# Detailed report
docker scout cves --format markdown myapp:latest

Secrets Management

Docker Compose Secrets

services:
  database:
    image: postgres:16-alpine
    secrets:
      - db_password
    environment:
      POSTGRES_PASSWORD_FILE: /run/secrets/db_password

secrets:
  db_password:
    file: ./secrets/db_password.txt

BuildKit Secrets

# syntax=docker/dockerfile:1
RUN --mount=type=secret,id=npmrc,target=/root/.npmrc \
    npm install

docker build --secret id=npmrc,src=.npmrc .

Secure Dockerfile

FROM node:20-alpine AS builder
WORKDIR /app
COPY package*.json ./
RUN npm ci --only=production
COPY . .
RUN npm run build

FROM gcr.io/distroless/nodejs20-debian12
WORKDIR /app
COPY --from=builder /app/dist ./dist
COPY --from=builder /app/node_modules ./node_modules
USER nonroot
CMD ["dist/index.js"]

Error Handling

Common Errors

| Error | Cause | Solution | |-------|-------|----------| | permission denied | Non-root user | Fix file ownership | | read-only filesystem | Read-only mode | Use tmpfs mounts | | operation not permitted | Missing capability | Add specific cap |

Fallback Strategy

  1. Start without restrictions
  2. Add security options incrementally
  3. Test each restriction

Troubleshooting

Debug Checklist

  • [ ] Running as non-root? docker exec <c> id
  • [ ] Scanned for vulnerabilities?
  • [ ] Capabilities dropped?
  • [ ] Secrets not in env vars?

CIS Benchmark

docker run --rm --net host --pid host \
  -v /var/run/docker.sock:/var/run/docker.sock \
  docker/docker-bench-security

Usage

Skill("docker-security")

Related Skills

  • dockerfile-basics
  • docker-production