← Back to Skills Marketplace
daniellummis

Dockerfile Hardening Audit

by Daniel Lummis · GitHub ↗ · v1.0.0
cross-platform ✓ Security Clean
266
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install dockerfile-hardening-audit
Description
Statically audit Dockerfiles for common container hardening risks (root user, unpinned/latest base images, missing healthchecks, and risky build patterns).
README (SKILL.md)

Dockerfile Hardening Audit

Use this skill to statically audit Dockerfiles before insecure container defaults land in production.

What this skill does

  • Scans Dockerfiles and scores hardening risk per file
  • Flags missing non-root USER declarations
  • Flags base images using floating tags (:latest, :main, :master, :edge) or no tag/digest
  • Flags missing HEALTHCHECK
  • Flags ADD instructions (when COPY is safer/clearer)
  • Flags curl|bash/wget|sh style remote script execution
  • Supports include/exclude regex filters and fail-gate mode

Inputs

Optional:

  • DOCKERFILE_GLOB (default: **/Dockerfile*)
  • TOP_N (default: 20)
  • OUTPUT_FORMAT (text or json, default: text)
  • WARN_SCORE (default: 3)
  • CRITICAL_SCORE (default: 6)
  • REQUIRE_NON_ROOT_USER (0/1, default: 1)
  • REQUIRE_HEALTHCHECK (0/1, default: 1)
  • FLAG_FLOATING_TAGS (0/1, default: 1)
  • FLAG_UNPINNED_IMAGES (0/1, default: 1)
  • FLAG_ADD_INSTRUCTIONS (0/1, default: 1)
  • FLAG_REMOTE_SCRIPT_PIPE (0/1, default: 1)
  • FILE_MATCH (regex include filter on Dockerfile path, optional)
  • FILE_EXCLUDE (regex exclude filter on Dockerfile path, optional)
  • FAIL_ON_CRITICAL (0 or 1, default: 0)

Run

Text report:

DOCKERFILE_GLOB='**/Dockerfile*' \
bash skills/dockerfile-hardening-audit/scripts/dockerfile-hardening-audit.sh

JSON output + fail gate:

DOCKERFILE_GLOB='**/Dockerfile*' \
OUTPUT_FORMAT=json \
FAIL_ON_CRITICAL=1 \
bash skills/dockerfile-hardening-audit/scripts/dockerfile-hardening-audit.sh

Run against bundled fixtures:

DOCKERFILE_GLOB='skills/dockerfile-hardening-audit/fixtures/*Dockerfile*' \
bash skills/dockerfile-hardening-audit/scripts/dockerfile-hardening-audit.sh

Output contract

  • Exit 0 in report mode (default)
  • Exit 1 when FAIL_ON_CRITICAL=1 and one or more Dockerfiles are critical
  • Text mode prints summary + ranked Dockerfile risks
  • JSON mode prints summary + ranked Dockerfiles + critical Dockerfiles
Usage Guidance
This skill appears coherent and low-risk for its stated purpose. Before running: (1) review/limit DOCKERFILE_GLOB (or set FILE_MATCH/FILE_EXCLUDE) so you only scan intended repositories/paths, (2) remember it is a static scanner — it looks for text patterns and can produce false positives/negatives (especially for complex multi-stage FROM lines or obfuscated remote fetches), and (3) you can safely inspect the bundled script (skills/dockerfile-hardening-audit/scripts/dockerfile-hardening-audit.sh) yourself to confirm no unexpected behavior. No network calls or secret exfiltration were found.
Capability Analysis
Type: OpenClaw Skill Name: dockerfile-hardening-audit Version: 1.0.0 The skill is a legitimate static analysis tool designed to audit Dockerfiles for security hardening risks such as root user usage, unpinned base images, and risky build patterns. The core logic is contained in a Python script within `scripts/dockerfile-hardening-audit.sh` that parses file contents using regular expressions and generates a risk score. No evidence of data exfiltration, malicious execution, or prompt injection was found.
Capability Assessment
Purpose & Capability
The name/description (Dockerfile hardening audit) matches the included script and SKILL.md. The required binaries (bash, python3) are exactly what's needed to run the provided shell+Python script. No unrelated credentials, config paths, or binaries are requested.
Instruction Scope
The SKILL.md instructs the agent to run the bundled script which performs static text analysis of Dockerfile paths matched by DOCKERFILE_GLOB. The script reads files from disk only (no network calls), uses regex checks to flag patterns (user, FROM tags, HEALTHCHECK, ADD, remote script pipes), and does not execute code from the Dockerfiles. Inputs are explicit and limited to the documented env-vars.
Install Mechanism
There is no install spec or remote download; the script is bundled in the skill. This is low risk because nothing is fetched from external URLs or written to unusual locations during install.
Credentials
No secrets or external service credentials are requested. The skill accepts a number of optional environment flags to control scanning behavior (glob, thresholds, toggles) which are proportionate to the task.
Persistence & Privilege
always is false and the skill does not modify agent/system configuration or other skills. It runs on-demand and does not require persistent presence or elevated privileges.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install dockerfile-hardening-audit
  3. After installation, invoke the skill by name or use /dockerfile-hardening-audit
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release: static Dockerfile hardening risk audit with text/json output, regex filters, and fail gate.
Metadata
Slug dockerfile-hardening-audit
Version 1.0.0
License
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Dockerfile Hardening Audit?

Statically audit Dockerfiles for common container hardening risks (root user, unpinned/latest base images, missing healthchecks, and risky build patterns). It is an AI Agent Skill for Claude Code / OpenClaw, with 266 downloads so far.

How do I install Dockerfile Hardening Audit?

Run "/install dockerfile-hardening-audit" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Dockerfile Hardening Audit free?

Yes, Dockerfile Hardening Audit is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Dockerfile Hardening Audit support?

Dockerfile Hardening Audit is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Dockerfile Hardening Audit?

It is built and maintained by Daniel Lummis (@daniellummis); the current version is v1.0.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463556 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259610 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200551 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191226 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190235 · by oswalpalash

💬 Comments