suhteevah

containerlint

by suhteevah · GitHub ↗ · v1.0.1 · MIT-0
Platforms: darwin, linux, win32 · ⚠ suspicious
81 Downloads · 0 Stars · 0 Active Installs · 1 Versions
Install in OpenClaw: /install containerlint
Description
Docker & container security anti-pattern analyzer -- detects Dockerfile issues, missing health checks, resource limit gaps, privileged containers, insecure n...
README (SKILL.md)

# ContainerLint -- Docker & Container Security Anti-Pattern Analyzer

ContainerLint scans codebases for Docker and container security anti-patterns, Dockerfile issues, missing health checks, resource limit gaps, privileged containers, insecure networking, and orchestration misconfigurations. It uses regex-based pattern matching against 90 container-specific patterns across 6 categories, lefthook for git hook integration, and produces markdown reports with actionable remediation guidance. 100% local. Zero telemetry.

## Commands

### Free Tier (No license required)

#### `containerlint scan [file|directory]`
One-shot container security scan of files or directories.

**How to execute:**
```bash
bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [target]
```

**What it does:**
1. Accepts a file path or directory (defaults to current directory)
2. Discovers all source files (skips .git, node_modules, binaries, images, .min.js)
3. Runs 30 container security patterns against each file (free tier limit)
4. Calculates a container security score (0-100) per file and overall
5. Grades: A (90-100), B (80-89), C (70-79), D (60-69), F (<60)
6. Outputs findings with: file, line number, check ID, severity, description, recommendation
7. Exit code 0 if score >= 70, exit code 1 if container security is poor
8. Free tier limited to first 30 patterns (DF + SC categories)

**Example usage scenarios:**
- "Scan my code for Dockerfile issues" -> runs `containerlint scan .`
- "Check this file for container anti-patterns" -> runs `containerlint scan docker-compose.yml`
- "Find privileged containers" -> runs `containerlint scan .`
- "Audit container security in my project" -> runs `containerlint scan .`
- "Check for missing health checks" -> runs `containerlint scan .`

### Pro Tier ($19/user/month -- requires CONTAINERLINT_LICENSE_KEY)

#### `containerlint scan --tier pro [file|directory]`
Extended scan with 60 patterns covering Dockerfile, security context, health checks, and resource management.

**How to execute:**
```bash
bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [target] --tier pro
```

**What it does:**
1. Validates Pro+ license
2. Runs 60 container security patterns (DF, SC, HC, RS categories)
3. Detects missing health checks and readiness probes
4. Identifies resource limit gaps and unbounded containers
5. Full category breakdown reporting

#### `containerlint scan --format json [directory]`
Generate JSON output for CI/CD integration.

```bash
bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [directory] --format json
```

#### `containerlint scan --format html [directory]`
Generate HTML report for browser viewing.

```bash
bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [directory] --format html
```

#### `containerlint scan --category HC [directory]`
Filter scan to a specific check category (DF, SC, HC, RS, NW, OR).

```bash
bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [directory] --category HC
```

### Team Tier ($39/user/month -- requires CONTAINERLINT_LICENSE_KEY with team tier)

#### `containerlint scan --tier team [directory]`
Full scan with all 90 patterns across all 6 categories including networking and orchestration.

**How to execute:**
```bash
bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [directory] --tier team
```

**What it does:**
1. Validates Team+ license
2. Runs all 90 patterns across 6 categories
3. Includes networking checks (host networking, exposed ports, insecure registries)
4. Includes orchestration checks (compose anti-patterns, missing restart policies)
5. Full category breakdown with per-file results

#### `containerlint scan --verbose [directory]`
Verbose output showing every matched line and pattern details.

```bash
bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [directory] --verbose
```

#### `containerlint status`
Show license and configuration information.

```bash
bash "<SKILL_DIR>/scripts/dispatcher.sh" status
```

## Check Categories

ContainerLint detects 90 container security anti-patterns across 6 categories:

| Category | Code | Patterns | Description | Severity Range |
|----------|------|----------|-------------|----------------|
| **Dockerfile Best Practices** | DF | 15 | Missing USER directive, ADD instead of COPY, latest tag, missing .dockerignore patterns, multiple FROM without alias | medium -- high |
| **Security Context** | SC | 15 | Privileged mode, running as root, exposed secrets, capability escalation, no seccomp profile | high -- critical |
| **Health & Readiness** | HC | 15 | No HEALTHCHECK, missing readiness probes, no liveness checks, no startup probes | medium -- high |
| **Resource Management** | RS | 15 | No resource limits, no memory limits, no CPU limits, unbounded storage, no ephemeral storage limits | medium -- high |
| **Networking & Exposure** | NW | 15 | Exposing all ports, host networking, no network policy, publishing on 0.0.0.0, insecure registries | medium -- critical |
| **Orchestration & Compose** | OR | 15 | No restart policy, no replicas, hardcoded IPs in compose, no volume mounts for secrets, latest tag in compose | low -- high |

## Tier-Based Pattern Access

| Tier | Patterns | Categories |
|------|----------|------------|
| **Free** | 30 | DF, SC |
| **Pro** | 60 | DF, SC, HC, RS |
| **Team** | 90 | DF, SC, HC, RS, NW, OR |
| **Enterprise** | 90 | DF, SC, HC, RS, NW, OR + priority support |

## Scoring

ContainerLint uses a deductive scoring system starting at 100 (perfect):

| Severity | Point Deduction | Description |
|----------|-----------------|-------------|
| **Critical** | -25 per finding | Severe security vulnerability (privileged mode, exposed secrets) |
| **High** | -15 per finding | Significant security problem (running as root, no resource limits) |
| **Medium** | -8 per finding | Moderate concern (latest tag, missing health check) |
| **Low** | -3 per finding | Informational / best practice suggestion |

### Grading Scale

| Grade | Score Range | Meaning |
|-------|-------------|---------|
| **A** | 90-100 | Excellent container security |
| **B** | 80-89 | Good security with minor issues |
| **C** | 70-79 | Acceptable but needs improvement |
| **D** | 60-69 | Poor container security |
| **F** | Below 60 | Critical security problems |

- **Pass threshold:** 70 (Grade C or better)
- Exit code 0 = pass (score >= 70)
- Exit code 1 = fail (score < 70)

## Configuration

Users can configure ContainerLint in `~/.openclaw/openclaw.json`:

```json
{
  "skills": {
    "entries": {
      "containerlint": {
        "enabled": true,
        "apiKey": "YOUR_LICENSE_KEY_HERE",
        "config": {
          "severityThreshold": "medium",
          "ignorePatterns": ["**/test/**", "**/fixtures/**", "**/*.test.*"],
          "ignoreChecks": [],
          "reportFormat": "text"
        }
      }
    }
  }
}
```
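The scan steps under "What it does", the deductive scoring and grading tables, and the `ignorePatterns` setting above all fit together in one small program. The following is an added example, not ContainerLint's own scripts: the check IDs, regexes, messages and the way the overall score is aggregated are assumptions made for this illustration, while the deductions, grade bands and pass threshold are taken from the tables on this page. The sample file tree is constructed.

```python
"""Added example, not ContainerLint's own scripts: a small regex-based scanner
that reproduces the scan steps and the deductive scoring/grading described in
SKILL.md.  The check IDs, regexes and messages are illustrative assumptions; the
skill's real 90 patterns live in its bundled scripts, which are not on this page."""
import re
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Dict, List, Tuple

# Deductions and pass threshold exactly as the README's scoring table states them.
DEDUCTION = {"critical": 25, "high": 15, "medium": 8, "low": 3}
PASS_THRESHOLD = 70

# ignorePatterns from the documented openclaw.json example.
IGNORE_PATTERNS = ["**/test/**", "**/fixtures/**", "**/*.test.*"]


@dataclass
class Finding:
    file: str
    line: int           # 0 = file-level finding
    check_id: str
    severity: str
    description: str
    recommendation: str


# Hypothetical per-line patterns, IDs modelled on the DF/SC/HC category codes.
LINE_CHECKS = [
    ("DF-002", "medium", re.compile(r"^\s*ADD\s+(?!https?://)", re.I),
     "ADD used where COPY would do", "Use COPY unless you need ADD's URL/tar handling"),
    ("DF-003", "medium", re.compile(r"^\s*FROM\s+(?!scratch\b)([^\s:@]+|\S+:latest)(\s+AS\s+\S+)?\s*$", re.I),
     "Base image is untagged or uses :latest", "Pin the base image to a version tag or digest"),
    ("SC-001", "critical", re.compile(r"^\s*privileged:\s*true\b", re.I),
     "Service runs in privileged mode", "Drop privileged: true; grant only the capabilities needed"),
    ("SC-004", "high", re.compile(r"^\s*USER\s+(root|0)\s*$", re.I),
     "USER directive selects root", "Switch to an unprivileged user"),
]

# Hypothetical whole-file checks that fire when the instruction is absent (Dockerfiles only).
FILE_CHECKS = [
    ("DF-001", "high", re.compile(r"^\s*USER\s+", re.I | re.M),
     "No USER directive; the container runs as root", "Add USER after package installation"),
    ("HC-001", "medium", re.compile(r"^\s*HEALTHCHECK\s+", re.I | re.M),
     "No HEALTHCHECK instruction", "Add HEALTHCHECK so hung processes are detected"),
]


def is_dockerfile(path: str) -> bool:
    return "dockerfile" in path.rsplit("/", 1)[-1].lower()


def ignored(path: str, patterns) -> bool:
    # Approximation of the config's globs with fnmatch (where '*' also crosses '/').
    return any(fnmatch(path, p) for p in patterns)


def scan_text(path: str, text: str) -> List[Finding]:
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for cid, sev, rx, desc, rec in LINE_CHECKS:
            if rx.search(line):
                findings.append(Finding(path, lineno, cid, sev, desc, rec))
    if is_dockerfile(path):
        for cid, sev, rx, desc, rec in FILE_CHECKS:
            if not rx.search(text):
                findings.append(Finding(path, 0, cid, sev, desc, rec))
    return findings


def score(findings) -> int:
    """Start at 100 and subtract the table's deduction per finding, floored at 0."""
    return max(0, 100 - sum(DEDUCTION[f.severity] for f in findings))


def grade(s: int) -> str:
    return "A" if s >= 90 else "B" if s >= 80 else "C" if s >= 70 else "D" if s >= 60 else "F"


def exit_code(overall: int) -> int:
    return 0 if overall >= PASS_THRESHOLD else 1


def scan_repo(files: Dict[str, str], ignore_patterns=()) -> Tuple[Dict[str, int], int, List[Finding]]:
    """Scan an in-memory {path: contents} tree; returns per-file scores, overall score, findings."""
    findings, per_file = [], {}
    for path, text in files.items():
        if ignored(path, ignore_patterns):
            continue
        file_findings = scan_text(path, text)
        findings.extend(file_findings)
        per_file[path] = score(file_findings)
    # Assumption: the overall score applies every deduction once; the README does not
    # say how it aggregates, so the real tool may differ.
    return per_file, score(findings), findings


# Constructed sample tree (not from the page).
SAMPLE_REPO = {
    "Dockerfile": (
        "FROM python:3.12-slim\n"
        "COPY . /app\n"
        "RUN pip install -r /app/requirements.txt\n"
        "USER app\n"
        "HEALTHCHECK CMD curl -f http://localhost:8000/health || exit 1\n"
        'CMD ["python", "/app/main.py"]\n'
    ),
    "worker/Dockerfile": 'FROM ubuntu:latest\nADD app.tar.gz /opt/\nCMD ["/opt/run.sh"]\n',
    "docker-compose.yml": "services:\n  worker:\n    build: ./worker\n    privileged: true\n",
    "test/fixtures/Dockerfile": "FROM ubuntu:latest\n",   # skipped by ignorePatterns
}


if __name__ == "__main__":
    per_file, overall, findings = scan_repo(SAMPLE_REPO, IGNORE_PATTERNS)
    for f in sorted(findings, key=lambda f: (f.file, f.line)):
        print(f"{f.file}:{f.line} [{f.check_id}] {f.severity}: {f.description} -> {f.recommendation}")
    for path, s in per_file.items():
        print(f"{path}: {s}/100 ({grade(s)})")
    print(f"overall {overall}/100 ({grade(overall)}), exit code {exit_code(overall)}")
```

On the constructed tree the root Dockerfile scores 100 (A), `worker/Dockerfile` loses 8 + 8 + 15 + 8 points for the `:latest` base, the `ADD`, the missing `USER` and the missing `HEALTHCHECK` (61, D), and the compose file loses 25 for `privileged: true` (75, C); under the aggregation assumed here the overall score is 36 (F), so the exit code is 1. Note how one critical finding alone is enough to pull a file from A to C, which is the behaviour the deduction table implies.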

## Important Notes

- **Free tier** works immediately with no configuration
- **All scanning happens locally** -- no code is sent to external servers
- **License validation is offline** -- no phone-home or network calls
- Pattern matching only -- no AST parsing, no external dependencies beyond bash
- Supports scanning all file types in a single pass
- Git hooks use **lefthook** which must be installed (see install metadata above)
- Exit codes: 0 = pass (score >= 70), 1 = fail (for CI/CD integration)
- Output formats: text (default), json, html

## Error Handling

- If lefthook is not installed and user tries hooks, prompt to install it
- If license key is invalid or expired, show clear message with link to https://containerlint.pages.dev/renew
- If a file is binary, skip it automatically with no warning
- If no scannable files found in target, report clean scan with info message
- If an invalid category is specified with --category, show available categories

## When to Use ContainerLint

The user might say things like:
- "Scan my code for Dockerfile issues"
- "Check my container security"
- "Find privileged containers"
- "Detect missing health checks"
- "Are there any hardcoded secrets in my Docker files?"
- "Check for missing resource limits"
- "Audit my container security practices"
- "Find insecure Docker configurations"
- "Check for missing network policies"
- "Scan for container anti-patterns"
- "Run a container security audit"
- "Generate a container security report"
- "Check if my containers have proper resource limits"
- "Find containers running as root"
- "Check my docker-compose for anti-patterns"

Usage Guidance

This skill appears to do what it says: local regex-based scanning of Dockerfiles and compose for container anti-patterns, with an optional paid license to unlock additional patterns. Before installing:
1) Review the bundled scripts (already provided) to confirm you accept their behavior.
2) Be aware 'hooks install' will add/append lefthook.yml to your repository and run these scripts on pre-commit/pre-push — back up your existing lefthook.yml if you have one.
3) The license key is read from CONTAINERLINT_LICENSE_KEY or ~/.openclaw/openclaw.json; only provide a key you trust.
4) The license module can optionally verify JWT signatures using CLAWHUB_JWT_SECRET (not required); if you don't set that env var, signature verification is skipped.
5) Installing lefthook via brew (as suggested) is standard but verify you want that dependency.
If you want extra caution, run the scanner manually (bash scripts/dispatcher.sh --path .) in a safe repo before enabling hooks or adding a license key.
Capability Analysis
Type: OpenClaw Skill
Name: containerlint
Version: 1.0.1
The skill is a container security linter that performs local analysis of Dockerfiles and orchestration configs. It is classified as suspicious due to a shell injection vulnerability in `scripts/license.sh`. The `extract_field` and `decode_jwt_payload` functions pass decoded JWT payload data directly into `python3` and `node` command-line strings without sanitization, which could allow arbitrary code execution if a user is provided with a specially crafted license key. While this appears to be an unintentional implementation flaw rather than intentional malice, it represents a high-risk vulnerability.
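The flaw described above is a data-to-code boundary problem: claim values from an untrusted token were spliced into an interpreter's command line. The defensive shape is to decode the payload with a parser, keep every claim as a typed value, compare it against an allowlist, and verify the signature whenever a secret is configured. The block below is an added illustration written in Python rather than the skill's bash; it is not `scripts/license.sh` (which the listing describes but does not reproduce). The claim names `tier` and `exp`, the token layout, the secret and the sample tokens are assumptions constructed for this example.

```python
"""Added example, not the skill's scripts/license.sh: a license-token reader that
treats the decoded JWT payload purely as data.  Claim names ("tier", "exp"), the
token layout and the demo secret are assumptions made for this illustration."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

VALID_TIERS = ("free", "pro", "team", "enterprise")  # tier names from the README


def b64url_decode(segment: str) -> bytes:
    """Base64url decode, restoring the padding that JWT segments drop."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jwt_payload(token: str) -> dict:
    """Return the payload claims as a dict; the bytes are parsed, never executed."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must be header.payload.signature")
    payload = json.loads(b64url_decode(parts[1]))
    if not isinstance(payload, dict):
        raise ValueError("payload is not a JSON object")
    return payload


def extract_field(payload: dict, name: str) -> str:
    """Pull one string claim; anything else is a validation error, not input to a command."""
    value = payload.get(name)
    if not isinstance(value, str):
        raise ValueError(f"claim {name!r} missing or not a string")
    return value


def verify_hs256(token: str, secret: bytes) -> bool:
    """Check the HS256 signature; 'none' and every other alg are rejected."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        return False
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))


def license_tier(token: str, secret: Optional[bytes] = None, now: Optional[float] = None) -> str:
    """Validate a token and return its tier.

    Mirrors the documented behaviour: with no secret configured the signature is not
    checked (the listing notes this), so the tier is then only as trustworthy as the
    token's source.  Claims are compared as Python strings and never interpolated.
    """
    if secret is not None and not verify_hs256(token, secret):
        raise ValueError("bad signature")
    payload = decode_jwt_payload(token)
    tier = extract_field(payload, "tier")
    if tier not in VALID_TIERS:          # allowlist: unexpected characters simply fail to match
        raise ValueError("unknown tier")
    exp = payload.get("exp")
    current = time.time() if now is None else now
    if isinstance(exp, (int, float)) and current > exp:
        raise ValueError("license expired")
    return tier


def tier_or_none(token: str, secret: Optional[bytes] = None, now: Optional[float] = None) -> Optional[str]:
    """Convenience wrapper for callers that only need pass/fail."""
    try:
        return license_tier(token, secret, now)
    except ValueError:
        return None


def make_token(payload: dict, secret: bytes) -> str:
    """Mint an HS256 token for the constructed samples below (test fixture only)."""
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"


if __name__ == "__main__":
    SECRET = b"constructed-demo-secret"  # stands in for CLAWHUB_JWT_SECRET
    good = make_token({"tier": "pro", "exp": 2_000_000_000}, SECRET)
    odd = make_token({"tier": 'pro"', "exp": 2_000_000_000}, SECRET)   # claim containing a quote
    print(tier_or_none(good, SECRET, now=1_700_000_000))           # pro
    print(tier_or_none(good, b"wrong-secret", now=1_700_000_000))  # None
    print(tier_or_none(odd, SECRET, now=1_700_000_000))            # None: not on the allowlist
```

The point to carry back to the bash original is the last function: a claim value containing quotes, semicolons or anything else is just a string that fails the allowlist, because no step of the flow builds a command line from it. If a shell script must hand the payload to `python3` or `node`, pass it on stdin or as a separate argv element and parse it there, rather than interpolating it into the `-c`/`-e` program text.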
Capability Tags
crypto, requires-wallet, requires-sensitive-credentials
Capability Assessment
Purpose & Capability
Name/description match the code: scripts perform local pattern-based scanning of Dockerfiles/compose/etc. Required binaries (git, bash, python3, jq) and the lefthook install are reasonable for file discovery, .gitignore checks, JSON parsing, and git-hook integration. Declaring a license key (CONTAINERLINT_LICENSE_KEY) as primary is consistent with the documented tiered feature gating.
Instruction Scope
Runtime instructions call the included dispatcher/analyzer/patterns scripts and perform local file scanning only. The skill reads ~/.openclaw/openclaw.json (if present) or the CONTAINERLINT_LICENSE_KEY env var to obtain a license; it uses local tools (python3/node/jq/openssl) to parse and optionally verify tokens. It also offers commands to install lefthook git hooks that will run pre-commit/pre-push and source the shipped scripts — this modifies repo-level lefthook.yml and will execute the skill code on commits/pushes, which is expected behavior but intrusive if unreviewed.
Install Mechanism
Install spec only asks to install the well-known 'lefthook' formula via brew. No arbitrary downloads or extract operations are present in the provided install metadata or code files. The scripts and config are bundled with the skill.
Credentials
Asking for a license key (CONTAINERLINT_LICENSE_KEY) is proportional to the tiered feature model. The license module optionally uses CLAWHUB_JWT_SECRET for signature verification and will try to read ~/.openclaw/openclaw.json to find a key; those behaviors are documented in the scripts but CLAWHUB_JWT_SECRET is not declared in requires.env. The scripts otherwise use common env vars (HOME, optional CONTAINERLINT_SKILL_DIR) and do not request unrelated credentials.
Persistence & Privilege
always:false and model invocation allowed by default. The notable persistent action is the optional lefthook/git-hook installation which writes or appends a lefthook.yml in a repository and causes the skill scripts to run on pre-commit/pre-push. This is a legitimate feature for a linter but is a persistence/privilege surface the user should review before enabling (it executes code from the skill on git operations).
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install containerlint
  3. After installation, invoke the skill by name or use /containerlint
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
Fix: declare all deps, JWT verification, configPaths
Metadata
Slug containerlint
Version 1.0.1
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is containerlint?

Docker & container security anti-pattern analyzer -- detects Dockerfile issues, missing health checks, resource limit gaps, privileged containers, insecure n... It is an AI Agent Skill for Claude Code / OpenClaw, with 81 downloads so far.

How do I install containerlint?

Run "/install containerlint" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is containerlint free?

Yes, containerlint is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does containerlint support?

containerlint is cross-platform and runs anywhere OpenClaw / Claude Code is available (darwin, linux, win32).

Who created containerlint?

It is built and maintained by suhteevah (@suhteevah); the current version is v1.0.1.
