← 返回 Skills 市场

Dockerfile Hardening Audit

Name: Dockerfile Hardening Audit
Author: daniellummis

作者 Daniel Lummis · GitHub ↗ · v1.0.0

cross-platform ✓ 安全检测通过

266

总下载

当前安装

版本数

在 OpenClaw 中安装

/install dockerfile-hardening-audit

功能描述

Statically audit Dockerfiles for common container hardening risks (root user, unpinned/latest base images, missing healthchecks, and risky build patterns).

使用说明 (SKILL.md)

Dockerfile Hardening Audit

Use this skill to statically audit Dockerfiles before insecure container defaults land in production.

What this skill does

Scans Dockerfiles and scores hardening risk per file
Flags missing non-root USER declarations
Flags base images using floating tags (:latest, :main, :master, :edge) or no tag/digest
Flags missing HEALTHCHECK
Flags ADD instructions (when COPY is safer/clearer)
Flags curl|bash/wget|sh style remote script execution
Supports include/exclude regex filters and fail-gate mode

Inputs

Optional:

DOCKERFILE_GLOB (default: **/Dockerfile*)
TOP_N (default: 20)
OUTPUT_FORMAT (text or json, default: text)
WARN_SCORE (default: 3)
CRITICAL_SCORE (default: 6)
REQUIRE_NON_ROOT_USER (0/1, default: 1)
REQUIRE_HEALTHCHECK (0/1, default: 1)
FLAG_FLOATING_TAGS (0/1, default: 1)
FLAG_UNPINNED_IMAGES (0/1, default: 1)
FLAG_ADD_INSTRUCTIONS (0/1, default: 1)
FLAG_REMOTE_SCRIPT_PIPE (0/1, default: 1)
FILE_MATCH (regex include filter on Dockerfile path, optional)
FILE_EXCLUDE (regex exclude filter on Dockerfile path, optional)
FAIL_ON_CRITICAL (0 or 1, default: 0)

Run

Text report:

DOCKERFILE_GLOB='**/Dockerfile*' \
bash skills/dockerfile-hardening-audit/scripts/dockerfile-hardening-audit.sh

JSON output + fail gate:

DOCKERFILE_GLOB='**/Dockerfile*' \
OUTPUT_FORMAT=json \
FAIL_ON_CRITICAL=1 \
bash skills/dockerfile-hardening-audit/scripts/dockerfile-hardening-audit.sh

Run against bundled fixtures:

DOCKERFILE_GLOB='skills/dockerfile-hardening-audit/fixtures/*Dockerfile*' \
bash skills/dockerfile-hardening-audit/scripts/dockerfile-hardening-audit.sh

Output contract

Exit 0 in report mode (default)
Exit 1 when FAIL_ON_CRITICAL=1 and one or more Dockerfiles are critical
Text mode prints summary + ranked Dockerfile risks
JSON mode prints summary + ranked Dockerfiles + critical Dockerfiles

安全使用建议

This skill appears coherent and low-risk for its stated purpose. Before running: (1) review/limit DOCKERFILE_GLOB (or set FILE_MATCH/FILE_EXCLUDE) so you only scan intended repositories/paths, (2) remember it is a static scanner — it looks for text patterns and can produce false positives/negatives (especially for complex multi-stage FROM lines or obfuscated remote fetches), and (3) you can safely inspect the bundled script (skills/dockerfile-hardening-audit/scripts/dockerfile-hardening-audit.sh) yourself to confirm no unexpected behavior. No network calls or secret exfiltration were found.

功能分析

Type: OpenClaw Skill Name: dockerfile-hardening-audit Version: 1.0.0 The skill is a legitimate static analysis tool designed to audit Dockerfiles for security hardening risks such as root user usage, unpinned base images, and risky build patterns. The core logic is contained in a Python script within `scripts/dockerfile-hardening-audit.sh` that parses file contents using regular expressions and generates a risk score. No evidence of data exfiltration, malicious execution, or prompt injection was found.

能力评估

✓ Purpose & Capability

The name/description (Dockerfile hardening audit) matches the included script and SKILL.md. The required binaries (bash, python3) are exactly what's needed to run the provided shell+Python script. No unrelated credentials, config paths, or binaries are requested.

✓ Instruction Scope

The SKILL.md instructs the agent to run the bundled script which performs static text analysis of Dockerfile paths matched by DOCKERFILE_GLOB. The script reads files from disk only (no network calls), uses regex checks to flag patterns (user, FROM tags, HEALTHCHECK, ADD, remote script pipes), and does not execute code from the Dockerfiles. Inputs are explicit and limited to the documented env-vars.

✓ Install Mechanism

There is no install spec or remote download; the script is bundled in the skill. This is low risk because nothing is fetched from external URLs or written to unusual locations during install.

✓ Credentials

No secrets or external service credentials are requested. The skill accepts a number of optional environment flags to control scanning behavior (glob, thresholds, toggles) which are proportionate to the task.

✓ Persistence & Privilege

always is false and the skill does not modify agent/system configuration or other skills. It runs on-demand and does not require persistent presence or elevated privileges.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install dockerfile-hardening-audit
安装完成后，直接呼叫该 Skill 的名称或使用 /dockerfile-hardening-audit 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.0

Initial release: static Dockerfile hardening risk audit with text/json output, regex filters, and fail gate.

元数据

Slug dockerfile-hardening-audit

版本 1.0.0

许可证 —

累计安装 0

当前安装数 0

历史版本数 1

常见问题