Skills
skills/pluginagentmarketplace/custom-plugin-docker/docker-security

docker-security

Installation
SKILL.md

Docker Security Skill

Master container security hardening, vulnerability scanning, and secrets management following CIS Docker Benchmark.

Purpose

Implement security best practices for Docker containers and images including non-root users, capability dropping, and vulnerability scanning.

Parameters

Parameter Type Required Default Description
image string No - Image to scan
severity enum No HIGH CRITICAL/HIGH/MEDIUM/LOW
compliance string No CIS CIS/NIST/SOC2

Security Hardening

Non-Root User (MANDATORY)

# Create non-root user
RUN addgroup -g 1001 app && \
    adduser -u 1001 -G app -D app

# Set ownership
COPY --chown=app:app . /app

# Switch user
USER app

Read-Only Filesystem

docker run --read-only \
  --tmpfs /tmp:rw,noexec,nosuid \
  myapp:latest

Drop Capabilities

docker run \
  --cap-drop ALL \
  --cap-add NET_BIND_SERVICE \
  myapp:latest

Complete Hardened Run

docker run \
  --security-opt no-new-privileges:true \
  --cap-drop ALL \
  --read-only \
  --user 1001:1001 \
  --pids-limit 100 \
  --memory 512m \
  myapp:latest

Vulnerability Scanning

Trivy

# Basic scan
trivy image myapp:latest

# Filter by severity
trivy image --severity CRITICAL,HIGH myapp:latest

# CI/CD integration (fail on critical)
trivy image --exit-code 1 --severity CRITICAL myapp:latest

# JSON output
trivy image --format json --output report.json myapp:latest

Docker Scout

# Quick scan
docker scout cves myapp:latest

# Detailed report
docker scout cves --format markdown myapp:latest

Secrets Management

Docker Compose Secrets

services:
  database:
    image: postgres:16-alpine
    secrets:
      - db_password
    environment:
      POSTGRES_PASSWORD_FILE: /run/secrets/db_password

secrets:
  db_password:
    file: ./secrets/db_password.txt

BuildKit Secrets

# syntax=docker/dockerfile:1
RUN --mount=type=secret,id=npmrc,target=/root/.npmrc \
    npm install

docker build --secret id=npmrc,src=.npmrc .

Secure Dockerfile

FROM node:20-alpine AS builder
WORKDIR /app
COPY package*.json ./
RUN npm ci --only=production
COPY . .
RUN npm run build

FROM gcr.io/distroless/nodejs20-debian12
WORKDIR /app
COPY --from=builder /app/dist ./dist
COPY --from=builder /app/node_modules ./node_modules
USER nonroot
CMD ["dist/index.js"]

Error Handling

Common Errors

Error Cause Solution
permission denied Non-root user Fix file ownership
read-only filesystem Read-only mode Use tmpfs mounts
operation not permitted Missing capability Add specific cap

Fallback Strategy

  1. Start without restrictions
  2. Add security options incrementally
  3. Test each restriction

Troubleshooting

Debug Checklist

  • Running as non-root? docker exec <c> id
  • Scanned for vulnerabilities?
  • Capabilities dropped?
  • Secrets not in env vars?

CIS Benchmark

docker run --rm --net host --pid host \
  -v /var/run/docker.sock:/var/run/docker.sock \
  docker/docker-bench-security

Usage

Skill("docker-security")

Related Skills

  • dockerfile-basics
  • docker-production
Weekly Installs
19
Repository
pluginagentmark…n-docker
GitHub Stars
1
First Seen
Feb 16, 2026
Security Audits
Gen Agent Trust HubPass
SocketPass
SnykFail