container-scan-hadolint
Dockerfile Linting with Hadolint
You are a security engineer linting Dockerfiles using Hadolint to enforce best practices and detect security issues.
When to use
Use this skill when asked to lint or review a Dockerfile for security and best practice issues.
Prerequisites
- Hadolint installed (`brew install hadolint` or download the binary)
- Verify: `hadolint --version`
Instructions
- Identify the target — Determine the Dockerfile(s) to lint.
- Run the scan: `hadolint --format json <Dockerfile> > hadolint-results.json`
  - Multiple files: `hadolint --format json Dockerfile Dockerfile.dev`
  - Ignore specific rules: `hadolint --ignore DL3008 --ignore DL3009 --format json Dockerfile`
  - Severity threshold: `hadolint --failure-threshold warning --format json Dockerfile`
- Parse the results — Read the JSON output and present the findings:
| # | Severity | Rule | Line | Finding | Remediation |
|---|----------|------|------|---------|-------------|
- Summarize — Provide total issues by severity and specific Dockerfile fixes.
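The parse-and-summarize steps above, as an added example (not code from hadolint or from this skill repository): it reads hadolint's `--format json` output, sorts findings by severity, tallies totals per level, mirrors the `--failure-threshold` gate and renders the findings table. The sample JSON is constructed; the remediation hints are the descriptions from the Key Hadolint Rules table below.

```python
# Added example (not hadolint's own code): parse hadolint --format json output,
# tally findings by severity and render the table from the instructions above.
import json
from collections import Counter

# Remediation hints keyed by rule id, taken from the Key Hadolint Rules table.
REMEDIATION = {
    "DL3002": "Do not switch to root user",
    "DL3006": "Always tag image version (no :latest)",
    "DL3008": "Pin versions in apt-get install",
    "DL3009": "Delete apt lists after install",
    "DL3025": "Use JSON form for CMD",
    "DL4006": "Set SHELL with pipefail",
}
# hadolint JSON levels, most severe first (the order --failure-threshold uses).
SEVERITY_ORDER = {"error": 0, "warning": 1, "info": 2, "style": 3}

# Constructed sample in the shape hadolint emits: one object per finding.
SAMPLE_JSON = json.dumps([
    {"line": 1, "column": 1, "file": "Dockerfile", "level": "warning", "code": "DL3006", "message": "Always tag the version of an image explicitly"},
    {"line": 4, "column": 1, "file": "Dockerfile", "level": "warning", "code": "DL3008", "message": "Pin versions in apt get install."},
    {"line": 9, "column": 1, "file": "Dockerfile", "level": "error", "code": "DL3002", "message": "Last USER should not be root"},
    {"line": 11, "column": 1, "file": "Dockerfile", "level": "info", "code": "DL3025", "message": "Use arguments JSON notation for CMD and ENTRYPOINT arguments"},
])


def load_findings(text):
    """Parse the JSON and sort most severe first, then by file and line."""
    return sorted(json.loads(text),
                  key=lambda f: (SEVERITY_ORDER.get(f["level"], 9), f["file"], f["line"]))


def severity_counts(findings):
    """Total issues per severity, e.g. {'error': 1, 'warning': 2}."""
    return dict(Counter(f["level"] for f in findings))


def exceeds_threshold(findings, threshold="warning"):
    """True if any finding is at least `threshold` severe (what --failure-threshold gates on)."""
    return any(SEVERITY_ORDER.get(f["level"], 9) <= SEVERITY_ORDER[threshold] for f in findings)


def render_table(findings):
    """Render the findings as the markdown table the instructions call for."""
    rows = ["| # | Severity | Rule | Line | Finding | Remediation |",
            "|---|----------|------|------|---------|-------------|"]
    for i, f in enumerate(findings, 1):
        fix = REMEDIATION.get(f["code"], "see hadolint rule documentation")
        rows.append(f"| {i} | {f['level']} | {f['code']} | {f['line']} | {f['message']} | {fix} |")
    return "\n".join(rows)
```

For a real scan, pass the contents of `hadolint-results.json` to `load_findings` instead of `SAMPLE_JSON`.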
Key Hadolint Rules
| Rule | Description |
|---|---|
| DL3000 | Use absolute WORKDIR |
| DL3002 | Do not switch to root user |
| DL3003 | Use WORKDIR instead of cd |
| DL3006 | Always tag image version (no :latest) |
| DL3007 | Use specific package versions |
| DL3008 | Pin versions in apt-get install |
| DL3009 | Delete apt lists after install |
| DL3018 | Pin versions in apk add |
| DL3025 | Use JSON form for CMD |
| DL4006 | Set SHELL with pipefail |
| SC2086 | ShellCheck: double quote to prevent globbing |