
Docker Security


Audit and fix Dockerfile security issues


You are a Docker security engineer. The user wants to audit and fix security issues in their Dockerfile.

What to check first

  • Run docker --version to confirm Docker is installed
  • Check if a Dockerfile exists in the current directory with ls -la Dockerfile
  • Run docker scan --help to verify Docker Scout/scan capabilities are available

Steps

  1. Run docker scan [IMAGE_NAME] or docker scout cves [IMAGE] to identify vulnerabilities in your built image
  2. Audit the Dockerfile with hadolint Dockerfile (install via brew install hadolint or apt-get install hadolint) to catch security anti-patterns
  3. Check for hardcoded secrets using git secrets --scan or truffleHog filesystem . --json before building
  4. Add a non-root user instead of running as root — use RUN useradd -m -u 1000 appuser && chown -R appuser:appuser /app
  5. Use specific base image tags (never latest) and prefer distroless or alpine images for smaller attack surface
  6. Remove unnecessary tools — add RUN apt-get remove -y apt curl wget to strip out package managers post-install
  7. Use multi-stage builds to exclude build dependencies from final image; separate builder stage from runtime stage
  8. Scan the built image with trivy image [IMAGE_NAME] for detailed CVE reporting and severity levels
  9. Add a HEALTHCHECK instruction and run the container with the --read-only flag so its root filesystem cannot be modified at runtime
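
Before building or scanning anything, several of the anti-patterns targeted by the steps above (floating or missing base tags, running as root, no HEALTHCHECK, secret-looking ENV/ARG values) can be caught statically. The script below is an added example, not part of this skill or its GitHub repo; the function names audit_dockerfile and count_findings are my own, the two sample Dockerfiles are constructed for the demo, and the secret-name match is a heuristic that complements, not replaces, the truffleHog/git-secrets step.

```shell
#!/bin/bash
# Static Dockerfile audit for anti-patterns from the steps above: floating base tags,
# running as root, missing HEALTHCHECK, secret-looking ENV/ARG values. Prints one
# FINDING line per issue; the exit status is the number of findings (0 = clean).
audit_dockerfile() {
  awk '
    function flag(msg) { print "FINDING: " msg; count++ }
    BEGIN { count = 0 }
    /\\[ \t]*$/ { sub(/\\[ \t]*$/, " "); buf = buf $0; next }  # join backslash continuations
    {
      line = buf $0; buf = ""; sub(/^[ \t]+/, "", line)
      if (line == "" || line ~ /^#/) next
      split(line, w, /[ \t]+/); instr = toupper(w[1])
      if (instr == "FROM") {
        i = 2; while (w[i] ~ /^--/) i++                    # skip flags such as --platform=
        img = w[i]
        if (toupper(w[i + 1]) == "AS") stage[w[i + 2]] = 1
        if (img == "scratch" || img in stage) next         # not a registry pull
        if (img ~ /:latest$/) { flag("FROM " img ": :latest floats between builds")
        } else if (img !~ /[:@]/) { flag("FROM " img ": no tag or digest, resolves to :latest") }
      } else if (instr == "USER") {
        lastuser = w[2]
      } else if (instr == "HEALTHCHECK") {
        healthcheck = 1
      } else if ((instr == "ENV" || instr == "ARG") && line ~ /(PASSWORD|SECRET|TOKEN|API_KEY)[A-Z0-9_]*(=|[ \t]+)[^ \t]/) {
        flag(instr " " w[2] ": looks like a hardcoded secret (heuristic), inject it at runtime instead")
      }
    }
    END {
      if (lastuser == "") { flag("no USER instruction: the container runs as root")
      } else if (lastuser ~ /^(root|0)(:|$)/) { flag("final USER is root") }
      if (!healthcheck) flag("no HEALTHCHECK instruction")
      exit count
    }' "$1"
}
# Findings as a number on stdout, for scripting around the report.
count_findings() { audit_dockerfile "$1" | grep -c '^FINDING:' || true; }

# Constructed sample Dockerfiles (not from any real project) so the audit runs offline.
SAMPLES=$(mktemp -d); trap 'rm -rf "$SAMPLES"' EXIT
printf '%s\n' 'FROM node' 'ENV API_TOKEN=abc123' 'COPY . /app' \
  'CMD ["node", "/app/server.js"]' > "$SAMPLES/Dockerfile.weak"
printf '%s\n' 'FROM node:18-alpine AS builder' 'RUN npm ci --omit=dev && \' \
  '    npm cache clean --force' 'FROM builder' 'USER node' \
  'HEALTHCHECK CMD node healthcheck.js || exit 1' > "$SAMPLES/Dockerfile.hardened"
audit_dockerfile "$SAMPLES/Dockerfile.weak" || echo "weak: $? finding(s)"      # 4 findings
audit_dockerfile "$SAMPLES/Dockerfile.hardened" && echo "hardened: clean"
```

Run it as audit_dockerfile path/to/Dockerfile in CI and fail the job on a non-zero exit; a FROM that references an earlier stage (FROM builder) is deliberately not flagged.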

Code

# Multi-stage Dockerfile with security best practices
# Stage 1: install production dependencies only; nothing from here ships except node_modules
FROM node:18-alpine AS builder
WORKDIR /build
COPY package*.json ./
RUN npm ci --only=production && \
    npm cache clean --force

# Stage 2: minimal runtime. alpine:3.18 ships no Node runtime, so install it from the
# Alpine repos (18.x, matching the builder) alongside dumb-init, a PID 1 that forwards signals.
FROM alpine:3.18
RUN apk add --no-cache nodejs dumb-init && \
    addgroup -g 1000 appuser && \
    adduser -D -u 1000 -G appuser appuser
WORKDIR /app
COPY --from=builder --chown=appuser:appuser /build/node_modules ./node_modules
# Keep .git, local node_modules and build artefacts out of this COPY with a .dockerignore
COPY --chown=appuser:appuser . .

USER appuser
EXPOSE 3000
# Assumes the app ships a healthcheck.js that exits non-zero when the service is unhealthy
HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
    CMD node healthcheck.js || exit 1

ENTRYPOINT ["/usr/bin/dumb-init", "--"]
CMD ["node", "server.js"]

#!/bin/bash
# Security audit script
set -e

DOCKERFILE=${1:-Dockerfile}
IMAGE_NAME=${2:-myapp}

echo "=== Hadolint Security Check ==="
hadolint "$DOCKERFILE" || echo "⚠️  Linting issues found"

echo -e "\n=== Building Image ==="
docker build -t "$IMAGE_NAME:latest" -f "$DOCKERFILE" .

echo -

Note: this example was truncated in the source. See the GitHub repo for the latest full version.

Common Pitfalls

  • Treating this skill as a one-shot solution — most workflows need iteration and verification
  • Skipping the verification steps — you don't know it worked until you measure
  • Applying this skill without understanding the underlying problem — read the related docs first

When NOT to Use This Skill

  • When a simpler manual approach would take less than 10 minutes
  • On critical production systems without testing in staging first
  • When you don't have permission or authorization to make these changes

How to Verify It Worked

  • Run the verification steps documented above
  • Compare the output against your expected baseline
  • Check logs for any warnings or errors — silent failures are the worst kind

Production Considerations

  • Test in staging before deploying to production
  • Have a rollback plan — every change should be reversible
  • Monitor the affected systems for at least 24 hours after the change

Quick Info

Difficulty: intermediate
Version: 1.0.0
Author: Claude Skills Hub
Tags: docker, security, audit

Install command:

curl -o ~/.claude/skills/docker-security.md https://claude-skills-hub.vercel.app/skills/docker/docker-security.md
