Dockerfile Hardening Audit

Use this skill to statically audit Dockerfiles before insecure container defaults land in production.

What this skill does

• Scans Dockerfiles and scores hardening risk per file
• Flags missing non-root USER declarations
• Flags base images using floating tags (:latest, :main, :master, :edge) or no tag/digest
• Flags missing HEALTHCHECK
• Flags ADD instructions (when COPY is safer/clearer)
• Flags curl|bash/wget|sh style remote script execution
• Supports include/exclude regex filters and fail-gate mode

Inputs

Optional:

• DOCKERFILE_GLOB (default: */Dockerfile)
• TOP_N (default: 20)
• OUTPUT_FORMAT (text or json, default: text)
• WARN_SCORE (default: 3)
• CRITICAL_SCORE (default: 6)
• REQUIRE_NON_ROOT_USER (0/1, default: 1)
• REQUIRE_HEALTHCHECK (0/1, default: 1)
• FLAG_FLOATING_TAGS (0/1, default: 1)
• FLAG_UNPINNED_IMAGES (0/1, default: 1)
• FLAG_ADD_INSTRUCTIONS (0/1, default: 1)
• FLAG_REMOTE_SCRIPT_PIPE (0/1, default: 1)
• FILE_MATCH (regex include filter on Dockerfile path, optional)
• FILE_EXCLUDE (regex exclude filter on Dockerfile path, optional)
• FAIL_ON_CRITICAL (0 or 1, default: 0)

Run

Text report:

DOCKERFILE_GLOB='**/Dockerfile*' \
bash skills/dockerfile-hardening-audit/scripts/dockerfile-hardening-audit.sh

JSON output + fail gate:

DOCKERFILE_GLOB='**/Dockerfile*' \
OUTPUT_FORMAT=json \
FAIL_ON_CRITICAL=1 \
bash skills/dockerfile-hardening-audit/scripts/dockerfile-hardening-audit.sh

Run against bundled fixtures:

DOCKERFILE_GLOB='skills/dockerfile-hardening-audit/fixtures/*Dockerfile*' \
bash skills/dockerfile-hardening-audit/scripts/dockerfile-hardening-audit.sh

Output contract

• Exit 0 in report mode (default)
• Exit 1 when FAIL_ON_CRITICAL=1 and one or more Dockerfiles are critical
• Text mode prints summary + ranked Dockerfile risks
• JSON mode prints summary + ranked Dockerfiles + critical Dockerfiles