Docker Compose Linter

Enforce security, reliability, and deployment best practices for Docker Compose files.

Install
cmdop skills install agensi-docker-compose-linter

Docker Compose Linter is a skill that scans docker-compose.yml and compose.yaml files for misconfigurations that can lead to security vulnerabilities, performance bottlenecks, and deployment failures. It runs a 14-point quality gate that goes beyond basic YAML syntax validation.

On the security side, the skill detects hardcoded secrets, privileged mode usage, dangerous Linux capabilities, and exposed database ports. For reliability, it checks that healthchecks are defined, restart policies are set, and resource limits are present to prevent host exhaustion. Architecturally, it flags backend services that are not isolated to internal networks and images that use floating tags such as :latest rather than pinned versions. It also identifies deprecated version fields and recommends service_healthy dependency conditions in line with current Docker Compose standards.

The output is a categorized report using CRITICAL, WARNING, and PASS indicators. Each finding includes a line-specific location in the file and a clear remediation step, so the agent or developer can act on results without further investigation.

This skill is most useful when Compose files are part of a CI pipeline review, a pre-deployment gate, or an infrastructure-as-code audit workflow. It is not a runtime monitoring tool and does not interact with a running Docker daemon or deployed containers.

Use cases

  • Audit a docker-compose.yml before merging a pull request to catch security regressions
  • Detect hardcoded secrets or exposed database ports in a Compose file during CI
  • Verify that all services define healthchecks and restart policies before a production deployment
  • Check that image tags are pinned to specific versions rather than :latest across a multi-service stack
  • Flag deprecated version fields and missing service_healthy dependency conditions in legacy Compose files
  • Enforce resource limits on all services to prevent a single container from exhausting host resources

When to use it

  • Reviewing Compose files as part of a CI/CD pipeline quality gate
  • Performing an infrastructure-as-code security audit on Docker-based projects
  • Onboarding a new Compose file from an external contributor or third-party vendor
  • Migrating a legacy Compose file to modern standards

When not to use it

  • Monitoring or inspecting containers that are already running — the skill only analyzes static Compose files
  • Validating Kubernetes manifests, Helm charts, or other non-Compose container orchestration formats
  • Enforcing runtime security policies on a live Docker host
  • Projects not using Docker Compose at all