Dockerfile Hardener

A security auditor that identifies Docker vulnerabilities, scores configurations, and generates hardened replacements.

Install
cmdop skills install agensi-dockerfile-hardener

Dockerfile Hardener is a skill that performs security audits on Dockerfile configurations, scanning for vulnerabilities, anti-patterns, and compliance issues across image selection, layer structure, secret handling, and runtime hardening parameters.

When an agent runs this skill against a Dockerfile, it produces a Security Audit Report listing findings from CRITICAL to LOW severity, each with line numbers and specific remediation steps. The skill also assigns a Hardening Score — a letter grade from A to F derived from a 100-point assessment — so the severity of the overall configuration is immediately clear. Beyond reporting, it outputs a fully refactored Dockerfile that applies multi-stage builds, non-root user settings, and BuildKit optimizations. Ready-to-use CI/CD configuration snippets for GitHub Actions and GitLab CI are also generated.

The skill follows OCI standards and works with standard Dockerfiles and OCI-compliant images. It integrates with linters such as Hadolint and covers ecosystems including Node.js, Python, Go, and Java using Alpine, Distroless, and Debian-slim base images.

This skill is appropriate when Dockerfile security review is part of a development or deployment workflow and the goal is to catch issues like unpinned dependencies, SUID binaries, or cache-busting anti-patterns that generic prompting tends to miss. It is not a runtime container scanner and does not inspect running containers or image layers already built and deployed.

Use cases

  • Audit a Dockerfile before merging a pull request to catch CRITICAL and HIGH severity findings
  • Generate a hardened, production-ready replacement Dockerfile using multi-stage builds and non-root users
  • Score an existing Dockerfile on a 100-point scale to prioritize remediation work
  • Obtain ready-to-paste GitHub Actions or GitLab CI snippets for container security checks
  • Identify unpinned base image dependencies or improperly handled build secrets in a Dockerfile
  • Evaluate Alpine, Distroless, or Debian-slim base image choices for Node.js, Python, Go, or Java projects

When to use it

  • Dockerfile security review is required before production deployment
  • A team needs a scored, line-by-line audit report rather than generic linting output
  • The goal is to produce a refactored Dockerfile automatically rather than manually apply fixes
  • CI/CD pipeline hardening snippets for GitHub Actions or GitLab CI are needed alongside the audit

When not to use it

  • The task requires scanning already-built and running containers rather than Dockerfile source
  • Image vulnerability scanning against a CVE database is needed — this skill audits configuration, not CVEs
  • Non-Docker container formats outside OCI standards are in use
  • The workflow requires integration with container registries or orchestration platforms like Kubernetes