Dockerfile Hardening Audit

v1.0.0

Statically audit Dockerfiles for common container hardening risks (root user, unpinned/latest base images, missing healthchecks, and risky build patterns).

by Daniel Lummis (@daniellummis)

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for daniellummis/dockerfile-hardening-audit.

Prompt preview (Install & Setup):
Install the skill "Dockerfile Hardening Audit" (daniellummis/dockerfile-hardening-audit) from ClawHub.
Skill page: https://clawhub.ai/daniellummis/dockerfile-hardening-audit
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required binaries: bash, python3
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install daniellummis/dockerfile-hardening-audit

ClawHub CLI

npx clawhub@latest install dockerfile-hardening-audit

Security Scan

VirusTotal: Benign

OpenClaw: Benign (high confidence)

Purpose & Capability

The name/description (Dockerfile hardening audit) matches the included script and SKILL.md. The required binaries (bash, python3) are exactly what's needed to run the provided shell+Python script. No unrelated credentials, config paths, or binaries are requested.

Instruction Scope

The SKILL.md instructs the agent to run the bundled script, which performs static text analysis of Dockerfile paths matched by DOCKERFILE_GLOB. The script reads files from disk only (no network calls), uses regex checks to flag patterns (user, FROM tags, HEALTHCHECK, ADD, remote script pipes), and does not execute code from the Dockerfiles. Inputs are explicit and limited to the documented env-vars.

Install Mechanism

There is no install spec or remote download; the script is bundled in the skill. This is low risk because nothing is fetched from external URLs or written to unusual locations during install.

Credentials

No secrets or external service credentials are requested. The skill accepts a number of optional environment flags to control scanning behavior (glob, thresholds, toggles), which are proportionate to the task.

Persistence & Privilege

always is false and the skill does not modify agent/system configuration or other skills. It runs on-demand and does not require persistent presence or elevated privileges.

Assessment

This skill appears coherent and low-risk for its stated purpose. Before running: (1) review/limit DOCKERFILE_GLOB (or set FILE_MATCH/FILE_EXCLUDE) so you only scan intended repositories/paths, (2) remember it is a static scanner — it looks for text patterns and can produce false positives/negatives (especially for complex multi-stage FROM lines or obfuscated remote fetches), and (3) you can safely inspect the bundled script (skills/dockerfile-hardening-audit/scripts/dockerfile-hardening-audit.sh) yourself to confirm no unexpected behavior. No network calls or secret exfiltration were found.


Runtime requirements

Bins: bash, python3
Latest version id: vk97c8hf4yewmehdp2vshjf95kn82gq1w
264 downloads
0 stars
1 version
Updated 1mo ago
v1.0.0
License: MIT-0

Dockerfile Hardening Audit

Use this skill to statically audit Dockerfiles before insecure container defaults land in production.

What this skill does

  • Scans Dockerfiles and scores hardening risk per file
  • Flags missing non-root USER declarations
  • Flags base images using floating tags (:latest, :main, :master, :edge) or no tag/digest
  • Flags missing HEALTHCHECK
  • Flags ADD instructions (when COPY is safer/clearer)
  • Flags curl|bash/wget|sh style remote script execution
  • Supports include/exclude regex filters and fail-gate mode

Inputs

Optional:

  • DOCKERFILE_GLOB (default: **/Dockerfile*)
  • TOP_N (default: 20)
  • OUTPUT_FORMAT (text or json, default: text)
  • WARN_SCORE (default: 3)
  • CRITICAL_SCORE (default: 6)
  • REQUIRE_NON_ROOT_USER (0/1, default: 1)
  • REQUIRE_HEALTHCHECK (0/1, default: 1)
  • FLAG_FLOATING_TAGS (0/1, default: 1)
  • FLAG_UNPINNED_IMAGES (0/1, default: 1)
  • FLAG_ADD_INSTRUCTIONS (0/1, default: 1)
  • FLAG_REMOTE_SCRIPT_PIPE (0/1, default: 1)
  • FILE_MATCH (regex include filter on Dockerfile path, optional)
  • FILE_EXCLUDE (regex exclude filter on Dockerfile path, optional)
  • FAIL_ON_CRITICAL (0 or 1, default: 0)

Run

Text report:

DOCKERFILE_GLOB='**/Dockerfile*' \
bash skills/dockerfile-hardening-audit/scripts/dockerfile-hardening-audit.sh

JSON output + fail gate:

DOCKERFILE_GLOB='**/Dockerfile*' \
OUTPUT_FORMAT=json \
FAIL_ON_CRITICAL=1 \
bash skills/dockerfile-hardening-audit/scripts/dockerfile-hardening-audit.sh

Run against bundled fixtures:

DOCKERFILE_GLOB='skills/dockerfile-hardening-audit/fixtures/*Dockerfile*' \
bash skills/dockerfile-hardening-audit/scripts/dockerfile-hardening-audit.sh

Output contract

  • Exit 0 in report mode (default)
  • Exit 1 when FAIL_ON_CRITICAL=1 and one or more Dockerfiles are critical
  • Text mode prints summary + ranked Dockerfile risks
  • JSON mode prints summary + ranked Dockerfiles + critical Dockerfiles
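The following Python module is an added example, not the skill's bundled script (which the page does not reproduce). It implements the same family of static checks listed under "What this skill does" (non-root USER, floating or missing tags, HEALTHCHECK, ADD, remote script pipes), applies the WARN_SCORE / CRITICAL_SCORE / TOP_N / FAIL_ON_CRITICAL semantics described under Inputs and Output contract, and runs them on two constructed fixture Dockerfiles. The per-finding weights, the function names, the fixtures and the placeholder digest are all assumptions made for illustration.

```python
# Added example: a minimal static Dockerfile hardening checker. Not the skill's own
# script; weights, names and fixtures are assumptions/constructed for illustration.
import glob
import json
import os
import re
import sys

FLOATING_TAGS = {"latest", "main", "master", "edge"}

# Assumed per-finding weights; the page does not state the skill's own scoring.
WEIGHTS = {
    "no-non-root-user": 3,
    "remote-script-pipe": 3,
    "floating-tag": 2,
    "unpinned-image": 2,
    "missing-healthcheck": 1,
    "add-instruction": 1,
}

# curl/wget output piped into a shell (optionally via sudo), e.g. "curl ... | bash"
REMOTE_PIPE = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z|da)?sh\b")


def logical_lines(text):
    """Join backslash-continued lines and drop blank lines and comments."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not buf and (not line or line.startswith("#")):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        out.append((buf + line).strip())
        buf = ""
    if buf:
        out.append(buf.strip())
    return out


def image_findings(ref):
    """Classify a FROM reference: digest-pinned or fixed tag (ok), floating tag, or no tag."""
    if "@sha256:" in ref:
        return []
    name = ref.rsplit("/", 1)[-1]  # ignore a registry host:port such as localhost:5000/
    if ":" in name:
        tag = name.split(":", 1)[1].lower()
        return ["floating-tag"] if tag in FLOATING_TAGS else []
    return ["unpinned-image"]


def audit_dockerfile(text, warn_score=3, critical_score=6):
    """Return score, level and (finding, evidence) pairs for one Dockerfile."""
    findings, aliases = [], set()
    user, healthcheck = None, False
    for line in logical_lines(text):
        parts = line.split(None, 1)
        instr, args = parts[0].upper(), (parts[1] if len(parts) > 1 else "")
        if instr == "FROM":
            tokens = [t for t in args.split() if not t.startswith("--")]  # skip --platform=...
            ref = tokens[0]
            if ref.lower() not in aliases and ref.lower() != "scratch":
                findings += [(f, line) for f in image_findings(ref)]
            if len(tokens) >= 3 and tokens[1].upper() == "AS":
                aliases.add(tokens[2].lower())
            # Simplification: each stage starts with a fresh config and only the final
            # stage ships, so USER/HEALTHCHECK from earlier stages are not carried over.
            user, healthcheck = None, False
        elif instr == "USER":
            user = args.strip()
        elif instr == "HEALTHCHECK":
            healthcheck = True
        elif instr == "ADD":
            findings.append(("add-instruction", line))
        elif instr == "RUN" and REMOTE_PIPE.search(args):
            findings.append(("remote-script-pipe", line))
    if user is None or user.split(":")[0] in ("root", "0"):
        findings.append(("no-non-root-user", "final stage"))
    if not healthcheck:
        findings.append(("missing-healthcheck", "final stage"))
    score = sum(WEIGHTS[f] for f, _ in findings)
    level = "critical" if score >= critical_score else "warn" if score >= warn_score else "ok"
    return {"score": score, "level": level, "findings": findings}


def audit_files(files, fail_on_critical=False, top_n=20, **thresholds):
    """Rank Dockerfiles by score; exit code is 1 only with the fail gate and a critical file."""
    ranked = sorted(({"file": p, **audit_dockerfile(t, **thresholds)} for p, t in files.items()),
                    key=lambda r: r["score"], reverse=True)
    critical = [r["file"] for r in ranked if r["level"] == "critical"]
    summary = {"scanned": len(ranked), "critical": len(critical),
               "warn": sum(r["level"] == "warn" for r in ranked)}
    return {"summary": summary, "ranked": ranked[:top_n], "critical": critical,
            "exit_code": 1 if fail_on_critical and critical else 0}


# Constructed fixtures (not the skill's bundled ones); the sha256 digest is a placeholder.
RISKY = """\
FROM node:latest
RUN curl -fsSL https://example.invalid/setup.sh | bash
ADD app.tar.gz /app
CMD ["node", "/app/server.js"]
"""

HARDENED = """\
FROM node:20-alpine AS build
WORKDIR /app
COPY package.json .
RUN npm ci

FROM node:20-alpine@sha256:0000000000000000000000000000000000000000000000000000000000000000
COPY --from=build /app /app
HEALTHCHECK --interval=30s CMD node /app/healthcheck.js
USER node
CMD ["node", "/app/server.js"]
"""

if __name__ == "__main__":
    pattern = os.environ.get("DOCKERFILE_GLOB")  # same env-var names as the skill
    if pattern:
        files = {p: open(p).read() for p in glob.glob(pattern, recursive=True) if os.path.isfile(p)}
    else:
        files = {"fixtures/risky.Dockerfile": RISKY, "fixtures/hardened.Dockerfile": HARDENED}
    result = audit_files(files, fail_on_critical=os.environ.get("FAIL_ON_CRITICAL") == "1")
    print(json.dumps(result, indent=2))
    sys.exit(result["exit_code"])
```

Run without arguments to see the two fixtures scored (the risky one lands at critical, the hardened one at ok), or set DOCKERFILE_GLOB and FAIL_ON_CRITICAL=1 to scan real files with the same exit-code contract as the skill. Like the skill, this is a text-pattern scanner: a multi-stage build whose final stage inherits USER from an aliased stage will be reported as a false positive, which is the caveat the assessment above raises.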
