Docker Hardening

Professional Docker security configuration generator aligned with CIS Benchmark v1.8.0 standards.

Audits

Pass

ClawScanPass

Agentic behavior and permission review.

Static analysisPass

Pattern checks against bundled files.

VirusTotalPass

Multi-engine malware detections and file reputation.

Install

openclaw skills install toolweb-docker-hardening

Overview

The Docker Security Hardening Tool is a professional-grade API for generating CIS Benchmark-compliant Docker security configurations. It automates the creation of hardened Docker deployment manifests, security policies, and configuration files that align with industry-standard security best practices (CIS Benchmark v1.8.0).

This tool is essential for DevOps engineers, security teams, and infrastructure architects who need to rapidly deploy secure Docker environments without manual configuration. It eliminates guesswork by providing validated, benchmark-aligned configurations that can be immediately deployed to production systems.

The API provides intelligent option discovery, flexible configuration generation, and audit-ready output suitable for compliance documentation and security reviews.

Usage

Example Request:

{
  "hardeningOptions": {
    "image_security": ["scan_images", "minimal_base"],
    "runtime_security": ["read_only_root", "no_privileged"],
    "network_security": ["restrict_ports", "user_namespaces"]
  },
  "sessionId": "sess_abc123def456",
  "userId": 12847,
  "timestamp": "2025-01-15T10:30:00Z"
}

Example Response:

{
  "status": "success",
  "configurationId": "config_xyz789",
  "generatedFiles": {
    "Dockerfile.hardened": "FROM alpine:3.18\nRUN addgroup -S appgroup && adduser -S appuser -G appgroup\nUSER appuser\nRUN chmod a-w /\nRUN chmod u+w /tmp /var/tmp\nENTRYPOINT [\"app\"]\n",
    "docker-compose.hardened.yml": "version: '3.8'\nservices:\n  app:\n    image: myapp:hardened\n    read_only: true\n    security_opt:\n      - no-new-privileges:true\n    cap_drop:\n      - ALL\n    cap_add:\n      - NET_BIND_SERVICE\n    networks:\n      - internal\nnetworks:\n  internal:\n    driver: bridge\n",
    "security_policy.json": "{\n  \"version\": \"1.0\",\n  \"benchmark\": \"CIS Docker Benchmark v1.8.0\",\n  \"policies\": [\n    {\"id\": \"4.1\", \"description\": \"Ensure AppArmor Profile is Enabled\", \"status\": \"applied\"},\n    {\"id\": \"4.5\", \"description\": \"Ensure default ulimit is set appropriately\", \"status\": \"applied\"}\n  ]\n}\n"
  },
  "appliedPolicies": [
    "4.1 - AppArmor enabled",
    "4.5 - Ulimit restrictions",
    "5.1 - Read-only root filesystem",
    "5.27 - User namespace enabled"
  ],
  "complianceScore": 94,
  "recommendations": [
    "Consider implementing runtime scanning with Falco for behavioral monitoring",
    "Enable image scanning in your container registry"
  ],
  "timestamp": "2025-01-15T10:30:15Z"
}

Endpoints

GET /

Description: Health check endpoint to verify API availability.

Parameters: None

Response:

200 OK - JSON object confirming service status

POST /api/docker/hardening/generate

Description: Generate Docker security hardening configuration files based on specified options.

Parameters:

Name	Type	Required	Description
hardeningOptions	object	Yes	Dictionary mapping security categories to option arrays. Keys represent security domains (e.g., "image_security", "runtime_security"), values are arrays of specific hardening techniques.
sessionId	string	Yes	Unique session identifier for tracking and audit purposes.
userId	integer or null	No	Optional user identifier for multi-tenant environments and usage tracking.
timestamp	string	Yes	ISO 8601 formatted timestamp of the request (e.g., "2025-01-15T10:30:00Z").

Response Shape:

{
  "status": "string",
  "configurationId": "string",
  "generatedFiles": {
    "Dockerfile.hardened": "string",
    "docker-compose.hardened.yml": "string",
    "security_policy.json": "string"
  },
  "appliedPolicies": ["string"],
  "complianceScore": "integer (0-100)",
  "recommendations": ["string"],
  "timestamp": "string"
}

GET /api/docker/hardening/options

Description: Retrieve all available hardening options with descriptions, categories, and CIS Benchmark references.

Parameters: None

Response Shape:

{
  "imageSecurityOptions": [
    {
      "id": "string",
      "name": "string",
      "description": "string",
      "cisBenchmarkId": "string"
    }
  ],
  "runtimeSecurityOptions": [...],
  "networkSecurityOptions": [...],
  "storageSecurityOptions": [...],
  "version": "string",
  "lastUpdated": "string"
}

Pricing

Plan	Calls/Day	Calls/Month	Price
Free	5	50	Free
Developer	20	500	$39/mo
Professional	200	5,000	$99/mo
Enterprise	100,000	1,000,000	$299/mo

About

ToolWeb.in - 200+ security APIs, CISSP & CISM, platforms: Pay-per-run, API Gateway, MCP Server, OpenClaw, RapidAPI, YouTube.

References

Kong Route: https://api.mkkpro.com/hardening/docker
API Docs: https://api.mkkpro.com:8136/docs