containerlint

v1.0.1

Docker & container security anti-pattern analyzer -- detects Dockerfile issues, missing health checks, resource limit gaps, privileged containers, insecure n...

⭐ 0· 77·0 current·0 all-time

by@suhteevah

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for suhteevah/containerlint.

Previewing Install & Setup.

Prompt PreviewInstall & Setup

Install the skill "containerlint" (suhteevah/containerlint) from ClawHub.
Skill page: https://clawhub.ai/suhteevah/containerlint
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required binaries: git, bash, python3, jq
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install containerlint

ClawHub CLI

Package manager switcher

npx clawhub@latest install containerlint

Security Scan

Capability signals

CryptoRequires walletRequires sensitive credentials

These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.

VirusTotal

Suspicious

View report →

OpenClaw

Benign

high confidence

✓

Purpose & Capability

Name/description match the code: scripts perform local pattern-based scanning of Dockerfiles/compose/etc. Required binaries (git, bash, python3, jq) and the lefthook install are reasonable for file discovery, .gitignore checks, JSON parsing, and git-hook integration. Declaring a license key (CONTAINERLINT_LICENSE_KEY) as primary is consistent with the documented tiered feature gating.

ℹ

Instruction Scope

Runtime instructions call the included dispatcher/analyzer/patterns scripts and perform local file scanning only. The skill reads ~/.openclaw/openclaw.json (if present) or the CONTAINERLINT_LICENSE_KEY env var to obtain a license; it uses local tools (python3/node/jq/openssl) to parse and optionally verify tokens. It also offers commands to install lefthook git hooks that will run pre-commit/pre-push and source the shipped scripts — this modifies repo-level lefthook.yml and will execute the skill code on commits/pushes, which is expected behavior but intrusive if unreviewed.

✓

Install Mechanism

Install spec only asks to install the well-known 'lefthook' formula via brew. No arbitrary downloads or extract operations are present in the provided install metadata or code files. The scripts and config are bundled with the skill.

ℹ

Credentials

Asking for a license key (CONTAINERLINT_LICENSE_KEY) is proportional to the tiered feature model. The license module optionally uses CLAWHUB_JWT_SECRET for signature verification and will try to read ~/.openclaw/openclaw.json to find a key; those behaviors are documented in the scripts but CLAWHUB_JWT_SECRET is not declared in requires.env. The scripts otherwise use common env vars (HOME, optional CONTAINERLINT_SKILL_DIR) and do not request unrelated credentials.

ℹ

Persistence & Privilege

always:false and model invocation allowed by default. The notable persistent action is the optional lefthook/git-hook installation which writes or appends a lefthook.yml in a repository and causes the skill scripts to run on pre-commit/pre-push. This is a legitimate feature for a linter but is a persistence/privilege surface the user should review before enabling (it executes code from the skill on git operations).

Assessment

This skill appears to do what it says: local regex-based scanning of Dockerfiles and compose for container anti-patterns, with an optional paid license to unlock additional patterns. Before installing: 1) Review the bundled scripts (already provided) to confirm you accept their behavior. 2) Be aware 'hooks install' will add/append lefthook.yml to your repository and run these scripts on pre-commit/pre-push — back up your existing lefthook.yml if you have one. 3) The license key is read from CONTAINERLINT_LICENSE_KEY or ~/.openclaw/openclaw.json; only provide a key you trust. 4) The license module can optionally verify JWT signatures using CLAWHUB_JWT_SECRET (not required); if you don't set that env var, signature verification is skipped. 5) Installing lefthook via brew (as suggested) is standard but verify you want that dependency. If you want extra caution, run the scanner manually (bash scripts/dispatcher.sh --path .) in a safe repo before enabling hooks or adding a license key.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🐳 Clawdis

OSmacOS · Linux · Windows

Binsgit, bash, python3, jq

Primary envCONTAINERLINT_LICENSE_KEY

Install

Install lefthook (git hooks manager)

Bins: lefthook

brew install lefthook

latestvk9749ryvpzd0j30sv5khjvzaqx84vdzm

77downloads

0stars

1versions

Updated 1w ago

v1.0.1

MIT-0

macOS, Linux, Windows

ContainerLint -- Docker & Container Security Anti-Pattern Analyzer

ContainerLint scans codebases for Docker and container security anti-patterns, Dockerfile issues, missing health checks, resource limit gaps, privileged containers, insecure networking, and orchestration misconfigurations. It uses regex-based pattern matching against 90 container-specific patterns across 6 categories, lefthook for git hook integration, and produces markdown reports with actionable remediation guidance. 100% local. Zero telemetry.

Commands

Free Tier (No license required)

`containerlint scan [file|directory]`

One-shot container security scan of files or directories.

How to execute:

bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [target]

What it does:

Accepts a file path or directory (defaults to current directory)
Discovers all source files (skips .git, node_modules, binaries, images, .min.js)
Runs 30 container security patterns against each file (free tier limit)
Calculates a container security score (0-100) per file and overall
Grades: A (90-100), B (80-89), C (70-79), D (60-69), F (<60)
Outputs findings with: file, line number, check ID, severity, description, recommendation
Exit code 0 if score >= 70, exit code 1 if container security is poor
Free tier limited to first 30 patterns (DF + SC categories)

Example usage scenarios:

"Scan my code for Dockerfile issues" -> runs containerlint scan .
"Check this file for container anti-patterns" -> runs containerlint scan docker-compose.yml
"Find privileged containers" -> runs containerlint scan .
"Audit container security in my project" -> runs containerlint scan .
"Check for missing health checks" -> runs containerlint scan .

Pro Tier ($19/user/month -- requires CONTAINERLINT_LICENSE_KEY)

`containerlint scan --tier pro [file|directory]`

Extended scan with 60 patterns covering Dockerfile, security context, health checks, and resource management.

How to execute:

bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [target] --tier pro

What it does:

Validates Pro+ license
Runs 60 container security patterns (DF, SC, HC, RS categories)
Detects missing health checks and readiness probes
Identifies resource limit gaps and unbounded containers
Full category breakdown reporting

`containerlint scan --format json [directory]`

Generate JSON output for CI/CD integration.

bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [directory] --format json

`containerlint scan --format html [directory]`

Generate HTML report for browser viewing.

bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [directory] --format html

`containerlint scan --category HC [directory]`

Filter scan to a specific check category (DF, SC, HC, RS, NW, OR).

bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [directory] --category HC

Team Tier ($39/user/month -- requires CONTAINERLINT_LICENSE_KEY with team tier)

`containerlint scan --tier team [directory]`

Full scan with all 90 patterns across all 6 categories including networking and orchestration.

How to execute:

bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [directory] --tier team

What it does:

Validates Team+ license
Runs all 90 patterns across 6 categories
Includes networking checks (host networking, exposed ports, insecure registries)
Includes orchestration checks (compose anti-patterns, missing restart policies)
Full category breakdown with per-file results

`containerlint scan --verbose [directory]`

Verbose output showing every matched line and pattern details.

bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [directory] --verbose

`containerlint status`

Show license and configuration information.

bash "<SKILL_DIR>/scripts/dispatcher.sh" status

Check Categories

ContainerLint detects 90 container security anti-patterns across 6 categories:

Category	Code	Patterns	Description	Severity Range
Dockerfile Best Practices	DF	15	Missing USER directive, ADD instead of COPY, latest tag, missing .dockerignore patterns, multiple FROM without alias	medium -- high
Security Context	SC	15	Privileged mode, running as root, exposed secrets, capability escalation, no seccomp profile	high -- critical
Health & Readiness	HC	15	No HEALTHCHECK, missing readiness probes, no liveness checks, no startup probes	medium -- high
Resource Management	RS	15	No resource limits, no memory limits, no CPU limits, unbounded storage, no ephemeral storage limits	medium -- high
Networking & Exposure	NW	15	Exposing all ports, host networking, no network policy, publishing on 0.0.0.0, insecure registries	medium -- critical
Orchestration & Compose	OR	15	No restart policy, no replicas, hardcoded IPs in compose, no volume mounts for secrets, latest tag in compose	low -- high

Tier-Based Pattern Access

Tier	Patterns	Categories
Free	30	DF, SC
Pro	60	DF, SC, HC, RS
Team	90	DF, SC, HC, RS, NW, OR
Enterprise	90	DF, SC, HC, RS, NW, OR + priority support

Scoring

ContainerLint uses a deductive scoring system starting at 100 (perfect):

Severity	Point Deduction	Description
Critical	-25 per finding	Severe security vulnerability (privileged mode, exposed secrets)
High	-15 per finding	Significant security problem (running as root, no resource limits)
Medium	-8 per finding	Moderate concern (latest tag, missing health check)
Low	-3 per finding	Informational / best practice suggestion

Grading Scale

Grade	Score Range	Meaning
A	90-100	Excellent container security
B	80-89	Good security with minor issues
C	70-79	Acceptable but needs improvement
D	60-69	Poor container security
F	Below 60	Critical security problems

Pass threshold: 70 (Grade C or better)
Exit code 0 = pass (score >= 70)
Exit code 1 = fail (score < 70)

Configuration

Users can configure ContainerLint in ~/.openclaw/openclaw.json:

{
  "skills": {
    "entries": {
      "containerlint": {
        "enabled": true,
        "apiKey": "YOUR_LICENSE_KEY_HERE",
        "config": {
          "severityThreshold": "medium",
          "ignorePatterns": ["**/test/**", "**/fixtures/**", "**/*.test.*"],
          "ignoreChecks": [],
          "reportFormat": "text"
        }
      }
    }
  }
}

Important Notes

Free tier works immediately with no configuration
All scanning happens locally -- no code is sent to external servers
License validation is offline -- no phone-home or network calls
Pattern matching only -- no AST parsing, no external dependencies beyond bash
Supports scanning all file types in a single pass
Git hooks use lefthook which must be installed (see install metadata above)
Exit codes: 0 = pass (score >= 70), 1 = fail (for CI/CD integration)
Output formats: text (default), json, html

Error Handling

If lefthook is not installed and user tries hooks, prompt to install it
If license key is invalid or expired, show clear message with link to https://containerlint.pages.dev/renew
If a file is binary, skip it automatically with no warning
If no scannable files found in target, report clean scan with info message
If an invalid category is specified with --category, show available categories

When to Use ContainerLint

The user might say things like:

"Scan my code for Dockerfile issues"
"Check my container security"
"Find privileged containers"
"Detect missing health checks"
"Are there any hardcoded secrets in my Docker files?"
"Check for missing resource limits"
"Audit my container security practices"
"Find insecure Docker configurations"
"Check for missing network policies"
"Scan for container anti-patterns"
"Run a container security audit"
"Generate a container security report"
"Check if my containers have proper resource limits"
"Find containers running as root"
"Check my docker-compose for anti-patterns"

Comments

Loading comments...