Docker Security Skill

Master container security hardening, vulnerability scanning, and secrets management following CIS Docker Benchmark.

Purpose

Implement security best practices for Docker containers and images including non-root users, capability dropping, and vulnerability scanning.

Parameters

Parameter	Type	Required	Default	Description
image	string	No	-	Image to scan
severity	enum	No	HIGH	CRITICAL/HIGH/MEDIUM/LOW
compliance	string	No	CIS	CIS/NIST/SOC2

Security Hardening

Non-Root User (MANDATORY)

# Create non-root user
RUN addgroup -g 1001 app && \
    adduser -u 1001 -G app -D app

# Set ownership
COPY --chown=app:app . /app

# Switch user
USER app

Read-Only Filesystem

docker run --read-only \
  --tmpfs /tmp:rw,noexec,nosuid \
  myapp:latest

Drop Capabilities

docker run \
  --cap-drop ALL \
  --cap-add NET_BIND_SERVICE \
  myapp:latest

Complete Hardened Run

docker run \
  --security-opt no-new-privileges:true \
  --cap-drop ALL \
  --read-only \
  --user 1001:1001 \
  --pids-limit 100 \
  --memory 512m \
  myapp:latest

Vulnerability Scanning

Trivy

# Basic scan
trivy image myapp:latest

# Filter by severity
trivy image --severity CRITICAL,HIGH myapp:latest

# CI/CD integration (fail on critical)
trivy image --exit-code 1 --severity CRITICAL myapp:latest

# JSON output
trivy image --format json --output report.json myapp:latest

Docker Scout

# Quick scan
docker scout cves myapp:latest

# Detailed report
docker scout cves --format markdown myapp:latest

Secrets Management

Docker Compose Secrets

services:
  database:
    image: postgres:16-alpine
    secrets:
      - db_password
    environment:
      POSTGRES_PASSWORD_FILE: /run/secrets/db_password

secrets:
  db_password:
    file: ./secrets/db_password.txt

BuildKit Secrets

# syntax=docker/dockerfile:1
RUN --mount=type=secret,id=npmrc,target=/root/.npmrc \
    npm install

docker build --secret id=npmrc,src=.npmrc .

Secure Dockerfile

FROM node:20-alpine AS builder
WORKDIR /app
COPY package*.json ./
RUN npm ci --only=production
COPY . .
RUN npm run build

FROM gcr.io/distroless/nodejs20-debian12
WORKDIR /app
COPY --from=builder /app/dist ./dist
COPY --from=builder /app/node_modules ./node_modules
USER nonroot
CMD ["dist/index.js"]

Error Handling

Common Errors

Error	Cause	Solution
`permission denied`	Non-root user	Fix file ownership
`read-only filesystem`	Read-only mode	Use tmpfs mounts
`operation not permitted`	Missing capability	Add specific cap

Fallback Strategy

Start without restrictions
Add security options incrementally
Test each restriction

Troubleshooting

Debug Checklist

Running as non-root? docker exec <c> id
Scanned for vulnerabilities?
Capabilities dropped?
Secrets not in env vars?

CIS Benchmark

docker run --rm --net host --pid host \
  -v /var/run/docker.sock:/var/run/docker.sock \
  docker/docker-bench-security

Usage

Skill("docker-security")

Related Skills

dockerfile-basics
docker-production

docker-security

Safety Notice

Copy this and send it to your AI assistant to learn

Docker Security Skill

Purpose

Parameters

Security Hardening

Non-Root User (MANDATORY)

Read-Only Filesystem

Drop Capabilities

Complete Hardened Run

Vulnerability Scanning

Trivy

Docker Scout

Secrets Management

Docker Compose Secrets

BuildKit Secrets

Secure Dockerfile

Error Handling

Common Errors

Fallback Strategy

Troubleshooting

Debug Checklist

CIS Benchmark

Usage

Related Skills

Source Transparency

Related Skills

docker-compose-setup

docker-optimization

docker-swarm