Official Verified

dockerfile-hardening-audit

Statically audit Dockerfiles for common container hardening risks (root user, unpinned/latest base images, missing healthchecks, and risky build patterns).

skill-install — Terminal

Install via CLI (Recommended)

clawhub install openclaw/skills/skills/daniellummis/dockerfile-hardening-audit

Download Source Code (.zip)

Dockerfile Hardening Audit

Use this skill to statically audit Dockerfiles before insecure container defaults land in production.

What this skill does

Scans Dockerfiles and scores hardening risk per file
Flags missing non-root USER declarations
Flags base images using floating tags (:latest, :main, :master, :edge) or no tag/digest
Flags missing HEALTHCHECK
Flags ADD instructions (when COPY is safer/clearer)
Flags curl|bash/wget|sh style remote script execution
Supports include/exclude regex filters and fail-gate mode

Inputs

Optional:

DOCKERFILE_GLOB (default: **/Dockerfile*)
TOP_N (default: 20)
OUTPUT_FORMAT (text or json, default: text)
WARN_SCORE (default: 3)
CRITICAL_SCORE (default: 6)
REQUIRE_NON_ROOT_USER (0/1, default: 1)
REQUIRE_HEALTHCHECK (0/1, default: 1)
FLAG_FLOATING_TAGS (0/1, default: 1)
FLAG_UNPINNED_IMAGES (0/1, default: 1)
FLAG_ADD_INSTRUCTIONS (0/1, default: 1)
FLAG_REMOTE_SCRIPT_PIPE (0/1, default: 1)
FILE_MATCH (regex include filter on Dockerfile path, optional)
FILE_EXCLUDE (regex exclude filter on Dockerfile path, optional)
FAIL_ON_CRITICAL (0 or 1, default: 0)

Run

Text report:

DOCKERFILE_GLOB='**/Dockerfile*' \
bash skills/dockerfile-hardening-audit/scripts/dockerfile-hardening-audit.sh

JSON output + fail gate:

DOCKERFILE_GLOB='**/Dockerfile*' \
OUTPUT_FORMAT=json \
FAIL_ON_CRITICAL=1 \
bash skills/dockerfile-hardening-audit/scripts/dockerfile-hardening-audit.sh

Run against bundled fixtures:

DOCKERFILE_GLOB='skills/dockerfile-hardening-audit/fixtures/*Dockerfile*' \
bash skills/dockerfile-hardening-audit/scripts/dockerfile-hardening-audit.sh

Output contract

Exit 0 in report mode (default)
Exit 1 when FAIL_ON_CRITICAL=1 and one or more Dockerfiles are critical
Text mode prints summary + ranked Dockerfile risks
JSON mode prints summary + ranked Dockerfiles + critical Dockerfiles

Read Full Documentation on GitHub

Metadata

Author@daniellummis

Stars3376

Updated2026-03-24

View Author Profile

AI Skill Finder

Not sure this is the right skill?

Describe what you want to build — we'll match you to the best skill from 16,000+ options.

Find the right skill

Add to Configuration

Paste this into your clawhub.json to enable this plugin.

{
  "plugins": {
    "official-daniellummis-dockerfile-hardening-audit": {
      "enabled": true,
      "auto_update": true
    }
  }
}

Safety NoteClawKit audits metadata but not runtime behavior. Use with caution.

Related Skills

github-actions-recovery-latency-audit

Measure GitHub Actions failure recovery latency and unresolved incident age by workflow group.

daniellummis 3376

github-actions-cache-hardening-audit

Audit GitHub Actions workflow cache usage for poisoning, keying, and secret-path risks.

daniellummis 3376

render-env-guard

Preflight-check Render service environment variables before deploys; catches missing keys and placeholder/template values that commonly break production rollouts.

daniellummis 3376

github-actions-trigger-health-audit

Audit GitHub Actions run health by trigger event and workflow so flaky or noisy automation sources are easy to prioritize.

daniellummis 3376

github-actions-run-gap-audit

Detect GitHub Actions workflow groups that stopped running on their normal cadence using median run intervals and current inactivity gap.

daniellummis 3376