Skill-Datei

Docker Security

Name: Docker Security
Author: majiayu000

Secure Docker containers and images with hardening, scanning, and secrets management

majiayu000200 Sterne22.01.2026

Beruf: Netzwerk- und Computersystemadministratoren
Kategorien: Container

Skill-Inhalt

Docker Security Skill

Master container security hardening, vulnerability scanning, and secrets management following CIS Docker Benchmark.

Purpose

Implement security best practices for Docker containers and images including non-root users, capability dropping, and vulnerability scanning.

Parameters

Parameter	Type	Required	Default	Description
image	string	No	-	Image to scan
severity	enum	No	HIGH	CRITICAL/HIGH/MEDIUM/LOW
compliance	string	No	CIS	CIS/NIST/SOC2

Security Hardening

Non-Root User (MANDATORY)

Verwandte Skills

Docker Security | Skills Pool

# Create non-root user
RUN addgroup -g 1001 app && \
    adduser -u 1001 -G app -D app

# Set ownership
COPY --chown=app:app . /app

# Switch user
USER app

docker run --read-only \
  --tmpfs /tmp:rw,noexec,nosuid \
  myapp:latest

docker run \
  --cap-drop ALL \
  --cap-add NET_BIND_SERVICE \
  myapp:latest

docker run \
  --security-opt no-new-privileges:true \
  --cap-drop ALL \
  --read-only \
  --user 1001:1001 \
  --pids-limit 100 \
  --memory 512m \
  myapp:latest

# Basic scan
trivy image myapp:latest

# Filter by severity
trivy image --severity CRITICAL,HIGH myapp:latest

# CI/CD integration (fail on critical)
trivy image --exit-code 1 --severity CRITICAL myapp:latest

# JSON output
trivy image --format json --output report.json myapp:latest

# Quick scan
docker scout cves myapp:latest

# Detailed report
docker scout cves --format markdown myapp:latest

Docker Security

Docker Security Skill

Purpose

Parameters

Security Hardening

Non-Root User (MANDATORY)

Docker Security

Docker Security Skill

Purpose

Parameters

Security Hardening

Non-Root User (MANDATORY)

Read-Only Filesystem

Drop Capabilities

Complete Hardened Run

Vulnerability Scanning

Trivy

Docker Scout

Secrets Management

Docker Compose Secrets

Helm Chart Scaffolding

Python Observability

K8s Manifest Generator

Istio Traffic Management

Secrets Management

Gitops Workflow