container-hardening
Install command
npx skills add https://github.com/bagelhole/devops-security-agent-skills --skill container-hardening
Skill documentation
Container Hardening
Secure container images and runtime configurations.
When to Use This Skill
Use this skill when:
- Building secure container images
- Hardening container deployments
- Meeting container security requirements
- Implementing defense in depth
Dockerfile Security
```dockerfile
# Use a minimal base image, pinned to a specific release
FROM alpine:3.18

# Don't run as root: create a dedicated unprivileged user and group
RUN addgroup -g 1001 -S appgroup && \
    adduser -u 1001 -S appuser -G appgroup

# Remove unnecessary packages: build-only tools should be installed as a
# virtual package (apk add --virtual .build-deps ...) and deleted in the same
# layer once the build step is done; here only the apk cache is cleared
RUN rm -rf /var/cache/apk/*

# Copy with specific ownership so the non-root user can read the files
COPY --chown=appuser:appgroup . /app

# Use the non-root user for every later instruction and at runtime
USER appuser

# Read-only filesystem support: keep runtime writes out of the image and
# mount a tmpfs for scratch data when the container is started
WORKDIR /app
```
Runtime Security
```bash
# Run with security options: read-only root, scratch space on tmpfs,
# no privilege escalation, all capabilities dropped except the one needed
# to bind a port below 1024, and an explicit unprivileged UID/GID
docker run -d \
  --read-only \
  --tmpfs /tmp \
  --security-opt=no-new-privileges:true \
  --cap-drop=ALL \
  --cap-add=NET_BIND_SERVICE \
  --user 1001:1001 \
  myapp:latest
```
Kubernetes Security Context
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: app
spec:
  # Pod-level settings apply to every container unless overridden
  securityContext:
    runAsNonRoot: true
    runAsUser: 1001
    fsGroup: 1001
  containers:
    - name: app
      image: myapp:latest
      # These fields exist only at container level
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        capabilities:
          drop: ["ALL"]
```
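As an added example (not part of the skill itself), a small audit function that checks a Pod manifest against the settings above: runAsNonRoot, a non-zero UID, no privilege escalation, a read-only root filesystem, all capabilities dropped, and nothing added back beyond NET_BIND_SERVICE (the only capability this skill re-adds). The two sample pods are constructed for the example; a real manifest would be loaded with `json.load` or `yaml.safe_load` into the same dict shape.

```python
from typing import Any

# Capabilities the baseline on this page adds back (NET_BIND_SERVICE only).
ALLOWED_CAPS = {"NET_BIND_SERVICE"}

def _effective(container_sc: dict, pod_sc: dict, key: str) -> Any:
    """Container-level securityContext overrides the pod-level value."""
    return container_sc[key] if key in container_sc else pod_sc.get(key)

def audit_pod(pod: dict) -> list[str]:
    """Return findings per container; an empty list means the baseline is met."""
    findings: list[str] = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name, sc = c.get("name", "<unnamed>"), c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        if _effective(sc, pod_sc, "runAsNonRoot") is not True:
            findings.append(f"{name}: runAsNonRoot is not true")
        if _effective(sc, pod_sc, "runAsUser") == 0:
            findings.append(f"{name}: runAsUser is 0 (root)")
        # The next two fields exist only at container level in the API.
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation is not false")
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{name}: readOnlyRootFilesystem is not true")
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            findings.append(f"{name}: capabilities.drop does not include ALL")
        extra = sorted(set(caps.get("add", [])) - ALLOWED_CAPS)
        if extra:
            findings.append(f"{name}: adds capabilities outside allow-list: {extra}")
    return findings

# Constructed sample: the pod from the Kubernetes Security Context section.
HARDENED_POD = {"apiVersion": "v1", "kind": "Pod", "spec": {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 1001, "fsGroup": 1001},
    "containers": [{"name": "app", "securityContext": {
        "allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True,
        "capabilities": {"drop": ["ALL"]}}}]}}
# Constructed sample: a pod that relies on defaults (root, writable root fs).
WEAK_POD = {"apiVersion": "v1", "kind": "Pod", "spec": {
    "containers": [{"name": "app", "image": "myapp:latest",
                    "securityContext": {"capabilities": {"add": ["SYS_ADMIN"]}}}]}}

if __name__ == "__main__":
    for label, pod in (("hardened", HARDENED_POD), ("weak", WEAK_POD)):
        print(label, audit_pod(pod) or ["OK"])
```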
Image Scanning
```bash
# Scan with Trivy, reporting only HIGH and CRITICAL findings
trivy image --severity HIGH,CRITICAL myapp:latest
```

```dockerfile
# Use distroless images: no shell or package manager in the final stage
# (the :nonroot tag of the same image runs as an unprivileged user by default)
FROM gcr.io/distroless/static-debian11
```
Best Practices
- Use minimal base images
- Run as non-root user
- Enable read-only filesystem
- Drop all capabilities
- Scan images regularly
- Sign and verify images
- Use secrets management
Related Skills
- container-scanning – Vulnerability scanning
- kubernetes-hardening – K8s security