name	docker-security
description	Secure Docker containers and images with hardening, scanning, and secrets management
sasmp_version	1.3.0
bonded_agent	06-docker-security
bond_type	PRIMARY_BOND

Docker Security Skill

Master container security hardening, vulnerability scanning, and secrets management following CIS Docker Benchmark.

Purpose

Implement security best practices for Docker containers and images including non-root users, capability dropping, and vulnerability scanning.

Parameters

Parameter	Type	Required	Default	Description
image	string	No	-	Image to scan
severity	enum	No	HIGH	CRITICAL/HIGH/MEDIUM/LOW
compliance	string	No	CIS	CIS/NIST/SOC2

Security Hardening

Non-Root User (MANDATORY)

# Create non-root user
RUN addgroup -g 1001 app && \
    adduser -u 1001 -G app -D app

# Set ownership
COPY --chown=app:app . /app

# Switch user
USER app

Read-Only Filesystem

docker run --read-only \
  --tmpfs /tmp:rw,noexec,nosuid \
  myapp:latest

Drop Capabilities

docker run \
  --cap-drop ALL \
  --cap-add NET_BIND_SERVICE \
  myapp:latest

Complete Hardened Run

docker run \
  --security-opt no-new-privileges:true \
  --cap-drop ALL \
  --read-only \
  --user 1001:1001 \
  --pids-limit 100 \
  --memory 512m \
  myapp:latest

Vulnerability Scanning

Trivy

# Basic scan
trivy image myapp:latest

# Filter by severity
trivy image --severity CRITICAL,HIGH myapp:latest

# CI/CD integration (fail on critical)
trivy image --exit-code 1 --severity CRITICAL myapp:latest

# JSON output
trivy image --format json --output report.json myapp:latest

Docker Scout

# Quick scan
docker scout cves myapp:latest

# Detailed report
docker scout cves --format markdown myapp:latest

Secrets Management

Docker Compose Secrets

services:
  database:
    image: postgres:16-alpine
    secrets:
      - db_password
    environment:
      POSTGRES_PASSWORD_FILE: /run/secrets/db_password

secrets:
  db_password:
    file: ./secrets/db_password.txt

BuildKit Secrets

# syntax=docker/dockerfile:1
RUN --mount=type=secret,id=npmrc,target=/root/.npmrc \
    npm install

docker build --secret id=npmrc,src=.npmrc .

Secure Dockerfile

FROM node:20-alpine AS builder
WORKDIR /app
COPY package*.json ./
RUN npm ci --only=production
COPY . .
RUN npm run build

FROM gcr.io/distroless/nodejs20-debian12
WORKDIR /app
COPY --from=builder /app/dist ./dist
COPY --from=builder /app/node_modules ./node_modules
USER nonroot
CMD ["dist/index.js"]

Error Handling

Common Errors

Error	Cause	Solution
`permission denied`	Non-root user	Fix file ownership
`read-only filesystem`	Read-only mode	Use tmpfs mounts
`operation not permitted`	Missing capability	Add specific cap

Fallback Strategy

Start without restrictions
Add security options incrementally
Test each restriction

Troubleshooting

Debug Checklist

Running as non-root? docker exec <c> id
Scanned for vulnerabilities?
Capabilities dropped?
Secrets not in env vars?

CIS Benchmark

docker run --rm --net host --pid host \
  -v /var/run/docker.sock:/var/run/docker.sock \
  docker/docker-bench-security

Usage

Skill("docker-security")

Related Skills

dockerfile-basics
docker-production

docker-security

Install Skill

SKILL.md