configure-container

Check and configure comprehensive container infrastructure against project standards with emphasis on minimal images, non-root users, and security hardening.

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.


Install skill "configure-container" with this command: npx skills add laurigates/claude-plugins/laurigates-claude-plugins-configure-container

/configure:container


When to Use This Skill

Use this skill when...

  • Auditing container infrastructure compliance (Dockerfile, workflows, scanning)

  • Checking multi-stage builds, non-root users, and security hardening

  • Setting up container build workflows with GHCR and multi-platform support

  • Verifying .dockerignore, OCI labels, and base image versions

  • Adding Trivy/Grype scanning to CI pipelines

Use another approach when...

  • Writing a Dockerfile from scratch (/configure:dockerfile)

  • Configuring Kubernetes deployments (/configure:skaffold)

  • Running vulnerability scans on a built image (Trivy CLI directly)

  • Configuring devcontainer features for VS Code

  • Debugging container runtime issues (system-debugging agent)

Context

  • Dockerfiles: !find . -maxdepth 2 \( -name 'Dockerfile' -o -name 'Dockerfile.*' -o -name '*.Dockerfile' \)

  • Docker ignore: !find . -maxdepth 1 -name '.dockerignore'

  • Container workflows: !find .github/workflows -maxdepth 1 \( -name '*container*' -o -name '*docker*' -o -name '*build*' \)

  • Devcontainer: !find .devcontainer -maxdepth 1 -name 'devcontainer.json'

  • Skaffold: !find . -maxdepth 1 -name 'skaffold.yaml'

  • Package files: !find . -maxdepth 1 \( -name 'package.json' -o -name 'pyproject.toml' -o -name 'Cargo.toml' -o -name 'go.mod' \)

  • Project standards: !find . -maxdepth 1 -name '.project-standards.yaml'

Parameters

Parse from command arguments:

  • --check-only: Report compliance status without modifications (CI/CD mode)

  • --fix: Apply fixes automatically without prompting

  • --component <name>: Check a specific component only (dockerfile, workflow, registry, scanning, devcontainer)

Security Philosophy

Minimal Attack Surface: Smaller images = fewer vulnerabilities. Use Alpine (~5MB) for Node.js, slim (~50MB) for Python.

Non-Root by Default: ALL containers MUST run as non-root users.

Multi-Stage Required: Separate build and runtime environments. Build tools and dev dependencies should NOT be in production images.

Execution

Execute this container infrastructure compliance check:

Step 1: Detect container-related files

Search for Dockerfile, workflow files, devcontainer config, and .dockerignore. Detect the project type (frontend, python, go, rust, infrastructure) from package files.

Step 2: Look up latest base image versions

Use WebSearch or WebFetch to verify current versions before flagging outdated images:

  • Node.js Alpine images: Check Docker Hub for latest LTS Alpine tags

  • Python slim images: Check Docker Hub for latest slim tags

  • nginx Alpine: Check Docker Hub for latest Alpine tags

  • GitHub Actions: Check release pages for latest action versions

  • Trivy: Check aquasecurity/trivy-action releases

Step 3: Analyze each component

Check each component against standards:

Dockerfile Standards (check, standard, severity):

  • Exists: Required for containerized projects (FAIL if missing)

  • Multi-stage: Required (build + runtime stages) (FAIL if missing)

  • HEALTHCHECK: Required for K8s probes (FAIL if missing)

  • Non-root user: REQUIRED, not optional (FAIL if missing)

  • .dockerignore: Required (WARN if missing)

  • .dockerignore excludes Dockerfile*: Use a glob to exclude all Dockerfile variants from the build context (WARN if only Dockerfile is excluded)

  • Base image version: Latest stable (check Docker Hub) (WARN if outdated)

  • Minimal base: Alpine for Node, slim for Python (WARN if bloated)

Base Image Standards (verify latest before reporting; language, build image, runtime image, size target):

  • Node.js: build node:24-alpine (LTS), runtime nginx:1.27-alpine, size target < 50MB

  • Python: build python:3.13-slim, runtime python:3.13-slim, size target < 150MB

  • Go: build golang:1.23-alpine, runtime scratch or alpine:3.21, size target < 20MB

  • Rust: build rust:1.84-alpine, runtime alpine:3.21, size target < 20MB

Security Hardening Standards (check, standard, severity):

  • Non-root USER: Required (create a dedicated user) (FAIL if missing)

  • Read-only FS: --read-only or RO annotation (INFO if missing)

  • No new privileges: --security-opt=no-new-privileges (INFO if missing)

  • Drop capabilities: --cap-drop=all plus explicit --cap-add for what is needed (INFO if missing)

  • No secrets in image: No ENV with sensitive data (FAIL if found)
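The Dockerfile and hardening checks above, implemented as an added POSIX-shell audit (this is example code, not the skill's own implementation). It checks multi-stage, HEALTHCHECK, a non-root final USER, secret-looking ENV values, and base image pinning, and it runs against two constructed sample Dockerfiles.

```shell
# Added example, not part of the skill: POSIX-shell audit applying the Dockerfile
# and hardening checks above. Prints findings; returns the count of FAILs.
audit_dockerfile() {
  f="$1"; fails=0
  froms=$(grep -iE '^[[:space:]]*FROM[[:space:]]' "$f" || true)
  # Multi-stage: at least two FROM instructions (build + runtime).
  n=$(printf '%s\n' "$froms" | grep -c . || true)
  [ "$n" -ge 2 ] || { echo "FAIL multi-stage: $n FROM stage(s)"; fails=$((fails + 1)); }
  # HEALTHCHECK is required for Kubernetes probes.
  grep -qiE '^[[:space:]]*HEALTHCHECK[[:space:]]' "$f" || { echo "FAIL HEALTHCHECK missing"; fails=$((fails + 1)); }
  # Non-root: the last USER instruction wins and must not be root / uid 0.
  user=$(grep -iE '^[[:space:]]*USER[[:space:]]' "$f" | tail -n 1 | awk '{print $2}')
  case "$user" in
    ''|root|root:*|0|0:*) echo "FAIL non-root USER: got '${user:-none}'"; fails=$((fails + 1)) ;;
  esac
  # No secrets baked into the image via ENV.
  grep -qiE '^[[:space:]]*ENV[[:space:]].*(PASSWORD|SECRET|TOKEN|API_KEY)' "$f" \
    && { echo "FAIL secret-looking ENV value"; fails=$((fails + 1)); }
  # Version pinning: base images need a tag or digest, never :latest.
  # Stage names ("FROM x AS build" -> build) and scratch are skipped.
  stages=$(printf '%s\n' "$froms" | awk 'tolower($3) == "as" {print $4}')
  for img in $(printf '%s\n' "$froms" | awk '{print $2}'); do
    printf '%s\n' "$stages" | grep -qxF -- "$img" && continue
    case "$img" in
      *:latest) echo "WARN base image $img uses :latest" ;;
      scratch|*:*) ;;
      *) echo "WARN base image $img has no tag" ;;
    esac
  done
  return "$fails"
}
# Constructed sample Dockerfiles for a self-check: one compliant, one not.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/Dockerfile.good" <<'EOF'
FROM python:3.13-slim AS build
RUN pip install --prefix=/install flask
FROM python:3.13-slim
COPY --from=build /install /usr/local
RUN useradd --system --uid 10001 app
USER app
HEALTHCHECK CMD python -c "import urllib.request as u; u.urlopen('http://localhost:8000/')"
EOF
cat > "$SAMPLES/Dockerfile.bad" <<'EOF'
FROM node:latest
ENV API_KEY=constructed-placeholder
CMD ["node", "server.js"]
EOF
audit_dockerfile "$SAMPLES/Dockerfile.good" && echo "good: compliant"
audit_dockerfile "$SAMPLES/Dockerfile.bad" || echo "bad: $? FAIL finding(s)"
```

The pinning check reads the second word of each FROM line, so `FROM --platform=...` forms are not parsed; the non-root check treats `USER 0`, `USER root` and a missing USER alike.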

Build Workflow Standards (check, standard, severity):

  • Workflow exists: container-build.yml or similar (FAIL if missing)

  • checkout action: v4+ (WARN if older)

  • build-push-action: v6+ (WARN if older)

  • Multi-platform: linux/amd64,linux/arm64 (WARN if missing)

  • Build caching: GHA cache enabled (WARN if missing)

  • Security scan: Trivy/Grype in workflow (WARN if missing)

  • id-token: write: Required when provenance/SBOM is configured (WARN if missing)

  • Cache scope: Explicit scope= for multi-image builds (WARN if missing)

  • Scanner pinned: Trivy/Grype action pinned by SHA, not @master (WARN if unpinned)
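The workflow checks above as an added POSIX-shell example (not the skill's own code): every `uses:` reference must be pinned to a full commit SHA, the build must target linux/amd64 and linux/arm64, GHA caching must be on, and `id-token: write` must be present when provenance/SBOM is configured. The workflow it runs against is constructed, and the 40-zero SHA in it is a placeholder, not a real commit.

```shell
# Added example, not part of the skill: lint a GitHub Actions workflow for the
# supply-chain controls listed above. Prints findings; returns their count.
check_workflow() {
  f="$1"; findings=0
  # One "owner/repo@ref" per uses: line; local ./actions and docker:// refs are skipped.
  for ref in $(sed -n 's/^[[:space:]-]*uses:[[:space:]]*//p' "$f" | awk '{print $1}'); do
    case "$ref" in ./*|docker://*) continue ;; esac
    # A pinned ref is exactly 40 lowercase hex characters after the '@'.
    if ! printf '%s\n' "${ref#*@}" | grep -qxE '[0-9a-f]{40}'; then
      echo "WARN $ref is not pinned to a full commit SHA"; findings=$((findings + 1))
    fi
  done
  # Multi-platform: the build step must target both architectures.
  grep -qE 'platforms:.*linux/amd64' "$f" && grep -qE 'platforms:.*linux/arm64' "$f" \
    || { echo "WARN platforms: should include linux/amd64,linux/arm64"; findings=$((findings + 1)); }
  # GHA build cache.
  grep -qE 'cache-from:.*type=gha' "$f" \
    || { echo "WARN GHA build cache not enabled"; findings=$((findings + 1)); }
  # id-token: write is needed once provenance/SBOM attestations are configured.
  if grep -qE '^[[:space:]]*(provenance|sbom):' "$f" \
     && ! grep -qE '^[[:space:]]*id-token:[[:space:]]*write' "$f"; then
    echo "WARN provenance/sbom configured but id-token: write is missing"; findings=$((findings + 1))
  fi
  return "$findings"
}
# Constructed sample workflow: one action pinned (placeholder SHA), two unpinned,
# provenance enabled without id-token: write.
WF=$(mktemp)
cat > "$WF" <<'EOF'
name: container-build
on: push
permissions:
  contents: read
  packages: write
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: docker/build-push-action@0000000000000000000000000000000000000000  # placeholder SHA
        with:
          platforms: linux/amd64,linux/arm64
          cache-from: type=gha
          cache-to: type=gha,mode=max
          provenance: true
      - uses: aquasecurity/trivy-action@master
EOF
check_workflow "$WF" || echo "$? finding(s)"
```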

Container Labels Standards (GHCR Integration; check, standard, severity):

  • org.opencontainers.image.source: Required, links to the repository (WARN if missing)

  • org.opencontainers.image.description: Required, package description (WARN if missing)

  • org.opencontainers.image.licenses: Required, SPDX license (WARN if missing)

Run /configure:dockerfile for detailed Dockerfile checks if needed.

Step 4: Generate compliance report

Print a formatted compliance report:

Container Infrastructure Compliance Report

Project Type: frontend (detected)

Component Status:

  • Dockerfile: PASS
  • Build Workflow: PASS
  • Registry Config: PASS
  • Container Scanning: WARN (missing)
  • Devcontainer: SKIP (not required)
  • .dockerignore: PASS

Dockerfile Checks:

  • Multi-stage: 2 stages, PASS
  • HEALTHCHECK: Present, PASS
  • Base images: node:22, nginx, PASS

Build Workflow Checks:

  • Workflow: container-build.yml, PASS
  • checkout: v4, PASS
  • build-push-action: v6, PASS
  • Multi-platform: amd64,arm64, PASS
  • GHA caching: Enabled, PASS

Container Labels Checks:

  • image.source: In metadata-action, PASS
  • image.description: Custom label set, PASS
  • image.licenses: Not configured, WARN

Recommendations:

  • Add org.opencontainers.image.licenses label to workflow
  • Add Trivy or Grype vulnerability scanning to CI

Overall: 2 warnings, 1 info

If --check-only, stop here.

Step 5: Apply fixes (if --fix or user confirms)

  • Missing Dockerfile: Run /configure:dockerfile --fix

  • Missing build workflow: Create from template in REFERENCE.md

  • Missing scanning: Add Trivy scanning job

  • Missing .dockerignore: Create standard .dockerignore from REFERENCE.md

  • Outdated actions: Update version numbers

Step 6: Update standards tracking

Update .project-standards.yaml:

components:
  container: "2025.1"
  dockerfile: "2025.1"
  container-workflow: "2025.1"

For detailed templates (Dockerfile, workflow, devcontainer, .dockerignore), see REFERENCE.md.

Agentic Optimizations

Context and command:

  • Quick compliance check: /configure:container --check-only

  • Auto-fix all issues: /configure:container --fix

  • Dockerfile only: /configure:container --check-only --component dockerfile

  • Workflow only: /configure:container --check-only --component workflow

  • Scanning only: /configure:container --fix --component scanning

  • Find all Dockerfiles: find . -maxdepth 2 \( -name 'Dockerfile' -o -name 'Dockerfile.*' \) 2>/dev/null

Flags

Flag and description:

  • --check-only: Report status without offering fixes

  • --fix: Apply fixes automatically

  • --component <name>: Check a specific component only (dockerfile, workflow, registry, scanning, devcontainer)

Component Dependencies

Container Infrastructure
├── Dockerfile (required)
│   └── .dockerignore (recommended)
├── Build Workflow (required for CI/CD)
│   ├── Registry config
│   └── Multi-platform builds
├── Container Scanning (recommended)
│   └── SBOM generation (optional)
└── Devcontainer (optional)
    └── VS Code extensions

Notes

  • Multi-platform builds: Essential for M1/M2 Mac developers and ARM servers

  • GHCR: GitHub Container Registry is preferred for GitHub-hosted projects

  • Trivy: Recommended scanner for comprehensive vulnerability detection

  • Alpine vs Slim: Use Alpine for Node.js/Go/Rust. Use slim (Debian) for Python (musl compatibility issues)

  • Non-root is mandatory: Never run containers as root in production

  • Version pinning: Always use specific version tags, never latest

See Also

  • /configure:dockerfile - Dockerfile-specific configuration

  • /configure:workflows - GitHub Actions workflow configuration

  • /configure:skaffold - Kubernetes development configuration

  • /configure:security - Security scanning configuration

  • /configure:all - Run all compliance checks

  • container-development skill - Container best practices

  • ci-workflows skill - CI/CD workflow patterns

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.
