# Audit Dockerfiles with Hadolint

Dockerfiles often hide insecure defaults, unpinned packages, and weak build patterns. This skill guides Hadolint scans, CI integration, and practical remediation for container builds.

## Install

```bash
npx skillstore add agentsecops/container-hadolint
```

## Metadata

- Slug: agentsecops-container-hadolint
- Version: 0.1.0
- Author: AgentSecOps
- GitHub username: AgentSecOps
- License: MIT
- Repository: https://github.com/AgentSecOps/SecOpsAgentKit/tree/main/skills/devsecops/container-hadolint
- Ref: main
- Supported tools: Claude, Codex, Claude Code
- Risk level: medium
- Risk factors: external_commands, network, filesystem, env_access
- Quality score: 50
- Quality tier: warning
- Public page: https://skillstore.pages.dev/skills/agentsecops-container-hadolint
- Manifest: https://skillstore.pages.dev/api/skills/agentsecops-container-hadolint/manifest

## Capabilities

- Explain Hadolint findings and map them to Dockerfile security practices.
- Generate local Hadolint commands for single or multiple Dockerfiles.
- Recommend strict, balanced, or permissive Hadolint configuration profiles.
- Provide GitHub Actions and GitLab CI patterns for Dockerfile linting.
- Suggest remediation for common Dockerfile issues such as root users, ADD usage, and unpinned packages.
- Help teams document Dockerfile linting results for security review.
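As an added example (not code from the skill or from Hadolint itself), the Python gate below reads a `hadolint -f json` report, counts findings by severity, fails the job at a chosen threshold, and attaches a remediation hint for the rule codes the skill calls out (root user DL3002, ADD DL3020, unpinned apt packages DL3008, untagged base image DL3006). The sample report is constructed; the `REMEDIATION` table, the `gate` function and the profile cut-offs are this example's own choices, while the JSON keys (`file`, `line`, `column`, `code`, `level`, `message`) and the severity names are the ones Hadolint emits.

```python
"""CI gate over Hadolint's JSON output (added example, not the skill's code).

Assumes the Dockerfile was scanned with:  hadolint -f json Dockerfile > report.json
and parses that report offline. SAMPLE_REPORT is constructed for illustration.
"""
import json
import sys
from collections import Counter

# Hadolint severity names, most severe first (same names its --failure-threshold accepts).
LEVELS = ["error", "warning", "info", "style"]

# Remediation hints for the findings the skill mentions. This mapping is ours, not Hadolint's.
REMEDIATION = {
    "DL3002": "Add a non-root USER before the final instruction (least privilege).",
    "DL3020": "Use COPY for local files; reserve ADD for unpacking local tar archives.",
    "DL3008": "Pin apt packages (apt-get install -y pkg=1.2.3-1) and clean /var/lib/apt/lists.",
    "DL3006": "Tag the base image explicitly (better: pin a digest) instead of an implicit latest.",
}

# Constructed sample of what `hadolint -f json` prints: one object per finding.
SAMPLE_REPORT = json.dumps([
    {"file": "Dockerfile", "line": 1, "column": 1, "code": "DL3006",
     "level": "warning", "message": "Always tag the version of an image explicitly"},
    {"file": "Dockerfile", "line": 3, "column": 1, "code": "DL3008",
     "level": "warning", "message": "Pin versions in apt get install."},
    {"file": "Dockerfile", "line": 5, "column": 1, "code": "DL3020",
     "level": "error", "message": "Use COPY instead of ADD for files and folders"},
    {"file": "Dockerfile", "line": 7, "column": 1, "code": "DL3002",
     "level": "warning", "message": "Last USER should not be root"},
    {"file": "Dockerfile", "line": 9, "column": 1, "code": "DL3059",
     "level": "info", "message": "Multiple consecutive `RUN` instructions. Consider consolidation."},
])


def parse_report(text):
    """Parse `hadolint -f json` output into a list of finding dicts ([] when clean)."""
    findings = json.loads(text) if text.strip() else []
    for f in findings:
        if f.get("level") not in LEVELS:
            raise ValueError(f"unknown hadolint level: {f.get('level')!r}")
    return findings


def count_by_level(findings):
    """Counter of findings per severity, e.g. {'error': 1, 'warning': 3}."""
    return Counter(f["level"] for f in findings)


def gate(findings, threshold="warning"):
    """Return (passed, blocking): blocking = findings at or above `threshold`.

    'none' mirrors Hadolint's own --failure-threshold none (report only, never fail).
    """
    if threshold == "none":
        return (True, [])
    cutoff = LEVELS.index(threshold)
    blocking = [f for f in findings if LEVELS.index(f["level"]) <= cutoff]
    return (not blocking, blocking)


def format_finding(f):
    """One line per finding plus a fix hint; unknown codes link to the Hadolint wiki page."""
    hint = REMEDIATION.get(f["code"], "see https://github.com/hadolint/hadolint/wiki/" + f["code"])
    return f"{f['file']}:{f['line']} {f['level'].upper()} {f['code']}: {f['message']}\n    fix: {hint}"


def main(report_text=SAMPLE_REPORT, threshold="warning"):
    """Print findings (most severe first) and a summary; return the CI exit code."""
    findings = parse_report(report_text)
    passed, _ = gate(findings, threshold)
    for f in sorted(findings, key=lambda f: (LEVELS.index(f["level"]), f["line"])):
        print(format_finding(f))
    verdict = "PASS" if passed else "FAIL"
    print(f"summary: {dict(count_by_level(findings))} threshold={threshold} {verdict}")
    return 0 if passed else 1


if __name__ == "__main__":
    # usage: python hadolint_gate.py report.json [threshold]; no args runs the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    sys.exit(main(text, sys.argv[2] if len(sys.argv) > 2 else "warning"))
```

Hadolint can enforce the same cut-off by itself with `--failure-threshold warning`; parsing the JSON in CI is worthwhile when you want the per-service summary and fix hints posted to the pull request, or a looser gate for services still mid-migration.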

## Use Cases

- Developer Dockerfile Review: Check a Dockerfile before opening a pull request and get clear remediation steps for common Hadolint findings.
- CI Policy Rollout: Add Hadolint to GitHub Actions or GitLab CI with thresholds that fit production and migration workflows.
- Container Security Baseline: Create a Dockerfile linting baseline aligned with trusted registries, least privilege, and CIS Docker guidance.

## Prompt Templates

### Scan One Dockerfile

```
Review my Dockerfile with Hadolint guidance. Explain the most important security issues and suggest safe fixes.
```

### Create a CI Check

```
Help me add Hadolint to CI for this repository. Use a warning threshold and explain any required permissions.
```

### Tune Rule Severity

```
Design a Hadolint configuration for production Dockerfiles. Separate required security rules from advisory style rules.
```

### Audit Multiple Services

```
Plan a Hadolint audit for all Dockerfiles in this monorepo. Group findings by risk and propose a phased remediation plan.
```

## Limitations

- It does not replace container image vulnerability scanning tools such as Trivy or Grype.
- Hadolint reads only the Dockerfile text, so it cannot prove that the built image is secure: the packages and files actually installed at build time are never inspected.
- The CI examples it produces may still need a pinned Hadolint version or action, checksum verification of any downloaded binary, and adjustment to local policy.
- Hadolint findings can require human review for legacy or specialized Dockerfiles.

## Best Practices

- Run Hadolint before image builds so Dockerfile defects fail early.
- Pin base images, packages, actions, and downloaded tools wherever possible.
- Record rule suppressions with a reason and an owner for later cleanup.

## Anti Patterns

- Do not copy network installer examples into production CI without checksum or version controls.
- Do not suppress broad Hadolint rule groups to make a pipeline pass quickly.
- Do not treat Dockerfile linting as a replacement for runtime image scanning.
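The two points above about suppressions (record each with a reason and an owner; never silence whole rule groups to get a green pipeline) and the strict, balanced and permissive profiles the skill recommends can be enforced mechanically. The following Python is an added example, not code from the skill: the profile names, the `SECURITY_RULES` set, the five-suppression cap and the `{rule, reason, owner}` registry shape are this example's own conventions, while `failure-threshold`, `ignored`, `override` and `trustedRegistries` are Hadolint's documented `.hadolint.yaml` keys.

```python
"""Generate .hadolint.yaml profiles and vet rule suppressions (added example).

Assumptions (ours, not Hadolint's or the skill's): three named profiles, a fixed set of
security rules that may never be globally ignored, and a cap on the number of suppressions.
"""
import sys

# Rules behind the findings the skill singles out: root user, ADD, unpinned apt packages,
# untagged or :latest base images. Treated here as non-negotiable.
SECURITY_RULES = {"DL3002", "DL3020", "DL3008", "DL3006", "DL3007"}

# Profile -> Hadolint settings. `override` maps a severity to the rules forced to it.
PROFILES = {
    "strict":     {"failure-threshold": "info",    "override": {"error": sorted(SECURITY_RULES)}},
    "balanced":   {"failure-threshold": "warning", "override": {"error": sorted(SECURITY_RULES)}},
    "permissive": {"failure-threshold": "error",   "override": {"warning": sorted(SECURITY_RULES)}},
}

MAX_SUPPRESSIONS = 5  # our own cap; more than this usually means rules are being bulk-silenced


def vet_suppressions(suppressions):
    """Check a list of {rule, reason, owner} dicts; return a list of problems ([] means OK)."""
    problems = []
    if len(suppressions) > MAX_SUPPRESSIONS:
        problems.append(f"{len(suppressions)} suppressions exceeds the cap of {MAX_SUPPRESSIONS}")
    for s in suppressions:
        rule = str(s.get("rule", ""))
        # Hadolint codes are DLnnnn; ShellCheck codes surfaced by Hadolint are SCnnnn.
        if not (rule[:2] in ("DL", "SC") and rule[2:].isdigit()):
            problems.append(f"{rule!r}: not a Hadolint (DLnnnn) or ShellCheck (SCnnnn) rule code")
        elif rule in SECURITY_RULES:
            problems.append(f"{rule}: required security rule, cannot be suppressed globally")
        if not str(s.get("reason", "")).strip():
            problems.append(f"{rule}: missing reason")
        if not str(s.get("owner", "")).strip():
            problems.append(f"{rule}: missing owner")
    return problems


def render_config(profile, suppressions=(), trusted_registries=("docker.io",)):
    """Return .hadolint.yaml text for `profile`; raises ValueError if suppressions fail vetting.

    Each ignored rule carries its reason and owner as a trailing YAML comment, so the
    justification lives next to the suppression and survives code review.
    """
    problems = vet_suppressions(list(suppressions))
    if problems:
        raise ValueError("; ".join(problems))
    settings = PROFILES[profile]
    lines = [f"# hadolint profile: {profile}",
             f"failure-threshold: {settings['failure-threshold']}",
             "trustedRegistries:"]
    lines += [f"  - {r}" for r in trusted_registries]
    lines.append("override:")
    for level, rules in settings["override"].items():
        lines.append(f"  {level}:")
        lines += [f"    - {r}" for r in rules]
    if suppressions:
        lines.append("ignored:")
        for s in suppressions:
            lines.append(f"  - {s['rule']}  # {s['reason'].strip()} (owner: {s['owner'].strip()})")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # usage: python hadolint_profile.py [strict|balanced|permissive] > .hadolint.yaml
    profile = sys.argv[1] if len(sys.argv) > 1 else "balanced"
    example = [{"rule": "DL3059", "reason": "RUN layers are squashed in the release stage",
                "owner": "platform-team"}]  # constructed sample suppression
    sys.stdout.write(render_config(profile, example))
```

Keep the registry in version control next to the Dockerfiles and run `vet_suppressions` in the same CI job that runs Hadolint; an entry that lacks an owner, or that tries to ignore DL3002 or DL3020 for the whole repository, fails the job before the lint even runs.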

## Security Audit

- Safe to publish: true
- Audited at: 2026-06-28T05:11:40.35+00:00
- Summary: The static analyzer reported many severe patterns, but review shows most are Markdown examples or Hadolint configuration references, not hidden malicious behavior. The skill is safe to publish with a warning because it encourages external command execution and includes an unverified network installer pattern.

## Stats

- Views: 358
- Downloads: 5
- Favorites: 0
- Popularity score: 0
