performing-container-image-hardening


This skill covers hardening container images by minimizing attack surface, removing unnecessary packages, implementing multi-stage builds, configuring non-root users, and applying CIS Docker Benchmark recommendations to produce secure production-ready images.

Category: AI & Automation | 12,642 stars | 1,468 forks | Updated today | License: Apache-2.0


Quality Score: 99/100 (Stars 20%: 100; Recency 20%: 100; Frontmatter 20%: 70; Documentation 15%: 100; Issue Health 10%: 50; License 10%: 100; Description 5%: 100)

Skill Content

# Performing Container Image Hardening

## When to Use

- When building production container images that need minimal attack surface
- When compliance requires CIS Docker Benchmark adherence for container configurations
- When reducing image size to minimize vulnerability exposure from unused packages
- When implementing defense-in-depth for containerized workloads
- When migrating from fat base images to distroless or minimal images

**Do not use** for runtime container security monitoring (use Falco), for host-level Docker daemon hardening (use the CIS Docker Benchmark host checks), or for container orchestration security (use Kubernetes security scanning).

## Prerequisites

- Docker or BuildKit for multi-stage builds
- Base image options: distroless, Alpine, slim, or scratch
- Container scanning tool (Trivy) for validation
- CIS Docker Benchmark reference

## Workflow

### Step 1: Use Multi-Stage Builds to Minimize Image Size

```dockerfile
# Build stage with all dependencies
FROM python:3.12-bookworm AS builder
WORKDIR /build
COPY requirements.txt .
RUN pip install --no-cache-dir --prefix=/install -r requirements.txt
COPY src/ ./src/
RUN python -m compileall src/

# Production stage with minimal base
FROM python:3.12-slim-bookworm AS production
RUN apt-get update && \
    apt-get install -y --no-install-recommends libpq5 && \
    rm -rf /var/lib/apt/lists/* && \
    apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false
COPY --from=builder /install /us...
```
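The skill's workflow (multi-stage build, minimal base, `--no-install-recommends`, apt cache cleanup, non-root user, CIS Docker Benchmark checks) can be verified before an image is ever built by linting the Dockerfile itself. The following is an added example written for this page, not code from the skill or the mukul975/Anthropic-Cybersecurity-Skills repository. It parses a Dockerfile, splits it into build stages, and reports the hardening gaps the skill describes, plus the base-image pinning check a reviewer would expect. The two Dockerfiles are constructed samples; the CIS item numbers are those of section 4 ("Container Images and Build File") in the CIS Docker Benchmark 1.x releases, and the finding wording is this example's own.

```python
"""Static audit of a Dockerfile against the image-hardening rules in this skill.
Added example, not code from the skill or its repository. Both Dockerfiles below
are constructed samples; CIS numbers follow section 4 of the CIS Docker Benchmark 1.x."""
from __future__ import annotations
from dataclasses import dataclass

CIS = {
    "user": "CIS Docker Benchmark 4.1: run the container as a created non-root user",
    "healthcheck": "CIS Docker Benchmark 4.6: add a HEALTHCHECK instruction",
    "update_alone": "CIS Docker Benchmark 4.7: do not use apt-get update alone in a RUN",
    "add": "CIS Docker Benchmark 4.9: use COPY instead of ADD",
}

# Constructed sample: the fat, root-running, unpinned image this skill migrates away from.
WEAK_DOCKERFILE = """\
FROM python:latest
RUN apt-get update
RUN apt-get install -y build-essential
ADD app.tar.gz /app
RUN pip install -r /app/requirements.txt
CMD ["python", "/app/main.py"]
"""

# Constructed sample following the skill's Step 1, plus a non-root USER and a HEALTHCHECK.
HARDENED_DOCKERFILE = """\
FROM python:3.12-bookworm AS builder
WORKDIR /build
COPY requirements.txt .
RUN pip install --no-cache-dir --prefix=/install -r requirements.txt
COPY src/ ./src/

FROM python:3.12-slim-bookworm AS production
RUN apt-get update && apt-get install -y --no-install-recommends libpq5 \\
    && rm -rf /var/lib/apt/lists/*
COPY --from=builder /install /usr/local
COPY --from=builder /build/src /app
RUN groupadd -r app && useradd -r -g app -d /app -s /usr/sbin/nologin app
USER app
HEALTHCHECK --interval=30s CMD ["python", "-c", "import urllib.request; urllib.request.urlopen('http://127.0.0.1:8000/healthz')"]
ENTRYPOINT ["python", "/app/main.py"]
"""


@dataclass
class Instruction:
    line: int   # first source line of the (possibly backslash-continued) instruction
    cmd: str    # upper-cased keyword, e.g. RUN
    args: str   # everything after the keyword, continuations joined with spaces


def parse_dockerfile(text: str) -> list[Instruction]:
    """Join backslash continuations, drop comments and blank lines, upper-case keywords."""
    out, buf, start = [], [], 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        start = start if buf else n
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line)
        cmd, _, args = " ".join(buf).partition(" ")
        out.append(Instruction(start, cmd.upper(), args.strip()))
        buf = []
    return out


def split_stages(instructions: list[Instruction]) -> list[tuple[str, str | None, list[Instruction]]]:
    """Group instructions by FROM; each stage is (base_ref, stage_name, instructions)."""
    stages = []
    for ins in instructions:
        if ins.cmd == "FROM":
            parts = [p for p in ins.args.split() if not p.startswith("--")]  # skip --platform=
            name = parts[2] if len(parts) >= 3 and parts[1].upper() == "AS" else None
            stages.append((parts[0], name, []))
        elif stages:
            stages[-1][2].append(ins)
    return stages


def image_is_pinned(ref: str, stage_names: set[str] = frozenset()) -> bool:
    """Pinned means a digest or an explicit tag other than 'latest'.
    'scratch' and references to earlier build stages are accepted as-is."""
    if ref == "scratch" or ref in stage_names or "@sha256:" in ref:
        return True
    last = ref.rsplit("/", 1)[-1]            # drop registry[:port]/repo/ so a port is not read as a tag
    return ":" in last and last.split(":", 1)[1] != "latest"


def audit(text: str) -> dict:
    """Return {'stages': n, 'findings': [...]}; an empty findings list passes."""
    stages = split_stages(parse_dockerfile(text))
    if not stages:
        return {"stages": 0, "findings": ["no FROM instruction"]}
    names = {name for _, name, _ in stages if name}
    base, _, final = stages[-1]              # only the last stage ships, so image-level checks look there
    findings = []
    if not image_is_pinned(base, names):
        findings.append(f"FROM {base}: base image not pinned to a tag or digest")
    user = next((i.args.split(":")[0] for i in reversed(final) if i.cmd == "USER"), None)
    if user in (None, "root", "0"):
        findings.append(f"final stage runs as root ({CIS['user']})")
    if not any(i.cmd == "HEALTHCHECK" and i.args.upper() != "NONE" for i in final):
        findings.append(CIS["healthcheck"])
    for _, _, body in stages:                # layer-level checks apply to every stage
        for i in body:
            if i.cmd == "ADD":
                findings.append(f"line {i.line}: ADD used ({CIS['add']})")
            if i.cmd != "RUN":
                continue
            if "apt-get update" in i.args and "apt-get install" not in i.args:
                findings.append(f"line {i.line}: {CIS['update_alone']}")
            if "apt-get install" in i.args:
                if "--no-install-recommends" not in i.args:
                    findings.append(f"line {i.line}: apt-get install without --no-install-recommends")
                if "/var/lib/apt/lists" not in i.args:
                    findings.append(f"line {i.line}: apt lists not removed in the same layer")
    return {"stages": len(stages), "findings": findings}


if __name__ == "__main__":
    for label, df in (("weak", WEAK_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        result = audit(df)
        print(f"{label}: {result['stages']} stage(s), {len(result['findings'])} finding(s)")
        for f in result["findings"]:
            print("  -", f)
```

Run as a script it reports seven findings for the weak sample and none for the hardened one. The checks are deliberately textual (substring matches on `RUN` arguments) so they run without Docker; they complement, not replace, a post-build scan with Trivy and a runtime `docker inspect` of the final image's `Config.User`.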

Details

Author
mukul975
Repository
mukul975/Anthropic-Cybersecurity-Skills
Created
3 months ago
Last Updated
today
Language
Python
License
Apache-2.0

Similar Skills (semantically similar based on skill content, not just the same category)

- container-hardening (sawrus; AI & Automation, Solid): Harden container images and Kubernetes workload security contexts: distroless, multi-stage, minimal attack surface. 14 stars, updated 3 days ago.
- container-hardening (roodlicht; DevOps & Infrastructure, Listed): Docker and OCI image hardening: base-image selection, USER/caps/read-only FS discipline, distroless migration, build-time scanning with trivy/grype, image signing via sigstore, and runtime guardrails (seccomp, AppArmor). 4 stars, updated 1 week ago.
- hardening-docker-containers-for-production (mukul975; DevOps & Infrastructure, Featured): Hardening Docker containers for production involves applying security best practices aligned with CIS Docker Benchmark v1.8.0 to minimize attack surface, prevent privilege escalation, and enforce leas 12,642 stars, updated today.
- docker-k8s (aiskillstore; DevOps & Infrastructure, Listed): Master containerization and orchestration with a security-first approach. Expert in Docker multi-stage builds, Kubernetes zero-trust deployments, security hardening, GitOps workflows, and production-ready patterns for cloud-native applications. Includes 2025 best practices from CNCF and major cloud providers. 335 stars, updated today.
- security-hardening (ancoleman; DevOps & Infrastructure, Listed): Reduces attack surface across OS, container, cloud, network, and database layers using CIS Benchmarks and zero-trust principles. Use when hardening production infrastructure, meeting compliance requirements, or implementing defense-in-depth security. 368 stars, updated 5 months ago.