container-hardening

Solid

Harden container images and Kubernetes workload security contexts — distroless, multi-stage, minimal attack surface.

AI & Automation 14 stars 3 forks Updated 3 days ago MIT

Quality Score: 86/100

Stars (20%): 39
Recency (20%): 100
Frontmatter (20%): 70
Documentation (15%): 100
Issue Health (10%): 80
License (10%): 100
Description (5%): 100

Skill Content

# Skill: Container Hardening

> **Expertise:** Minimal images, distroless, multi-stage builds, security context, Dockerfile best practices, Trivy scanning.

## When to load

When building a new Dockerfile, hardening an existing image, fixing a failing Trivy scan, or setting up pod security contexts.

## Hardened Dockerfile (Python example)

```dockerfile
# ── Stage 1: Build (has build tools, not in final image) ──
FROM python:3.12-slim@sha256:<pinned-digest> AS builder
WORKDIR /app
COPY requirements.txt .
RUN pip install --user --no-cache-dir -r requirements.txt

# ── Stage 2: Runtime (minimal, no build tools) ───────────
FROM python:3.12-slim@sha256:<pinned-digest>

# Create non-root user (fixed uid/gid so the runtime USER matches)
RUN groupadd -r appgroup --gid=1000 && \
    useradd -r -g appgroup --uid=1000 --no-create-home appuser
WORKDIR /app

# Copy only built artifacts from builder; the user site-packages
# are found at runtime via HOME=/home/appuser, so `python -m` works
COPY --from=builder /root/.local /home/appuser/.local
COPY --chown=appuser:appgroup src/ ./src/

# Strip SETUID/SETGID bits (-perm /6000 matches either) to reduce attack surface
RUN find / -perm /6000 -type f -exec chmod a-s {} \; 2>/dev/null || true

# Switch to non-root
USER 1000:1000

# Read-only filesystem friendly: temp dir for app writes
VOLUME ["/tmp"]
EXPOSE 8080

# Prefer exec form (handles signals correctly)
ENTRYPOINT ["python", "-m", "uvicorn", "src.main:app", "--host", "0.0.0.0", "--port", "8080"]
```

## Distroless (Go example — smallest attack surface)

```dockerfile
FROM golang:1.23-alpine AS builder
WORKDIR /app
COPY . .
RUN CGO_ENABLED=0 GOOS=linux go...
```

Details

Author: sawrus
Repository: sawrus/agent-guides
Created: 3 months ago
Last Updated: 3 days ago
Language: Shell
License: MIT

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Featured

performing-container-image-hardening

This skill covers hardening container images by minimizing attack surface, removing unnecessary packages, implementing multi-stage builds, configuring non-root users, and applying CIS Docker Benchmark recommendations to produce secure production-ready images.

12,642 Updated today
mukul975
DevOps & Infrastructure Listed

container-hardening

Docker and OCI image hardening — base-image selection, USER/caps/read-only FS discipline, distroless migration, build-time scanning with trivy/grype, image signing via sigstore, and runtime guardrails (seccomp, AppArmor).

4 Updated 1 week ago
roodlicht
DevOps & Infrastructure Listed

docker-k8s

Master containerization and orchestration with security-first approach. Expert in Docker multi-stage builds, Kubernetes zero-trust deployments, security hardening, GitOps workflows, and production-ready patterns for cloud-native applications. Includes 2025 best practices from CNCF and major cloud providers.

335 Updated today
aiskillstore
DevOps & Infrastructure Featured

hardening-docker-containers-for-production

Hardening Docker containers for production involves applying security best practices aligned with CIS Docker Benchmark v1.8.0 to minimize attack surface, prevent privilege escalation, and enforce leas

12,642 Updated today
mukul975
AI & Automation Featured

implementing-container-image-minimal-base-with-distroless

Reduce container attack surface by building application images on Google distroless base images that contain only the application runtime with no shell, package manager, or unnecessary OS utilities.

12,642 Updated today
mukul975