Pin base images by digest, enforce non-root, and harden Dockerfiles
npx claudepluginhub latiotech/secure-supply-chain-skills --plugin supply-chain-securityDockerfile-pathAudit and harden container images for supply chain security. **This command takes action by default** - it pins base images to digests, adds non-root users, and fixes Dockerfile issues. Changes are explained as they are made.
Read `${CLAUDE_PLUGIN_ROOT}/skills/supply-chain-hardening/references/container-configs.md` for detailed configurations.
## Detection
Find all Dockerfiles in the project:
- `Dockerfile`
- `Dockerfile.*` (e.g., `Dockerfile.prod`, `Dockerfile.dev`)
- `*.dockerfile`
- `docker-compose.yml` / `docker-compose.*.yml` (for image references)
If $1 is provided, focus on that .../dockerCreates/optimizes Docker setups with multi-stage Dockerfiles, docker-compose.yml for local dev, .dockerignore, security scans (Trivy/Snyk), image slimming, and BuildKit. Supports flags like --init, --optimize, --security.
/optimize-dockerfileOptimizes existing Dockerfile for smaller images, faster builds, and better security. Outputs before/after size and layer comparisons, change summaries, and runtime verification.
/audit-dockerAudits Docker configuration including Dockerfile, Compose files, security, performance, architecture, and production readiness. Produces scored report with severity-ranked issues and recommendations.
/dockerfileGenerates optimized multi-stage Dockerfile with layer caching, non-root user, security best practices, and health checks tailored to the project's language/framework. Supports --base, --multistage, --output flags.
/containerizeCreate optimized Dockerfile following best practices and security standards.
Share bugs, ideas, or general feedback.
Audit and harden container images for supply chain security. This command takes action by default - it pins base images to digests, adds non-root users, and fixes Dockerfile issues. Changes are explained as they are made.
Read ${CLAUDE_PLUGIN_ROOT}/skills/supply-chain-hardening/references/container-configs.md for detailed configurations.
Find all Dockerfiles in the project:
DockerfileDockerfile.* (e.g., Dockerfile.prod, Dockerfile.dev)*.dockerfiledocker-compose.yml / docker-compose.*.yml (for image references)If $1 is provided, focus on that specific Dockerfile.
Dockerfiles were found. Check if hadolint is installed (which hadolint).
If not installed, tell the user:
Recommended: install hadolint — a Dockerfile linter that catches security misconfigurations, unpinned base images, and bad practices that manual review misses.
# macOS brew install hadolint # or via Docker docker pull hadolint/hadolintOnce installed, re-run this command for scanner-driven results. Continuing with pattern-based analysis for now.
For each Dockerfile, work through these in order. Make each change directly, explain what was done and why, then move to the next.
If hadolint is installed, run it against each Dockerfile:
hadolint Dockerfile
Parse and report findings grouped by severity. Use Hadolint's output to prioritize the fixes below — address scanner findings first. If Hadolint flags an issue that a later step would also catch (e.g., unpinned base image, running as root), fix it here and note it as "confirmed by Hadolint" when you reach that step.
Look for FROM directives. For each that uses a tag without a digest:
Important: get the multi-arch manifest digest, not a platform-specific digest. Using docker pull + docker inspect pins to your local platform's digest (e.g., arm64 on a Mac), which will break CI builds on linux/amd64. Instead, use registry-level tools that return the manifest list digest:
Preferred — docker buildx imagetools inspect (no pull needed, returns the manifest list digest):
docker buildx imagetools inspect {image}:{tag} --format '{{json .Manifest}}' | jq -r '.digest'
Alternative — crane digest (if crane is installed):
crane digest {image}:{tag}
Fallback — if neither is available, add a # TODO: pin to manifest digest comment with the docker buildx imagetools inspect command. Do NOT use docker pull + docker inspect — this pins to a single platform and will break cross-platform builds.
FROM node:18-alpine → FROM node:18-alpine@sha256:abc123...For images using :latest or no tag at all, flag these prominently — they're the highest risk. Pin to a specific version tag AND its manifest digest.
For each Dockerfile, check if there's a USER directive before CMD/ENTRYPOINT. If not:
RUN addgroup -S appgroup && adduser -S appuser -G appgroup
USER appuser
Scan for hardcoded secrets, API keys, or credentials in:
ENV directives with values that look like secretsCOPY or ADD of .env filesARG with default secret valuesFor each finding:
--secret mounts, or environment variables at runtime.dockerignore exists and includes .env*, .git, node_modules, etc.If .dockerignore doesn't exist, create one with common patterns.
If the Dockerfile installs build tools (gcc, make, build-essential, -dev packages) in the final image:
After making all changes, provide a summary:
## Container Hardening Summary
### Changes Made
- [x] Pinned N base images to digests in [files]
- [x] Added non-root user to N Dockerfiles
- [x] Created .dockerignore
- [x] Converted [file] to multi-stage build
### Manual Steps Needed
- [ ] Pin digest for [image] (docker not available - run the provided command)
- [ ] Remove secret from [file:line] and use Docker secrets instead
### Recommended Next Steps
- Run `/setup-image-signing` to sign images with Cosign/Sigstore
- Run `/setup-admission-control` to enforce signed-only images in your cluster