Audit Dockerfile and docker-compose.yml against security, performance, and production readiness checklist. Dispatches dockerfile-reviewer agent for detailed analysis.
Audits Dockerfiles and docker-compose configurations for security, performance, and production readiness best practices.
npx claudepluginhub jugrajsingh/skillgarden

This skill is limited to using the following tools:
Comprehensive audit of Dockerfile and docker-compose.yml against best practices.
Security checks:

| Check | Pass Criteria |
|---|---|
| Non-root USER | USER directive present, not root |
| No secrets in ENV/ARG | No passwords, keys, tokens in ENV or ARG |
| Base image pinned | Specific version tag, not :latest |
| No --privileged | compose services don't use privileged mode |
| .dockerignore exists | Excludes .env, .git, secrets |
| No ADD for remote URLs | COPY preferred over ADD |
Performance checks:

| Check | Pass Criteria |
|---|---|
| Multi-stage build | Multiple FROM statements |
| Deps before source | COPY lock files before source code |
| Cache mounts used | --mount=type=cache for package managers |
| .dockerignore comprehensive | Excludes node_modules, __pycache__, .git, tests |
| Minimal base image | alpine, slim, or distroless variants |
| Package cache cleaned | apt-get clean or rm -rf /var/lib/apt/lists/* in the same RUN as apt-get install (a separate RUN leaves the cache in the earlier layer) |
Production readiness checks:

| Check | Pass Criteria |
|---|---|
| HEALTHCHECK defined | HEALTHCHECK instruction in Dockerfile |
| Exec form CMD | CMD uses JSON array, not shell form |
| PID 1 handling | App runs as PID 1 via exec-form CMD/ENTRYPOINT and handles SIGTERM, or an init (tini, dumb-init, compose init: true) forwards signals and reaps zombies |
| Restart policy | restart: unless-stopped in compose |
| Resource limits | mem_limit/cpus set in compose |
| Logging to stdout | No file-based logging in CMD |
docker-compose checks:

| Check | Pass Criteria |
|---|---|
| Named networks | Custom network, not default bridge |
| Health conditions | depends_on uses condition: service_healthy |
| Named volumes | No anonymous volumes |
| No hardcoded secrets | Environment uses variable references or env_file |
| Service ordering | depends_on uses the long form with a condition; the bare list form only orders container start, not readiness |
Glob: Dockerfile, Dockerfile.*, docker-compose*.yml, docker-compose*.yaml, .dockerignore
For each file found, evaluate all relevant checks.
For detailed Dockerfile analysis, dispatch the dockerfile-reviewer agent:
Task: dockerfile-reviewer agent
Input: Dockerfile path and optional compose path
Output: Structured review with severity levels
Use the audit-report.md template. Fill in:
After presenting the report, ask via AskUserQuestion:
| Priority | Criteria |
|---|---|
| High | Security: root user, secrets in image, no .dockerignore |
| Medium | Performance: no multi-stage, no cache mounts, large base image |
| Low | Production: missing HEALTHCHECK, shell form CMD, no resource limits |
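As an added example (not the skill's own code, nor the dockerfile-reviewer agent's), the Dockerfile rows of the security, performance and production tables above implemented as a small auditor that lists failures in the order of the priority table. The two Dockerfiles it audits are constructed samples: one that fails nearly every row, and the same service hardened. The secret-name patterns, the lock-file list, the "first non-flag token" parsing and the heuristic that a CMD starting with `[` is exec form are simplifying assumptions; the compose rows are out of scope.

```python
"""Added example: minimal Dockerfile auditor for the checklist rows above. Not the skill's code."""
import re
from dataclasses import dataclass

# Constructed sample: fails almost every row of the checklist.
WEAK = """\
FROM node:latest
ENV API_TOKEN=sk_live_constructed_example
ADD https://example.invalid/app.tar.gz /app/
RUN apt-get update && apt-get install -y curl
COPY . /app
WORKDIR /app
RUN npm install
CMD npm start
"""

# Constructed sample: the same service, hardened according to the checklist.
HARDENED = """\
# syntax=docker/dockerfile:1
FROM node:20.11-bookworm-slim AS build
WORKDIR /app
COPY package.json package-lock.json ./
RUN --mount=type=cache,target=/root/.npm npm ci --omit=dev
COPY . .

FROM node:20.11-bookworm-slim
RUN apt-get update && apt-get install -y --no-install-recommends curl \\
    && rm -rf /var/lib/apt/lists/*
WORKDIR /app
COPY --from=build /app /app
USER node
HEALTHCHECK --interval=30s CMD ["curl", "-f", "http://localhost:3000/health"]
CMD ["node", "server.js"]
"""

# Assumed heuristics: secret-looking variable names, common lock files, minimal-image markers.
SECRET_RE = re.compile(r"\b\w*(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)\w*\s*=", re.I)
LOCK_RE = re.compile(r"package-lock\.json|yarn\.lock|pnpm-lock\.yaml|poetry\.lock|requirements\.txt|go\.sum|Cargo\.lock|Gemfile\.lock")
MINIMAL_RE = re.compile(r"alpine|slim|distroless|^scratch$")


@dataclass
class Finding:
    check: str
    priority: str  # High = security, Medium = performance, Low = production (the priority table)
    passed: bool


def parse(text):
    """Return (INSTRUCTION, args) pairs; joins backslash continuations, drops comments and blank lines."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        inst, _, args = (buf + line).partition(" ")
        out.append((inst.upper(), args.strip()))
        buf = ""
    return out


def first_operand(args):
    """First non-flag token: the image reference of a FROM, or the first source of a COPY."""
    return next(t for t in args.split() if not t.startswith("--"))


def pinned(ref, stages):
    """Pinned = digest, or a tag other than :latest; references to earlier build stages count as pinned."""
    if ref in stages or ref == "scratch" or "@sha256:" in ref:
        return True
    _, _, tag = ref.rpartition("/")[2].partition(":")  # rpartition keeps registry:port out of the tag
    return bool(tag) and tag != "latest"


def audit(text):
    inst = parse(text)
    froms = [first_operand(a) for i, a in inst if i == "FROM"]
    stages = {a.split()[-1] for i, a in inst if i == "FROM" and " AS " in a.upper()}
    last_user = next((a for i, a in reversed(inst) if i == "USER"), "root").split(":")[0]
    runs = [a for i, a in inst if i == "RUN"]
    cmds = [a for i, a in inst if i in ("CMD", "ENTRYPOINT")]
    copies = [(n, a) for n, (i, a) in enumerate(inst) if i == "COPY"]
    lock_pos = [n for n, a in copies if LOCK_RE.search(a)]
    src_pos = [n for n, a in copies if first_operand(a) in (".", "./")]
    apt_runs = [r for r in runs if re.search(r"apt(-get)?\s+install", r)]
    checks = [
        ("Non-root USER", "High", last_user not in ("root", "0")),
        ("No secrets in ENV/ARG", "High", not any(SECRET_RE.search(a) for i, a in inst if i in ("ENV", "ARG"))),
        ("Base image pinned", "High", all(pinned(r, stages) for r in froms)),
        ("No ADD for remote URLs", "High", not any(i == "ADD" and re.search(r"https?://", a) for i, a in inst)),
        ("Multi-stage build", "Medium", len(froms) >= 2),
        ("Deps before source", "Medium", bool(lock_pos and src_pos) and min(lock_pos) < min(src_pos)),
        ("Cache mounts used", "Medium", any("--mount=type=cache" in r for r in runs)),
        ("Minimal base image", "Medium", bool(froms) and bool(MINIMAL_RE.search(froms[-1]))),
        ("Package cache cleaned", "Medium", all(re.search(r"rm -rf /var/lib/apt/lists|apt-get clean", r) for r in apt_runs)),
        ("HEALTHCHECK defined", "Low", any(i == "HEALTHCHECK" for i, _ in inst)),
        ("Exec form CMD", "Low", bool(cmds) and all(a.startswith("[") for a in cmds)),
    ]
    return [Finding(*c) for c in checks]


def failures(text):
    """Failed checks as (priority, check), highest priority first, ready for the report."""
    rank = {"High": 0, "Medium": 1, "Low": 2}
    return [(f.priority, f.check) for f in sorted(audit(text), key=lambda f: rank[f.priority]) if not f.passed]


if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"{name}: {len(failures(text))} failing check(s)")
        for prio, check in failures(text):
            print(f"  [{prio}] {check}")
```

Run against a real Dockerfile by reading the file into `failures()`; the weak sample fails all eleven rows and the hardened one passes all of them. Note that "Package cache cleaned" passes vacuously when no `apt-get install` appears, and that the secret check is name-based only, so it will not catch a secret stored under an innocuous variable name.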