From configure-plugin
Checks and configures container infrastructure including Dockerfiles, build workflows, registries, scanning, and devcontainers for minimal images, non-root users, and security hardening.
npx claudepluginhub laurigates/claude-plugins --plugin configure-plugin

This skill is limited to using the following tools:
Check and configure comprehensive container infrastructure against project standards with emphasis on **minimal images**, **non-root users**, and **security hardening**.
| Use this skill when... | Use another approach when... |
|---|---|
| Auditing container infrastructure compliance (Dockerfile, workflows, scanning) | Writing a Dockerfile from scratch (/configure:dockerfile) |
| Checking multi-stage builds, non-root users, and security hardening | Configuring Kubernetes deployments (/configure:skaffold) |
| Setting up container build workflows with GHCR and multi-platform support | Running vulnerability scans on a built image (Trivy CLI directly) |
| Verifying .dockerignore, OCI labels, and base image versions | Configuring devcontainer features for VS Code |
| Adding Trivy/Grype scanning to CI pipelines | Debugging container runtime issues (system-debugging agent) |
```bash
find . -maxdepth 2 \( -name 'Dockerfile' -o -name 'Dockerfile.*' -o -name '*.Dockerfile' \)
find . -maxdepth 1 -name '.dockerignore'
find .github/workflows -maxdepth 1 \( -name '*container*' -o -name '*docker*' -o -name '*build*' \)
find .devcontainer -maxdepth 1 -name 'devcontainer.json'
find . -maxdepth 1 -name 'skaffold.yaml'
find . -maxdepth 1 \( -name 'package.json' -o -name 'pyproject.toml' -o -name 'Cargo.toml' -o -name 'go.mod' \)
find . -maxdepth 1 -name '.project-standards.yaml'
```

Parse from command arguments:

- --check-only: Report compliance status without modifications (CI/CD mode)
- --fix: Apply fixes automatically without prompting
- --component <name>: Check specific component only (dockerfile, workflow, registry, scanning, devcontainer)

Minimal Attack Surface: Smaller images = fewer vulnerabilities. Use Alpine (~5MB) for Node.js, slim (~50MB) for Python.
Non-Root by Default: ALL containers MUST run as non-root users.
Multi-Stage Required: Separate build and runtime environments. Build tools and dev dependencies should NOT be in production images.
Execute this container infrastructure compliance check:
Search for Dockerfile, workflow files, devcontainer config, and .dockerignore. Detect the project type (frontend, python, go, rust, infrastructure) from package files.
Use WebSearch or WebFetch to verify current versions before flagging outdated images:
Check each component against standards:
Dockerfile Standards:
| Check | Standard | Severity |
|---|---|---|
| Exists | Required for containerized projects | FAIL if missing |
| Multi-stage | Required (build + runtime stages) | FAIL if missing |
| HEALTHCHECK | Required for K8s probes | FAIL if missing |
| Non-root user | REQUIRED (not optional) | FAIL if missing |
| .dockerignore | Required | WARN if missing |
| .dockerignore Dockerfile* | Use glob to exclude all Dockerfile variants from context | WARN if only Dockerfile |
| Base image version | Latest stable (check Docker Hub) | WARN if outdated |
| Minimal base | Alpine for Node, slim for Python | WARN if bloated |
Base Image Standards (verify latest before reporting):
| Language | Build Image | Runtime Image | Size Target |
|---|---|---|---|
| Node.js | node:24-alpine (LTS) | nginx:1.27-alpine | < 50MB |
| Python | python:3.13-slim | python:3.13-slim | < 150MB |
| Go | golang:1.23-alpine | scratch or alpine:3.21 | < 20MB |
| Rust | rust:1.84-alpine | alpine:3.21 | < 20MB |
Security Hardening Standards:
| Check | Standard | Severity |
|---|---|---|
| Non-root USER | Required (create dedicated user) | FAIL if missing |
| Read-only FS | --read-only or RO annotation | INFO if missing |
| No new privileges | --security-opt=no-new-privileges | INFO if missing |
| Drop capabilities | --cap-drop=all + explicit --cap-add | INFO if missing |
| No secrets in image | No ENV with sensitive data | FAIL if found |
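The Dockerfile and hardening rows that can be decided from the file alone (multi-stage, HEALTHCHECK, non-root USER in the final stage, no secrets in ENV/ARG) can be checked mechanically. The following is an added example and not the skill's own code; the secret-key word list and the two sample Dockerfiles are constructed for the demo, and the checker only inspects the final stage's USER because that is the stage that actually runs.

```python
"""Audit a Dockerfile against the Dockerfile and hardening standards above.

Added example, not code from the configure-container skill: it checks the
rows that can be decided from the file alone (multi-stage, HEALTHCHECK,
non-root USER in the final stage, no secrets in ENV/ARG). The two sample
Dockerfiles at the bottom are constructed for the demo.
"""
import re

# Assumed heuristic: key names containing any of these suggest a baked-in secret.
SECRET_HINTS = ("PASSWORD", "SECRET", "TOKEN", "API_KEY", "PRIVATE_KEY")


def parse_instructions(dockerfile: str):
    """Yield (INSTRUCTION, argument) pairs; joins backslash continuations, skips comments."""
    joined = re.sub(r"\\\r?\n", " ", dockerfile)
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        yield parts[0].upper(), (parts[1].strip() if len(parts) > 1 else "")


def env_pairs(arg: str):
    """Key/value pairs from 'ENV K=V K2=V2' or the legacy 'ENV K V' form."""
    if "=" in arg:
        return re.findall(r"([A-Za-z_][A-Za-z0-9_]*)=(\S*)", arg)
    key, _, value = arg.partition(" ")
    return [(key, value.strip())]


def check_dockerfile(dockerfile: str) -> dict:
    """Return {check: (status, detail)} with status PASS or FAIL, as in the tables."""
    ins = list(parse_instructions(dockerfile))
    results = {}

    # Multi-stage: at least two FROM lines (build stage + runtime stage).
    from_idx = [i for i, (name, _) in enumerate(ins) if name == "FROM"]
    results["multi-stage"] = (("PASS", f"{len(from_idx)} stages") if len(from_idx) >= 2
                              else ("FAIL", "single stage; build tools ship in the runtime image"))

    # HEALTHCHECK must exist and must not be NONE, which disables inherited checks.
    checks = [arg for name, arg in ins if name == "HEALTHCHECK"]
    if not checks:
        results["healthcheck"] = ("FAIL", "missing")
    elif any(arg.upper() == "NONE" for arg in checks):
        results["healthcheck"] = ("FAIL", "HEALTHCHECK NONE disables probes")
    else:
        results["healthcheck"] = ("PASS", "present")

    # Non-root: only the final stage runs, so look at the last USER after the last FROM.
    final = ins[from_idx[-1] + 1:] if from_idx else ins
    users = [arg for name, arg in final if name == "USER"]
    if not users:
        results["non-root-user"] = ("FAIL", "no USER in final stage; runs as root")
    elif users[-1].split(":")[0] in ("root", "0"):
        results["non-root-user"] = ("FAIL", f"final USER is {users[-1]}")
    else:
        results["non-root-user"] = ("PASS", f"runs as {users[-1]}")

    # Secrets: ENV/ARG keys that look sensitive and carry a literal value into the image.
    leaks = [k for name, arg in ins if name in ("ENV", "ARG")
             for k, v in env_pairs(arg)
             if v.strip("\"'") and any(h in k.upper() for h in SECRET_HINTS)]
    results["no-secrets"] = (("FAIL", "literal value for " + ", ".join(leaks)) if leaks
                             else ("PASS", "none found"))
    return results


# Constructed sample that meets the standards (python:3.13-slim for build and runtime).
GOOD_DOCKERFILE = """\
FROM python:3.13-slim AS build
WORKDIR /app
COPY requirements.txt .
RUN pip install --no-cache-dir --prefix=/install \\
    -r requirements.txt

FROM python:3.13-slim
COPY --from=build /install /usr/local
COPY app.py /app/app.py
RUN useradd --system --uid 10001 --no-create-home app
USER app
HEALTHCHECK --interval=30s --timeout=3s CMD python -c \\
    'import urllib.request as u; u.urlopen("http://localhost:8000/healthz")'
CMD ["python", "/app/app.py"]
"""

# Constructed sample that fails every check above.
BAD_DOCKERFILE = """\
FROM python:3.13
COPY . /app
ENV DB_PASSWORD=hunter2
CMD ["python", "/app/app.py"]
"""

if __name__ == "__main__":
    for label, text in (("good", GOOD_DOCKERFILE), ("bad", BAD_DOCKERFILE)):
        for check, (status, detail) in check_dockerfile(text).items():
            print(f"{label:5} {check:14} {status:4} {detail}")
```

The read-only filesystem, no-new-privileges and capability-drop rows are runtime flags rather than Dockerfile content, which is why they are INFO here and not covered by the file checker; they belong in the compose file, Kubernetes securityContext, or `docker run` invocation.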
Build Workflow Standards:
| Check | Standard | Severity |
|---|---|---|
| Workflow exists | container-build.yml or similar | FAIL if missing |
| checkout action | v4+ | WARN if older |
| build-push-action | v6+ | WARN if older |
| Multi-platform | linux/amd64,linux/arm64 | WARN if missing |
| Build caching | GHA cache enabled | WARN if missing |
| Security scan | Trivy/Grype in workflow | WARN if missing |
| id-token: write | Required when provenance/SBOM configured | WARN if missing |
| Cache scope | Explicit scope= for multi-image builds | WARN if missing |
| Scanner pinned | Trivy/Grype action pinned by SHA (not @master) | WARN if unpinned |
Container Labels Standards (GHCR Integration):
| Check | Standard | Severity |
|---|---|---|
| org.opencontainers.image.source | Required - Links to repository | WARN if missing |
| org.opencontainers.image.description | Required - Package description | WARN if missing |
| org.opencontainers.image.licenses | Required - SPDX license | WARN if missing |
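The build-workflow and container-label rows can likewise be checked from the workflow file. The following is an added example, not the skill's or the project's own code: it reads the workflow as text with regular expressions (so it needs no YAML library and only handles the single-line `platforms: a,b` form), recognises scanner steps by the words "trivy" or "grype" in the action name (an assumption; Grype via another action name would need adding), and treats a full 40-hex SHA as a pin. The two workflow fragments are constructed, and the 40-zero SHA on the scanner step is a placeholder, not a real release commit.

```python
"""Audit a container-build workflow against the workflow and label tables above.

Added example, not code from the configure-container skill. Regex-based text
checks only; the sample fragments below are constructed and the 40-zero SHA
is a placeholder for a real release commit.
"""
import re

ACTION_RE = re.compile(r"uses:\s*([\w.-]+/[\w.-]+)@(\S+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
OCI_LABELS = ("source", "description", "licenses")
SCANNER_WORDS = ("trivy", "grype")  # assumed: scanner steps are named after the tool


def action_refs(workflow: str) -> dict:
    """Map each action (owner/name) to the list of refs it is used with."""
    refs = {}
    for action, ref in ACTION_RE.findall(workflow):
        refs.setdefault(action, []).append(ref)
    return refs


def meets_minimum(ref: str, minimum_major: int) -> bool:
    """Tag vN passes when N >= minimum. A full SHA passes here because the
    version must then be read from the pin comment, which this does not do."""
    if FULL_SHA_RE.match(ref):
        return True
    m = re.match(r"v(\d+)", ref)
    return bool(m) and int(m.group(1)) >= minimum_major


def check_workflow(workflow: str) -> dict:
    """Return {check: (status, detail)}; PASS/WARN statuses follow the tables."""
    refs = action_refs(workflow)
    results = {}
    for check, action, minimum in (("checkout", "actions/checkout", 4),
                                   ("build-push-action", "docker/build-push-action", 6)):
        used = refs.get(action, [])
        if not used:
            results[check] = ("WARN", f"{action} not used")
        elif all(meets_minimum(r, minimum) for r in used):
            results[check] = ("PASS", f"{action}@{used[0]}")
        else:
            results[check] = ("WARN", f"{action}@{used[0]} is below v{minimum} or not a version tag")

    m = re.search(r"platforms:\s*(.+)", workflow)  # single-line form only
    platforms = {p.strip() for p in m.group(1).split(",")} if m else set()
    results["multi-platform"] = (("PASS", ",".join(sorted(platforms)))
                                 if {"linux/amd64", "linux/arm64"} <= platforms
                                 else ("WARN", "needs both linux/amd64 and linux/arm64"))

    cache = re.findall(r"cache-(?:from|to):\s*(.+)", workflow)
    if not any("type=gha" in c for c in cache):
        results["build-caching"] = ("WARN", "GHA cache not enabled")
    elif not all("scope=" in c for c in cache):
        results["build-caching"] = ("WARN", "GHA cache without explicit scope=")
    else:
        results["build-caching"] = ("PASS", "GHA cache with explicit scope")

    scanners = {a: rs for a, rs in refs.items() if any(w in a.lower() for w in SCANNER_WORDS)}
    unpinned = [f"{a}@{r}" for a, rs in scanners.items() for r in rs if not FULL_SHA_RE.match(r)]
    if not scanners:
        results["security-scan"] = ("WARN", "no Trivy/Grype step")
    elif unpinned:
        results["security-scan"] = ("WARN", "scanner not pinned by SHA: " + unpinned[0])
    else:
        results["security-scan"] = ("PASS", "scanner pinned by full SHA")

    # id-token: write is only required once provenance or SBOM generation is turned on.
    attested = re.search(r"^\s*(provenance|sbom):\s*true\s*$", workflow, re.M) is not None
    id_token = re.search(r"^\s*id-token:\s*write\s*$", workflow, re.M) is not None
    if not attested:
        results["id-token"] = ("PASS", "not required (no provenance/SBOM configured)")
    elif id_token:
        results["id-token"] = ("PASS", "id-token: write present")
    else:
        results["id-token"] = ("WARN", "provenance/SBOM configured without id-token: write")

    for label in OCI_LABELS:
        present = f"org.opencontainers.image.{label}=" in workflow
        results[f"label-{label}"] = ("PASS", "set") if present else ("WARN", "missing")
    return results


# Constructed fragment that meets every row (placeholder SHA on the scanner step).
GOOD_WORKFLOW = """\
permissions:
  id-token: write
steps:
  - uses: actions/checkout@v4
  - uses: docker/metadata-action@v5
    with:
      labels: |
        org.opencontainers.image.source=https://github.com/example/repo
        org.opencontainers.image.description=Example service
        org.opencontainers.image.licenses=MIT
  - uses: docker/build-push-action@v6
    with:
      platforms: linux/amd64,linux/arm64
      cache-from: type=gha,scope=app
      cache-to: type=gha,mode=max,scope=app
      provenance: true
      sbom: true
  - uses: aquasecurity/trivy-action@0000000000000000000000000000000000000000  # placeholder
"""

# Constructed fragment that trips every WARN in the tables.
BAD_WORKFLOW = """\
steps:
  - uses: actions/checkout@v3
  - uses: docker/build-push-action@v5
    with:
      platforms: linux/amd64
      provenance: true
  - uses: aquasecurity/trivy-action@master
"""
```

A floating ref such as `@master` on the scanner step is the row worth weighting most: it lets whoever controls that repository change what runs in the pipeline, whereas a full SHA pin only moves when someone in this repository updates it.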
Run /configure:dockerfile for detailed Dockerfile checks if needed.
Print a formatted compliance report:
```text
Container Infrastructure Compliance Report
==============================================
Project Type: frontend (detected)

Component Status:
  Dockerfile             PASS
  Build Workflow         PASS
  Registry Config        PASS
  Container Scanning     WARN (missing)
  Devcontainer           SKIP (not required)
  .dockerignore          PASS

Dockerfile Checks:
  Multi-stage            2 stages             PASS
  HEALTHCHECK            Present              PASS
  Base images            node:22, nginx       PASS

Build Workflow Checks:
  Workflow               container-build.yml  PASS
  checkout               v4                   PASS
  build-push-action      v6                   PASS
  Multi-platform         amd64,arm64          PASS
  GHA caching            Enabled              PASS

Container Labels Checks:
  image.source           In metadata-action   PASS
  image.description      Custom label set     PASS
  image.licenses         Not configured       WARN

Recommendations:
  - Add org.opencontainers.image.licenses label to workflow
  - Add Trivy or Grype vulnerability scanning to CI

Overall: 2 warnings, 1 info
```
If --check-only, stop here.
/configure:dockerfile --fix

Update .project-standards.yaml:

```yaml
components:
  container: "2025.1"
  dockerfile: "2025.1"
  container-workflow: "2025.1"
```
For detailed templates (Dockerfile, workflow, devcontainer, .dockerignore), see REFERENCE.md.
| Context | Command |
|---|---|
| Quick compliance check | /configure:container --check-only |
| Auto-fix all issues | /configure:container --fix |
| Dockerfile only | /configure:container --check-only --component dockerfile |
| Workflow only | /configure:container --check-only --component workflow |
| Scanning only | /configure:container --fix --component scanning |
| Find all Dockerfiles | find . -maxdepth 2 \( -name 'Dockerfile' -o -name 'Dockerfile.*' \) 2>/dev/null |
| Flag | Description |
|---|---|
| --check-only | Report status without offering fixes |
| --fix | Apply fixes automatically |
| --component <name> | Check specific component only (dockerfile, workflow, registry, scanning, devcontainer) |
```text
Container Infrastructure
├── Dockerfile (required)
│   └── .dockerignore (recommended)
├── Build Workflow (required for CI/CD)
│   ├── Registry config
│   └── Multi-platform builds
├── Container Scanning (recommended)
│   └── SBOM generation (optional)
└── Devcontainer (optional)
    └── VS Code extensions
```

- /configure:dockerfile - Dockerfile-specific configuration
- /configure:workflows - GitHub Actions workflow configuration
- /configure:skaffold - Kubernetes development configuration
- /configure:security - Security scanning configuration
- /configure:all - Run all compliance checks
- container-development skill - Container best practices
- ci-workflows skill - CI/CD workflow patterns