Docker配置验证器 - 全面检查Dockerfile与Compose文件，确保安全与最佳实践

Docker Configuration Validator by rknall/claude-skills

34 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/rknall/claude-skills --skill 'Docker Configuration Validator'

自动化开发运维安全

🇨🇳中文介绍

Docker 配置验证器

此技能为 Dockerfile 和 Docker Compose 文件提供全面的验证，确保符合最佳实践、安全标准和现代语法要求。

何时使用此技能

当用户请求以下内容时激活此技能：

验证 Dockerfile 或 Docker Compose 文件
审查 Docker 配置是否符合最佳实践
检查 Docker 安全问题
验证多阶段构建的实现
审核 Docker 设置是否满足生产就绪要求
确保符合现代 Docker Compose 语法
修复 Docker 配置问题
创建验证脚本或 CI/CD 集成

核心工作流程

阶段 1：初步评估

当用户请求 Docker 验证时，首先了解范围：

确定验证内容
- 单个 Dockerfile 还是多个？
- Docker Compose 文件？
- 整个项目目录？
- 特定的关注点或重点领域？
- 生产环境还是开发环境？
理解需求
- 所需的安全合规级别？
- 是否需要多阶段构建？
- 性能限制？
- 是否需要 CI/CD 集成？
- 是否需要自动化验证脚本？
检查可用工具
- Hadolint 是否可用？（Dockerfile 检查工具）
- DCLint 是否可用？（Docker Compose 检查工具）
- Docker CLI 是否可用？
- 是否应将工具安装作为流程的一部分？

阶段 2：Dockerfile 验证

步骤 1：定位 Dockerfile

查找项目中的所有 Dockerfile：

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

阶段 3：Docker Compose 验证

步骤 1：定位 Compose 文件

查找所有 Docker Compose 文件：

find . -maxdepth 3 -type f \( -name "docker-compose*.yml" -o -name "docker-compose*.yaml" -o -name "compose*.yml" \)

步骤 2：检查过时的版本字段

关键检查： 现代 Docker Compose（v2.27.0+）不使用版本字段

# 检查过时的版本字段
if grep -q "^version:" docker-compose.yml; then
    echo "❌ 错误：发现过时的 'version' 字段"
    echo "移除 'version:' 行 - 它在 Compose v2.27.0+ 中已过时"
fi

旧（已弃用）：

version: '3.8'  # ❌ 移除此行
services:
  web:
    image: nginx:latest

新（现代）：

# 没有版本字段！
services:
  web:
    image: nginx:1.24-alpine

步骤 3：内置 Docker Compose 验证

# 语法验证
docker compose config --quiet

# 显示解析后的配置
docker compose config

# 验证特定文件
docker compose -f docker-compose.prod.yml config --quiet

步骤 4：DCLint 验证（如果可用）

# 检查 compose 文件
dclint docker-compose.yml

# 自动修复问题
dclint --fix docker-compose.yml

# JSON 输出
dclint --format json docker-compose.yml

步骤 5：手动 Compose 验证

1. 镜像最佳实践

✅ 检查：未使用 :latest 标签
✅ 检查：指定了具体版本
✅ 检查：镜像来自受信任的源

✅ 检查：定义了重启策略
✅ 检查：配置了健康检查
✅ 检查：设置了资源限制（可选但推荐）
✅ 检查：正确的服务依赖关系（depends_on）

✅ 检查：定义了自定义网络
✅ 检查：实现了网络隔离
✅ 检查：使用了适当的网络驱动程序

4. 卷与持久化

✅ 检查：为持久化使用命名卷
✅ 检查：指定了卷驱动程序
✅ 检查：绑定挂载使用绝对路径
✅ 检查：卷中没有敏感数据

5. 环境与密钥

✅ 检查：环境变量管理得当
✅ 检查：没有硬编码的密钥
✅ 检查：推荐使用 .env 文件
✅ 检查：配置了密钥管理

✅ 检查：未使用特权模式（除非必要）
✅ 检查：正确配置了能力
✅ 检查：指定了用户/组
✅ 检查：根文件系统只读（适用时）

阶段 4：多阶段构建深入分析

验证多阶段构建时，确保：

# 构建阶段
FROM node:20-bullseye AS builder
WORKDIR /app
COPY package*.json ./
RUN npm ci
COPY . .
RUN npm run build && npm run test

# 生产阶段
FROM node:20-alpine AS runtime
WORKDIR /app
COPY --from=builder /app/dist ./dist
USER node
CMD ["node", "dist/index.js"]

✅ 至少 2 个阶段（构建 + 运行时）
✅ 所有阶段都使用 AS 关键字命名
✅ 使用 COPY --from 在阶段间复制制品
✅ 最终阶段使用最小化基础镜像
✅ 最终阶段没有构建工具
✅ 最终镜像中只有必要的文件
✅ 最终阶段以非 root 用户身份运行

3. 要检查的常见模式

Node.js 多阶段：

构建阶段：安装所有依赖，构建，测试
运行时阶段：仅生产依赖，构建后的制品

Python 多阶段：

构建阶段：编译依赖，构建 wheel 包
运行时阶段：安装预构建的 wheel 包，仅应用

构建阶段：完整的 Go 工具链，编译二进制文件
运行时阶段：Scratch/distroless，仅二进制文件

阶段 5：安全审计

执行全面的安全检查：

1. 用户与权限

# 检查 USER 指令
USER_COUNT=$(grep -c "^USER " Dockerfile)
LAST_USER=$(grep "^USER " Dockerfile | tail -1 | awk '{print $2}')

if [ "$USER_COUNT" -eq 0 ]; then
    echo "❌ 严重：未指定 USER（以 root 身份运行！）"
elif [ "$LAST_USER" == "root" ] || [ "$LAST_USER" == "0" ]; then
    echo "❌ 严重：最终的 USER 是 root"
fi

2. 暴露的密钥

检查 ENV 中的密码
检查 COPY/ADD 中的 API 密钥
检查 RUN 命令中的凭据
推荐密钥管理解决方案

3. 易受攻击的基础镜像

检查基础镜像的年龄和支持状态
推荐安全扫描（Trivy, Snyk）
建议固定、受支持的版本

审查 EXPOSE 指令
检查是否暴露了不必要的端口
验证 Compose 中的端口映射

阶段 6：生成验证报告

构建验证报告：

# Docker 配置验证报告

## 执行摘要
- **分析的 Dockerfile 总数**：X
- **分析的 Compose 文件总数**：X
- **严重问题**：X
- **高优先级问题**：X
- **中优先级问题**：X
- **低优先级问题**：X
- **总体状态**：✅ 通过 / ⚠️ 警告 / ❌ 失败

## Dockerfile 分析

### [Dockerfile 路径]

#### 验证结果
✅ **通过**：实现了多阶段构建
✅ **通过**：以非 root 用户身份运行
⚠️  **警告**：使用 ADD 而非 COPY（第 15 行）
❌ **失败**：基础镜像使用 :latest 标签（第 1 行）

#### 安全评估
- **用户**：nodejs（非 root）✅
- **基础镜像**：node:latest ❌
- **密钥**：未检测到 ✅
- **健康检查**：存在 ✅

#### 多阶段构建分析
- **阶段数**：2（builder, runtime）
- **命名阶段**：是 ✅
- **阶段间复制**：1 ✅
- **最终基础镜像**：node:20-alpine ✅
- **最终镜像中的构建工具**：无 ✅

#### 发现的问题

**严重：**
1. 第 1 行：使用 :latest 标签
   - 问题：`FROM node:latest`
   - 修复：`FROM node:20-bullseye`
   - 影响：构建不可预测，安全风险

**高：**
2. 第 45 行：未清理包缓存
   - 问题：`RUN apt-get install -y curl`
   - 修复：添加 `&& rm -rf /var/lib/apt/lists/*`
   - 影响：镜像体积更大

**中：**
3. 第 15 行：使用 ADD 而非 COPY
   - 问题：`ADD app.tar.gz /app/`
   - 修复：`COPY app.tar.gz /app/`（或单独解压）
   - 影响：行为不够明确

## Docker Compose 分析

### [Compose 文件路径]

#### 验证结果
❌ **失败**：存在过时的 'version' 字段
⚠️  **警告**：3 个服务使用 :latest 标签
✅ **通过**：定义了自定义网络
✅ **通过**：配置了命名卷

#### 现代语法合规性
- **版本字段**：存在 ❌（必须移除）
- **具体标签**：5 个服务中的 2 个 ⚠️
- **重启策略**：所有服务 ✅
- **健康检查**：5 个服务中的 3 个 ⚠️

#### 发现的问题

**严重：**
1. 过时的 'version' 字段
   - 问题：`version: '3.8'`
   - 修复：移除整行
   - 影响：使用已弃用的语法

**高：**
2. 服务 'web' 使用 :latest 标签
   - 问题：`image: nginx:latest`
   - 修复：`image: nginx:1.24-alpine`
   - 影响：部署不可预测

3. 服务 'cache' 没有重启策略
   - 问题：缺少 `restart:` 指令
   - 修复：添加 `restart: unless-stopped`
   - 影响：服务不会自动恢复

## 建议

### 立即行动（严重）
1. 固定所有 Docker 镜像版本（移除 :latest）
2. 从 Compose 文件中移除过时的 'version' 字段
3. 确保所有服务以非 root 用户身份运行
4. 清理所有 Dockerfile 中的包管理器缓存

### 高优先级（生产前）
1. 为所有服务实现健康检查
2. 为所有 Compose 服务添加重启策略
3. 设置资源限制（内存、CPU）
4. 实现适当的密钥管理

### 中优先级（最佳实践）
1. 除非提取归档文件，否则使用 COPY 而非 ADD
2. 添加标签以更好地组织
3. 实现日志驱动程序
4. 为镜像添加元数据

### 低优先级（优化）
1. 在可能的情况下考虑使用更精简的基础镜像
2. 通过更好的排序优化层缓存
3. 添加全面的注释
4. 实现 .dockerignore 文件

## 后续步骤

1. **修复严重问题**（预计：30 分钟）
   - 固定镜像版本
   - 从 Compose 中移除版本字段
   - 添加 USER 指令

2. **处理高优先级问题**（预计：1-2 小时）
   - 添加健康检查
   - 配置重启策略
   - 设置资源限制

3. **重新验证**（预计：10 分钟）
   - 修复后再次运行验证
   - 确保所有严重问题已解决

4. **设置自动化**（预计：1 小时）
   - 添加预提交钩子
   - 集成到 CI/CD
   - 安排定期安全扫描

## 验证工具推荐

### 安装所需工具
```bash
# Hadolint (Dockerfile 检查工具)
brew install hadolint  # macOS
# 或
wget -O /usr/local/bin/hadolint https://github.com/hadolint/hadolint/releases/download/v2.12.0/hadolint-Linux-x86_64

# DCLint (Docker Compose 检查工具)
npm install -g docker-compose-linter

# Trivy (安全扫描器)
brew install aquasecurity/trivy/trivy

自动化验证脚本

[根据项目需求提供自定义验证脚本]

[提供 GitHub Actions / GitLab CI 配置]

## 交付物

验证结束时，提供：

1. **全面的验证报告**
   - 包含总体状态的执行摘要
   - 每个文件的详细发现
   - 问题分类（严重 → 低）
   - 每个问题的具体修复方法
   - 优先排序的建议

2. **修复后的配置文件**（如请求）
   - 修正后的 Dockerfile
   - 更新后的 Compose 文件
   - .hadolint.yaml 配置
   - .dclintrc.json 配置

3. **验证脚本**（如请求）
   - 用于自动化验证的自定义 bash 脚本
   - 检查项目特定要求
   - 彩色编码输出
   - 用于 CI/CD 的退出代码

4. **CI/CD 集成**（如请求）
   - GitHub Actions 工作流
   - GitLab CI 配置
   - 预提交钩子
   - 与现有流水线的集成

5. **文档**
   - 如何在本地运行验证
   - 工具安装说明
   - 最佳实践指南
   - 常见问题及解决方案

## 验证脚本模板

当用户请求自动化验证时，创建此脚本：

```bash
#!/bin/bash
# docker-validation.sh

set -e

# 颜色代码
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m'

ERRORS=0
WARNINGS=0

echo -e "${BLUE}╔══════════════════════════════════════════╗${NC}"
echo -e "${BLUE}║   Docker 配置验证器                    ║${NC}"
echo -e "${BLUE}╚══════════════════════════════════════════╝${NC}"

# 1. 先决条件检查
echo -e "\n${BLUE}━━━ 检查先决条件 ━━━${NC}"
command -v docker >/dev/null || { echo "❌ 未找到 Docker"; exit 1; }
command -v hadolint >/dev/null || echo "⚠️  未安装 Hadolint"

# 2. Dockerfile 验证
echo -e "\n${BLUE}━━━ 验证 Dockerfile ━━━${NC}"
find . -name "Dockerfile*" -type f | while read df; do
    echo "检查：$df"
    # [此处添加验证逻辑]
done

# 3. 多阶段构建检查
echo -e "\n${BLUE}━━━ 检查多阶段构建 ━━━${NC}"
# [多阶段验证逻辑]

# 4. Compose 验证
echo -e "\n${BLUE}━━━ 验证 Docker Compose ━━━${NC}"
find . -name "*compose*.yml" | while read cf; do
    # 检查过时的版本字段
    if grep -q "^version:" "$cf"; then
        echo -e "${RED}❌ $cf：存在过时的版本字段${NC}"
        ERRORS=$((ERRORS + 1))
    fi

    # 验证语法
    docker compose -f "$cf" config --quiet || ERRORS=$((ERRORS + 1))
done

# 5. 安全检查
echo -e "\n${BLUE}━━━ 安全审计 ━━━${NC}"
# [安全验证逻辑]

# 最终报告
echo -e "\n${BLUE}╔══════════════════════════════════════════╗${NC}"
echo -e "${BLUE}║         验证摘要                        ║${NC}"
echo -e "${BLUE}╚══════════════════════════════════════════╝${NC}"

if [ $ERRORS -eq 0 ]; then
    echo -e "${GREEN}✅ 所有检查通过！${NC}"
    exit 0
else
    echo -e "${RED}❌ 发现 $ERRORS 个错误，$WARNINGS 个警告${NC}"
    exit 1
fi

name: Docker 验证

on:
  push:
    branches: [ main, develop ]
  pull_request:
    branches: [ main ]

jobs:
  validate:
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v4

      - name: 检查 Dockerfile
        uses: hadolint/hadolint-action@v3.1.0
        with:
          dockerfile: ./Dockerfile
          failure-threshold: error

      - name: 验证 Compose 文件
        run: |
          for f in $(find . -name "*compose*.yml"); do
            docker compose -f "$f" config --quiet
          done

      - name: 检查过时的版本字段
        run: |
          if grep -r "^version:" . --include="*compose*.yml"; then
            echo "错误：发现过时的版本字段"
            exit 1
          fi

stages:
  - validate

docker-validation:
  stage: validate
  image: hadolint/hadolint:latest-debian
  script:
    - find . -name "Dockerfile*" -exec hadolint {} \;
    - |
      for f in $(find . -name "*compose*.yml"); do
        if grep -q "^version:" "$f"; then
          echo "错误：$f 中存在过时的版本字段"
          exit 1
        fi
      done

全面彻底
- 系统地检查所有方面
- 如果工具不可用，不要跳过手动检查
- 验证语法和最佳实践
明确优先级
- 首先处理严重问题（安全、功能）
- 其次是高优先级（生产就绪性）
- 中低优先级作为改进项
提供具体修复方法
- 显示确切的行号
- 提供修复前后的代码
- 解释为何需要修复
- 包含影响评估
教育引导
- 解释 Docker 最佳实践
- 参考官方文档
- 提供学习资源
- 分享现代语法要求
可操作性强
- 提供分步修复方案
- 提供自动化脚本
- 建议 CI/CD 集成
- 估算修复工作量

模式 1：快速语法检查

运行 Hadolint 和 DCLint
检查过时的版本字段
使用 Docker Compose config 验证
仅报告严重语法错误

模式 2：完整生产审计

完整的 Dockerfile 验证
多阶段构建验证
安全审计
Compose 最佳实践
生成全面报告
提供自动化脚本

模式 3：安全重点审查

用户权限检查
密钥暴露扫描
基础镜像安全
网络暴露审计
安全扫描集成

模式 4：优化审查

多阶段构建有效性
层优化
镜像大小分析
构建时间改进
缓存策略

要强制执行的关键规则

Dockerfile 规则（严重）

✅ 无 :latest 标签（DL3006）
✅ 最后的 USER 不是 root（DL3002）
✅ 使用绝对路径 WORKDIR（DL3000）
✅ 固定包版本（DL3008, DL3013）
✅ 清理包缓存（DL3009）

Docker Compose 规则（严重）

✅ 无版本字段（自 v2.27.0 起已过时）
✅ 无 :latest 标签
✅ 定义了重启策略
✅ 配置了健康检查
✅ 为持久化使用命名卷

多阶段构建规则

✅ 至少 2 个阶段
✅ 使用 AS 命名阶段
✅ 使用 COPY --from 复制制品
✅ 最终基础镜像最小化
✅ 最终阶段无构建工具

安全规则（严重）

✅ 以非 root USER 身份运行
✅ 镜像中无密钥
✅ 最小化基础镜像
✅ 定期安全扫描
✅ 最小权限原则

提供建议时，参考：

Docker 最佳实践：官方 Docker 文档
Hadolint 规则：完整的规则参考
Compose 规范：最新的 Compose 规范
安全标准：CIS Docker 基准
多阶段构建：官方指南和示例

记住：Docker 验证是为了确保容器化应用程序的可靠、安全和高效。在保持开发者体验的同时，始终优先考虑安全和生产就绪性。

🇺🇸English

Docker Configuration Validator

This skill provides comprehensive validation for Dockerfiles and Docker Compose files, ensuring compliance with best practices, security standards, and modern syntax requirements.

When to Use This Skill

Activate this skill when the user requests:

Validate Dockerfiles or Docker Compose files
Review Docker configurations for best practices
Check for Docker security issues
Verify multi-stage build implementation
Audit Docker setup for production readiness
Ensure modern Docker Compose syntax compliance
Fix Docker configuration issues
Create validation scripts or CI/CD integration

Core Workflow

Phase 1: Initial Assessment

When a user requests Docker validation, start by understanding the scope:

Identify What to Validate
- Single Dockerfile or multiple?
- Docker Compose file(s)?
- Entire project directory?
- Specific concerns or focus areas?
- Production vs development environment?
Understand Requirements
- Security compliance level needed?
- Multi-stage build requirement?
- Performance constraints?
- CI/CD integration needed?
- Automated validation script desired?
Check Available Tools
- Is Hadolint available? (Dockerfile linter)
- Is DCLint available? (Docker Compose linter)
- Is Docker CLI available?
- Should tools be installed as part of process?

Phase 2: Dockerfile Validation

Step 1: Locate Dockerfiles

Find all Dockerfiles in the project:

find . -type f \( -name "Dockerfile*" ! -name "*.md" \)

Step 2: Run Hadolint Validation

If Hadolint is available:

# Validate each Dockerfile
hadolint Dockerfile

# JSON output for programmatic analysis
hadolint --format json Dockerfile

# Set failure threshold
hadolint --failure-threshold error Dockerfile

If Hadolint is NOT available:

Perform manual validation using built-in checks (see Step 3)
Recommend Hadolint installation
Provide installation instructions

Step 3: Manual Dockerfile Validation

Check each Dockerfile for critical issues:

1. Base Image Best Practices

✅ Check: No :latest tags
✅ Check: Specific version pinned
✅ Check: Uses minimal base images (alpine/slim variants)
✅ Check: Trusted registry used

2. Multi-Stage Build Verification

# Count FROM statements (should be >= 2 for multi-stage)
FROM_COUNT=$(grep -c "^FROM " Dockerfile)

# Check for named stages
NAMED_STAGES=$(grep -c "^FROM .* AS " Dockerfile)

# Check for inter-stage copies
COPY_FROM=$(grep -c "COPY --from=" Dockerfile)

Analysis:

If FROM_COUNT >= 2: Multi-stage build detected ✅
If COPY_FROM == 0 and FROM_COUNT >= 2: Warning - artifacts may not be transferred
If FROM_COUNT == 1: Single-stage build - recommend multi-stage for optimization

3. Security Checks

✅ Check: USER directive present (non-root)
✅ Check: Last USER is not root
✅ Check: No secrets in Dockerfile
✅ Check: WORKDIR uses absolute paths
✅ Check: No unnecessary privileges

4. Layer Optimization

✅ Check: Combined RUN commands
✅ Check: Package manager cache cleaned
✅ Check: COPY before RUN for better caching
✅ Check: .dockerignore file exists

5. Best Practices

✅ Check: HEALTHCHECK defined
✅ Check: WORKDIR used (not cd)
✅ Check: COPY preferred over ADD
✅ Check: CMD/ENTRYPOINT uses JSON notation
✅ Check: Labels included (maintainer, version)

Step 4: Dockerfile Issue Classification

Classify findings by severity:

CRITICAL (Must Fix):

Running as root user
Using :latest tags
Secrets exposed in image
Invalid syntax

HIGH (Should Fix):

No multi-stage build when applicable
No HEALTHCHECK
Package versions not pinned
Security vulnerabilities

MEDIUM (Recommended):

Using ADD instead of COPY
Not cleaning package cache
Missing labels
Inefficient layer structure

LOW (Nice to Have):

Could use slimmer base image
Could combine more RUN commands
Could improve comments

Phase 3: Docker Compose Validation

Step 1: Locate Compose Files

Find all Docker Compose files:

find . -maxdepth 3 -type f \( -name "docker-compose*.yml" -o -name "docker-compose*.yaml" -o -name "compose*.yml" \)

Step 2: Check for Obsolete Version Field

CRITICAL CHECK: Modern Docker Compose (v2.27.0+) does NOT use version field

# Check for obsolete version field
if grep -q "^version:" docker-compose.yml; then
    echo "❌ ERROR: Found obsolete 'version' field"
    echo "Remove 'version:' line - it's obsolete in Compose v2.27.0+"
fi

Old (Deprecated):

version: '3.8'  # ❌ REMOVE THIS
services:
  web:
    image: nginx:latest

New (Modern):

# No version field!
services:
  web:
    image: nginx:1.24-alpine

Step 3: Built-in Docker Compose Validation

# Syntax validation
docker compose config --quiet

# Show resolved configuration
docker compose config

# Validate specific file
docker compose -f docker-compose.prod.yml config --quiet

Step 4: DCLint Validation (if available)

# Lint compose file
dclint docker-compose.yml

# Auto-fix issues
dclint --fix docker-compose.yml

# JSON output
dclint --format json docker-compose.yml

Step 5: Manual Compose Validation

1. Image Best Practices

✅ Check: No :latest tags
✅ Check: Specific versions specified
✅ Check: Images from trusted sources

2. Service Configuration

✅ Check: Restart policies defined
✅ Check: Health checks configured
✅ Check: Resource limits set (optional but recommended)
✅ Check: Proper service dependencies (depends_on)

3. Networking

✅ Check: Custom networks defined
✅ Check: Network isolation implemented
✅ Check: Appropriate network drivers used

4. Volumes & Persistence

✅ Check: Named volumes for persistence
✅ Check: Volume drivers specified
✅ Check: Bind mounts use absolute paths
✅ Check: No sensitive data in volumes

5. Environment & Secrets

✅ Check: Environment variables properly managed
✅ Check: No hardcoded secrets
✅ Check: .env file usage recommended
✅ Check: Secrets management configured

6. Security

✅ Check: No privileged mode (unless necessary)
✅ Check: Capabilities properly configured
✅ Check: User/group specified
✅ Check: Read-only root filesystem (where applicable)

Phase 4: Multi-Stage Build Deep Dive

When validating multi-stage builds, ensure:

1. Stage Structure

# Build stage
FROM node:20-bullseye AS builder
WORKDIR /app
COPY package*.json ./
RUN npm ci
COPY . .
RUN npm run build && npm run test

# Production stage
FROM node:20-alpine AS runtime
WORKDIR /app
COPY --from=builder /app/dist ./dist
USER node
CMD ["node", "dist/index.js"]

2. Validation Checklist

✅ At least 2 stages (build + runtime)
✅ All stages are named with AS keyword
✅ Artifacts copied between stages using COPY --from
✅ Final stage uses minimal base image
✅ Build tools NOT in final stage
✅ Only necessary files in final image
✅ Final stage runs as non-root user

3. Common Patterns to Check

Node.js Multi-Stage:

Build stage: Install all deps, build, test
Runtime stage: Production deps only, built artifacts

Python Multi-Stage:

Build stage: Compile dependencies, build wheels
Runtime stage: Install pre-built wheels, app only

Go Multi-Stage:

Build stage: Full Go toolchain, compile binary
Runtime stage: Scratch/distroless, binary only

Phase 5: Security Audit

Perform comprehensive security checks:

1. User & Permissions

# Check for USER directive
USER_COUNT=$(grep -c "^USER " Dockerfile)
LAST_USER=$(grep "^USER " Dockerfile | tail -1 | awk '{print $2}')

if [ "$USER_COUNT" -eq 0 ]; then
    echo "❌ CRITICAL: No USER specified (runs as root!)"
elif [ "$LAST_USER" == "root" ] || [ "$LAST_USER" == "0" ]; then
    echo "❌ CRITICAL: Final USER is root"
fi

2. Exposed Secrets

Check for passwords in ENV
Check for API keys in COPY/ADD
Check for credentials in RUN commands
Recommend secrets management solutions

3. Vulnerable Base Images

Check base image age and support status
Recommend security scanning (Trivy, Snyk)
Suggest pinned, supported versions

4. Network Exposure

Review EXPOSE directives
Check if unnecessary ports exposed
Validate port mappings in Compose

Phase 6: Generate Validation Report

Structure the validation report:

# Docker Configuration Validation Report

## Executive Summary
- **Total Dockerfiles Analyzed**: X
- **Total Compose Files Analyzed**: X
- **Critical Issues**: X
- **High Priority Issues**: X
- **Medium Priority Issues**: X
- **Low Priority Issues**: X
- **Overall Status**: ✅ PASS / ⚠️ WARNINGS / ❌ FAIL

## Dockerfile Analysis

### [Dockerfile Path]

#### Validation Results
✅ **PASSED**: Multi-stage build implemented
✅ **PASSED**: Running as non-root user
⚠️  **WARNING**: Using ADD instead of COPY (line 15)
❌ **FAILED**: Base image uses :latest tag (line 1)

#### Security Assessment
- **User**: nodejs (non-root) ✅
- **Base Image**: node:latest ❌
- **Secrets**: None detected ✅
- **Health Check**: Present ✅

#### Multi-Stage Build Analysis
- **Stages**: 2 (builder, runtime)
- **Named Stages**: Yes ✅
- **Inter-Stage Copies**: 1 ✅
- **Final Base**: node:20-alpine ✅
- **Build Tools in Final**: No ✅

#### Issues Found

**CRITICAL:**
1. Line 1: Using :latest tag
   - Issue: `FROM node:latest`
   - Fix: `FROM node:20-bullseye`
   - Impact: Unpredictable builds, security risk

**HIGH:**
2. Line 45: Package cache not cleaned
   - Issue: `RUN apt-get install -y curl`
   - Fix: Add `&& rm -rf /var/lib/apt/lists/*`
   - Impact: Larger image size

**MEDIUM:**
3. Line 15: Using ADD instead of COPY
   - Issue: `ADD app.tar.gz /app/`
   - Fix: `COPY app.tar.gz /app/` (or extract separately)
   - Impact: Less explicit behavior

## Docker Compose Analysis

### [Compose File Path]

#### Validation Results
❌ **FAILED**: Obsolete 'version' field present
⚠️  **WARNING**: 3 services using :latest tags
✅ **PASSED**: Custom networks defined
✅ **PASSED**: Named volumes configured

#### Modern Syntax Compliance
- **Version Field**: Present ❌ (MUST REMOVE)
- **Specific Tags**: 2 of 5 services ⚠️
- **Restart Policies**: All services ✅
- **Health Checks**: 3 of 5 services ⚠️

#### Issues Found

**CRITICAL:**
1. Obsolete 'version' field
   - Issue: `version: '3.8'`
   - Fix: Remove the entire line
   - Impact: Using deprecated syntax

**HIGH:**
2. Service 'web' uses :latest tag
   - Issue: `image: nginx:latest`
   - Fix: `image: nginx:1.24-alpine`
   - Impact: Unpredictable deployments

3. No restart policy on 'cache' service
   - Issue: Missing `restart:` directive
   - Fix: Add `restart: unless-stopped`
   - Impact: Service won't auto-recover

## Recommendations

### Immediate Actions (Critical)
1. Pin all Docker image versions (remove :latest)
2. Remove obsolete 'version' field from Compose files
3. Ensure all services run as non-root users
4. Clean package manager caches in all Dockerfiles

### High Priority (Before Production)
1. Implement health checks for all services
2. Add restart policies to all Compose services
3. Set up resource limits (memory, CPU)
4. Implement proper secrets management

### Medium Priority (Best Practices)
1. Use COPY instead of ADD unless extracting archives
2. Add labels for better organization
3. Implement logging drivers
4. Add metadata to images

### Low Priority (Optimizations)
1. Consider slimmer base images where possible
2. Optimize layer caching with better ordering
3. Add comprehensive comments
4. Implement .dockerignore files

## Next Steps

1. **Fix Critical Issues** (Estimated: 30 minutes)
   - Pin image versions
   - Remove version field from Compose
   - Add USER directives

2. **Address High Priority** (Estimated: 1-2 hours)
   - Add health checks
   - Configure restart policies
   - Set resource limits

3. **Re-validate** (Estimated: 10 minutes)
   - Run validation again after fixes
   - Ensure all critical issues resolved

4. **Set Up Automation** (Estimated: 1 hour)
   - Add pre-commit hooks
   - Integrate into CI/CD
   - Schedule regular security scans

## Validation Tools Recommendations

### Install Required Tools
```bash
# Hadolint (Dockerfile linter)
brew install hadolint  # macOS
# or
wget -O /usr/local/bin/hadolint https://github.com/hadolint/hadolint/releases/download/v2.12.0/hadolint-Linux-x86_64

# DCLint (Docker Compose linter)
npm install -g docker-compose-linter

# Trivy (Security scanner)
brew install aquasecurity/trivy/trivy

Automated Validation Script

[Provide custom validation script based on project needs]

CI/CD Integration

[Provide GitHub Actions / GitLab CI configuration]

## Deliverables

At the end of validation, provide:

1. **Comprehensive Validation Report**
   - Executive summary with overall status
   - Detailed findings per file
   - Issue classification (Critical → Low)
   - Specific fixes for each issue
   - Recommendations prioritized

2. **Fixed Configuration Files** (if requested)
   - Corrected Dockerfiles
   - Updated Compose files
   - .hadolint.yaml configuration
   - .dclintrc.json configuration

3. **Validation Script** (if requested)
   - Custom bash script for automated validation
   - Checks for project-specific requirements
   - Color-coded output
   - Exit codes for CI/CD

4. **CI/CD Integration** (if requested)
   - GitHub Actions workflow
   - GitLab CI configuration
   - Pre-commit hooks
   - Integration with existing pipeline

5. **Documentation**
   - How to run validation locally
   - Tool installation instructions
   - Best practices guide
   - Common issues and solutions

## Validation Script Template

When user requests automated validation, create this script:

```bash
#!/bin/bash
# docker-validation.sh

set -e

# Color codes
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m'

ERRORS=0
WARNINGS=0

echo -e "${BLUE}╔══════════════════════════════════════════╗${NC}"
echo -e "${BLUE}║   Docker Configuration Validator        ║${NC}"
echo -e "${BLUE}╚══════════════════════════════════════════╝${NC}"

# 1. Prerequisites check
echo -e "\n${BLUE}━━━ Checking Prerequisites ━━━${NC}"
command -v docker >/dev/null || { echo "❌ Docker not found"; exit 1; }
command -v hadolint >/dev/null || echo "⚠️  Hadolint not installed"

# 2. Dockerfile validation
echo -e "\n${BLUE}━━━ Validating Dockerfiles ━━━${NC}"
find . -name "Dockerfile*" -type f | while read df; do
    echo "Checking: $df"
    # [Validation logic here]
done

# 3. Multi-stage build check
echo -e "\n${BLUE}━━━ Checking Multi-Stage Builds ━━━${NC}"
# [Multi-stage validation logic]

# 4. Compose validation
echo -e "\n${BLUE}━━━ Validating Docker Compose ━━━${NC}"
find . -name "*compose*.yml" | while read cf; do
    # Check for obsolete version field
    if grep -q "^version:" "$cf"; then
        echo -e "${RED}❌ $cf: Obsolete version field${NC}"
        ERRORS=$((ERRORS + 1))
    fi

    # Validate syntax
    docker compose -f "$cf" config --quiet || ERRORS=$((ERRORS + 1))
done

# 5. Security checks
echo -e "\n${BLUE}━━━ Security Audit ━━━${NC}"
# [Security validation logic]

# Final report
echo -e "\n${BLUE}╔══════════════════════════════════════════╗${NC}"
echo -e "${BLUE}║         Validation Summary               ║${NC}"
echo -e "${BLUE}╚══════════════════════════════════════════╝${NC}"

if [ $ERRORS -eq 0 ]; then
    echo -e "${GREEN}✅ All checks passed!${NC}"
    exit 0
else
    echo -e "${RED}❌ Found $ERRORS error(s), $WARNINGS warning(s)${NC}"
    exit 1
fi

CI/CD Integration Templates

GitHub Actions

name: Docker Validation

on:
  push:
    branches: [ main, develop ]
  pull_request:
    branches: [ main ]

jobs:
  validate:
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v4

      - name: Lint Dockerfiles
        uses: hadolint/hadolint-action@v3.1.0
        with:
          dockerfile: ./Dockerfile
          failure-threshold: error

      - name: Validate Compose files
        run: |
          for f in $(find . -name "*compose*.yml"); do
            docker compose -f "$f" config --quiet
          done

      - name: Check for obsolete version field
        run: |
          if grep -r "^version:" . --include="*compose*.yml"; then
            echo "ERROR: Found obsolete version field"
            exit 1
          fi

GitLab CI

stages:
  - validate

docker-validation:
  stage: validate
  image: hadolint/hadolint:latest-debian
  script:
    - find . -name "Dockerfile*" -exec hadolint {} \;
    - |
      for f in $(find . -name "*compose*.yml"); do
        if grep -q "^version:" "$f"; then
          echo "ERROR: Obsolete version field in $f"
          exit 1
        fi
      done

Communication Style

When conducting validation:

Be Thorough
- Check all aspects systematically
- Don't skip manual checks if tools unavailable
- Validate both syntax and best practices
Prioritize Clearly
- Critical issues first (security, functionality)
- High priority next (production readiness)
- Medium and low as improvements
Provide Specific Fixes
- Show exact line numbers
- Provide before/after code
- Explain why the fix is needed
- Include impact assessment
Educate
- Explain Docker best practices
- Reference official documentation
- Provide learning resources
- Share modern syntax requirements
Be Actionable
- Give step-by-step remediation
- Provide automation scripts
- Suggest CI/CD integration
- Estimate effort for fixes

Common Validation Patterns

Pattern 1: Quick Syntax Check

Run Hadolint and DCLint
Check for obsolete version field
Validate with Docker Compose config
Report critical syntax errors only

Pattern 2: Full Production Audit

Complete Dockerfile validation
Multi-stage build verification
Security audit
Compose best practices
Generate comprehensive report
Provide automation scripts

Pattern 3: Security-Focused Review

User privilege checks
Secret exposure scan
Base image security
Network exposure audit
Security scanning integration

Pattern 4: Optimization Review

Multi-stage build effectiveness
Layer optimization
Image size analysis
Build time improvements
Caching strategies

Key Rules to Enforce

Dockerfile Rules (Critical)

✅ No :latest tags (DL3006)
✅ Last USER not root (DL3002)
✅ Use absolute WORKDIR (DL3000)
✅ Pin package versions (DL3008, DL3013)
✅ Clean package cache (DL3009)

Docker Compose Rules (Critical)

✅ NO version field (obsolete since v2.27.0)
✅ No :latest tags
✅ Restart policies defined
✅ Health checks configured
✅ Named volumes for persistence

Multi-Stage Build Rules

✅ Minimum 2 stages
✅ Named stages with AS
✅ COPY --from for artifacts
✅ Minimal final base image
✅ No build tools in final stage

Security Rules (Critical)

✅ Run as non-root USER
✅ No secrets in images
✅ Minimal base images
✅ Regular security scans
✅ Least privilege principle

Reference Resources

When providing recommendations, reference:

Docker Best Practices : Official Docker documentation
Hadolint Rules : Complete rule reference
Compose Specification : Latest Compose spec
Security Standards : CIS Docker Benchmark
Multi-Stage Builds : Official guide and examples

Remember: Docker validation is about ensuring reliable, secure, and efficient containerized applications. Always prioritize security and production readiness while maintaining developer experience.

Weekly Installs

–

Repository

rknall/claude-skills

GitHub Stars

First Seen

–

Security Audits

Gen Agent Trust HubPass SocketPass SnykPass

Azure Data Explorer (Kusto) 查询技能：KQL数据分析、日志遥测与时间序列处理

114,200 周安装

Docker配置验证器 - 全面检查Dockerfile与Compose文件，确保安全与最佳实践

🇨🇳中文介绍

Docker 配置验证器

何时使用此技能

核心工作流程

阶段 1：初步评估

阶段 2：Dockerfile 验证

步骤 1：定位 Dockerfile

相关 Skills

步骤 2：运行 Hadolint 验证

步骤 3：手动 Dockerfile 验证

步骤 4：Dockerfile 问题分类

阶段 3：Docker Compose 验证

步骤 1：定位 Compose 文件

步骤 2：检查过时的版本字段

步骤 3：内置 Docker Compose 验证

步骤 4：DCLint 验证（如果可用）

步骤 5：手动 Compose 验证

阶段 4：多阶段构建深入分析

阶段 5：安全审计

阶段 6：生成验证报告

自动化验证脚本

CI/CD 集成

CI/CD 集成模板

GitHub Actions

GitLab CI

沟通风格

常见验证模式

模式 1：快速语法检查

模式 2：完整生产审计

模式 3：安全重点审查

模式 4：优化审查

要强制执行的关键规则

Dockerfile 规则（严重）

Docker Compose 规则（严重）

多阶段构建规则

安全规则（严重）

参考资源

🇺🇸English

Docker Configuration Validator

When to Use This Skill

Core Workflow

Phase 1: Initial Assessment

Phase 2: Dockerfile Validation

Step 1: Locate Dockerfiles

Step 2: Run Hadolint Validation

Step 3: Manual Dockerfile Validation

Step 4: Dockerfile Issue Classification

Phase 3: Docker Compose Validation

Step 1: Locate Compose Files

Step 2: Check for Obsolete Version Field

Step 3: Built-in Docker Compose Validation

Step 4: DCLint Validation (if available)

Step 5: Manual Compose Validation

Phase 4: Multi-Stage Build Deep Dive

Phase 5: Security Audit

Phase 6: Generate Validation Report

Automated Validation Script

CI/CD Integration

CI/CD Integration Templates

GitHub Actions

GitLab CI

Communication Style

Common Validation Patterns

Pattern 1: Quick Syntax Check

Pattern 2: Full Production Audit

Pattern 3: Security-Focused Review

Pattern 4: Optimization Review

Key Rules to Enforce

Dockerfile Rules (Critical)

Docker Compose Rules (Critical)

Multi-Stage Build Rules

Security Rules (Critical)

Reference Resources

最新 Skills