AgentSkillsCN

auditing

依据安全、性能与生产就绪性检查清单,对Dockerfile和docker-compose.yml进行审计。并派遣dockerfile-reviewer代理展开深入分析。

SKILL.md
--- frontmatter
name: auditing
description: Audit Dockerfile and docker-compose.yml against security, performance, and production readiness checklist. Dispatches dockerfile-reviewer agent for detailed analysis.
allowed-tools:
  - Read
  - Glob
  - Grep
  - AskUserQuestion
  - Task

Audit Docker Configuration

Comprehensive audit of Dockerfile and docker-compose.yml against best practices.

Checks

Security

CheckPass Criteria
Non-root USERUSER directive present, not root
No secrets in ENV/ARGNo passwords, keys, tokens in ENV or ARG
Base image pinnedSpecific version tag, not :latest
No --privilegedcompose services don't use privileged mode
.dockerignore existsExcludes .env, .git, secrets
No ADD for remote URLsCOPY preferred over ADD

Performance

CheckPass Criteria
Multi-stage buildMultiple FROM statements
Deps before sourceCOPY lock files before source code
Cache mounts used--mount=type=cache for package managers
.dockerignore comprehensiveExcludes node_modules, pycache, .git, tests
Minimal base imagealpine, slim, or distroless variants
Package cache cleanedapt-get clean or rm -rf /var/lib/apt/lists in same RUN

Production Readiness

CheckPass Criteria
HEALTHCHECK definedHEALTHCHECK instruction in Dockerfile
Exec form CMDCMD uses JSON array, not shell form
PID 1 handlingApp is PID 1 or uses tini/dumb-init
Restart policyrestart: unless-stopped in compose
Resource limitsmem_limit/cpus set in compose
Logging to stdoutNo file-based logging in CMD

Compose Checks

CheckPass Criteria
Named networksCustom network, not default bridge
Health conditionsdepends_on uses condition: service_healthy
Named volumesNo anonymous volumes
No hardcoded secretsEnvironment uses variable references or env_file
Service orderingdepends_on with health checks

Workflow

1. Find Docker Files

text
Glob: Dockerfile, Dockerfile.*, docker-compose*.yml, docker-compose*.yaml, .dockerignore

2. Run Checks

For each file found, evaluate all relevant checks.

3. Dispatch Reviewer Agent

For detailed Dockerfile analysis, dispatch the dockerfile-reviewer agent:

text
Task: dockerfile-reviewer agent
Input: Dockerfile path and optional compose path
Output: Structured review with severity levels

4. Generate Report

Use the audit-report.md template. Fill in:

  • Security checks with pass/fail/partial indicators
  • Performance checks
  • Production readiness checks
  • Compose checks (if applicable)
  • Findings with file:line references
  • Recommendations by priority

5. Ask About Fixes

After presenting the report, ask via AskUserQuestion:

  • "Fix all issues" - Apply automatic fixes where possible
  • "Fix critical only" - Only security and production issues
  • "Report only" - No changes

Priority Classification

PriorityCriteria
HighSecurity: root user, secrets in image, no .dockerignore
MediumPerformance: no multi-stage, no cache mounts, large base image
LowProduction: missing HEALTHCHECK, shell form CMD, no resource limits