container-security

verified

Container and Kubernetes security patterns including Docker hardening, image scanning, pod security standards, network policies, RBAC, secrets management, and runtime protection. Use when securing containerized applications, building secure images, or configuring Kubernetes security controls.

melodic-software

melodic-software/claude-code-plugins

Plugin

security

Repository
Verified Org

melodic-software/claude-code-plugins
13 stars

plugins/security/skills/container-security/SKILL.md

Last Verified

January 21, 2026

Install Skill

npx add-skill https://github.com/melodic-software/claude-code-plugins/blob/main/plugins/security/skills/container-security/SKILL.md -a claude-code --skill container-security

Installation paths:

Claude
.claude/skills/container-security/

Instructions

# Container Security

## Overview

This skill covers security best practices for containerized applications, including Docker image hardening, Kubernetes security configurations, image vulnerability scanning, and runtime protection.

**Keywords:** container security, Docker, Kubernetes, image scanning, Dockerfile, pod security, network policies, RBAC, container runtime, Trivy, Falco, gVisor, seccomp, AppArmor, distroless, rootless containers

## When to Use This Skill

- Building secure Docker images
- Configuring Kubernetes pod security
- Setting up container vulnerability scanning
- Implementing Kubernetes RBAC
- Configuring network policies
- Managing secrets in Kubernetes
- Setting up runtime security monitoring

## Container Security Layers

| Layer | Controls | Tools |
| --- | --- | --- |
| **Image** | Minimal base, vulnerability scanning, signing | Trivy, Cosign, Grype |
| **Build** | Multi-stage builds, non-root, no secrets | Docker, Buildah, Kaniko |
| **Registry** | Scanning, signing verification, access control | Harbor, ECR, ACR |
| **Runtime** | Seccomp, AppArmor, read-only root | gVisor, Kata, Falco |
| **Orchestration** | Pod security, RBAC, network policies | Kubernetes, OPA/Gatekeeper |
| **Secrets** | Encrypted at rest, external providers | Vault, Sealed Secrets, ESO |
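As an added example (not code from the skill or the plugin repository), a small Python audit that checks a Dockerfile for three of the Image and Build layer controls in the table: a base image pinned to a version or digest rather than `:latest`, a non-root `USER` in the final stage, and no secret-looking `ENV`/`ARG` variables baked into the image. The two sample Dockerfiles are constructed for the demo; the secret-name regex is a heuristic assumption.

```python
"""Added Dockerfile audit for the Image/Build controls listed above (not skill code)."""
import re

SECRET_KEY = re.compile(r"PASSWORD|SECRET|TOKEN|API_KEY|PRIVATE_KEY", re.I)  # heuristic

def parse(dockerfile: str):
    """Yield (INSTRUCTION, argument) pairs, joining backslash line continuations."""
    text = re.sub(r"\\\n", " ", dockerfile)
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            inst, _, arg = line.partition(" ")
            yield inst.upper(), arg.strip()

def audit(dockerfile: str) -> list:
    """Return a list of findings; an empty list means all three checks passed."""
    findings = []
    final_user = None  # USER of the last stage; None means it still runs as root
    for inst, arg in parse(dockerfile):
        if inst == "FROM":
            base = arg.split()[0]                   # drop "AS <stage>"
            final_user = None                       # every new stage starts as root
            name = base.rsplit("/", 1)[-1]          # strip registry host and namespace
            pinned = "@" in base or (":" in name and not name.endswith(":latest"))
            if base != "scratch" and not pinned:
                findings.append(f"FROM {base}: base image not pinned to a version or digest")
        elif inst == "USER":
            final_user = arg.split(":")[0]          # "appuser" or "1001:1001" -> "1001"
        elif inst in ("ENV", "ARG"):
            key = re.split(r"[= ]", arg, maxsplit=1)[0]
            if SECRET_KEY.search(key):
                findings.append(f"{inst} {key}: secret-looking variable baked into the image")
    if final_user in (None, "root", "0"):
        findings.append("final stage does not switch to a non-root USER")
    return findings

WEAK = """\
FROM node:latest
ENV API_KEY=constructed-placeholder-value
CMD ["node", "server.js"]
"""

HARDENED = """\
FROM node:20.10-alpine3.19 AS builder
RUN addgroup -g 1001 -S appgroup && \\
    adduser -u 1001 -S appuser -G appgroup
FROM node:20.10-alpine3.19
USER appuser
"""
```

`audit(WEAK)` reports all three problems, while `audit(HARDENED)` returns an empty list; `FROM scratch` and digest-pinned images are accepted as pinned.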

## Secure Dockerfile Patterns

### Minimal Secure Dockerfile

```dockerfile
# Use specific version, not :latest
FROM node:20.10-alpine3.19 AS builder

# Create non-root user early
RUN addgroup -g 1001 -S appgroup && \
    adduser -u 1001 -S appuser -G appgroup

WORKDIR /app

# Copy dependency files first (layer caching)
COPY package*.json ./

# Install dependencies with security flags
RUN npm ci --only=production --ignore-scripts && \
    npm cache clean --force

# Copy application code
COPY --chown=appuser:appgroup . .

# Build if needed
RUN npm run build

# --- Production Stage ---
FROM node:20.10-alpine3.19 AS production

# Security: Don't run as root
RUN addgroup -g 1001 -S appg
```
