Scans Docker images for security vulnerabilities, outdated packages, and misconfigurations. Use when checking image security, finding vulnerabilities, or hardening containers.
View on GitHub: armanzeroeight/fastagent-plugins
docker-toolkit
plugins/docker-toolkit/skills/image-security-scanner/SKILL.md
January 21, 2026
Install:

```bash
npx add-skill https://github.com/armanzeroeight/fastagent-plugins/blob/main/plugins/docker-toolkit/skills/image-security-scanner/SKILL.md -a claude-code --skill image-security-scanner
```

Installation path: `.claude/skills/image-security-scanner/`

# Image Security Scanner

Scan and secure Docker images for production deployment.

## Quick Start

Scan an image:

```bash
docker scan myapp:latest
# or
trivy image myapp:latest
```

## Instructions

### Step 1: Choose Scanning Tool

**Docker Scan** (built-in; note that Docker has deprecated `docker scan` in favour of `docker scout`, so on current Docker releases prefer one of the standalone scanners below):

```bash
docker scan myapp:latest
```

**Trivy** (comprehensive):

```bash
trivy image myapp:latest
```

**Grype** (fast):

```bash
grype myapp:latest
```

**Snyk** (detailed):

```bash
snyk container test myapp:latest
```

### Step 2: Run Security Scan

**Basic scan**:

```bash
docker scan myapp:latest
```

**Detailed scan with Trivy** (only HIGH and CRITICAL findings are reported):

```bash
trivy image --severity HIGH,CRITICAL myapp:latest
```

**Scan with JSON output** (machine-readable, for CI gates and tracking):

```bash
trivy image -f json -o results.json myapp:latest
```

### Step 3: Analyze Results

Review findings by severity:

- **CRITICAL**: Immediate action required
- **HIGH**: Fix soon
- **MEDIUM**: Plan to fix
- **LOW**: Monitor

**Common vulnerabilities**:

- Outdated base image
- Vulnerable packages
- Known CVEs
- Misconfigurations

### Step 4: Fix Vulnerabilities

**Update base image**:

```dockerfile
# Before
FROM node:18-alpine3.17

# After
FROM node:18-alpine3.18
```

**Update packages**:

```dockerfile
RUN apk upgrade --no-cache
# or
RUN apt-get update && apt-get upgrade -y
```

**Remove vulnerable packages**:

```dockerfile
RUN apk del vulnerable-package
```

**Use distroless for minimal attack surface**:

```dockerfile
FROM gcr.io/distroless/nodejs18-debian11
```

### Step 5: Implement Security Best Practices

**Run as non-root**:

```dockerfile
USER nobody
# or
RUN adduser -D appuser
USER appuser
```

**Remove unnecessary tools**:

```dockerfile
RUN apk del apk-tools
```

**Use a read-only filesystem** (set at run time, in docker-compose or Kubernetes, not in the Dockerfile):

```yaml
# docker-compose service option
read_only: true
# Kubernetes equivalent, under the container's securityContext:
# readOnlyRootFilesystem: true
```

**Add security labels**:

```dockerfile
LABEL security.scan-date="2024-01-15"
LABEL security.scanner="trivy"
```

### Step 6: Verify Fixes

Re-scan after fixes:

```bash
docker build -t myapp:latest .
trivy image myapp:latest
```

Com
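As an added example (not part of the original skill) of the Step 3 triage over the JSON written by `trivy image -f json -o results.json`: it tallies findings by severity, lists those with a `FixedVersion` (the packages a Step 4 upgrade will actually clear), and returns a gate decision matching `--severity HIGH,CRITICAL`. The report is a constructed sample in Trivy's JSON schema; the vulnerability IDs and versions are placeholders, not real advisories.

```python
import json
from collections import Counter

# Constructed sample shaped like `trivy image -f json` output (SchemaVersion 2).
# Vulnerability IDs and versions are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "myapp:latest",
    "Results": [
        {"Target": "myapp:latest (alpine 3.17.0)", "Class": "os-pkgs", "Type": "alpine",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl3", "Severity": "CRITICAL",
              "InstalledVersion": "3.0.7-r0", "FixedVersion": "3.0.8-r0"},
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "busybox", "Severity": "MEDIUM",
              "InstalledVersion": "1.35.0-r29", "FixedVersion": ""},  # no fix released yet
         ]},
        {"Target": "Node.js", "Class": "lang-pkgs", "Type": "node-pkg",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0003", "PkgName": "semver", "Severity": "HIGH",
              "InstalledVersion": "7.3.8", "FixedVersion": "7.5.2"},
         ]},
        # Targets with no findings omit the "Vulnerabilities" key entirely.
        {"Target": "Dockerfile", "Class": "config", "Type": "dockerfile"},
    ],
})

SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN"]

def summarize(report_json):
    """Tally findings by severity and collect those a package upgrade would clear."""
    counts = Counter()
    fixable = []
    for result in json.loads(report_json).get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            sev = vuln.get("Severity", "UNKNOWN").upper()
            counts[sev] += 1
            if vuln.get("FixedVersion"):
                fixable.append((vuln["PkgName"], vuln["InstalledVersion"], vuln["FixedVersion"], sev))
    return counts, fixable

def should_block(counts, fail_on=("CRITICAL", "HIGH")):
    """Gate decision matching `--severity HIGH,CRITICAL`: any such finding blocks the deploy."""
    return any(counts.get(sev, 0) > 0 for sev in fail_on)

if __name__ == "__main__":
    counts, fixable = summarize(SAMPLE_REPORT)
    print("  ".join(f"{sev}={counts[sev]}" for sev in SEVERITY_ORDER))
    for pkg, installed, fixed, sev in fixable:
        print(f"upgrade {pkg} {installed} -> {fixed}  [{sev}]")
    print("BLOCK" if should_block(counts) else "PASS")
```

Point `summarize` at the contents of `results.json` instead of `SAMPLE_REPORT` to run it against a real scan.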