Skip to content

LukasNiessen/docker-skill

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Docker Skill for Claude Code and Codex: DockerShark

DockerShark Logo

DockerShark is a failure-mode-first skill for Dockerfiles, BuildKit builds, container images, and image supply-chain work.

Fixes Hallucinations.

LLMs often produce Dockerfiles that work locally but fail production requirements. They leak secrets through build layers, run as root, use mutable base tags, copy huge contexts, skip SBOM/provenance, and confuse build-time and runtime dependencies.

DockerShark forces the agent to diagnose those failure modes before it writes or reviews image artifacts.

Very Token-Efficient.

The core SKILL.md is procedural and compact. Detailed guidance lives in focused reference files, loaded only when the diagnosed failure mode or detected runtime requires it.

Based on Container Security Best Practices.

DockerShark is grounded in Docker build guidance, BuildKit secret handling, CIS-style container hardening, OpenSSF/SLSA supply-chain principles, and OCI image practices. It is not affiliated with Docker, Inc.

Quick Start

Clone this repository and place it where your agent runtime discovers skills. For Codex repo-scoped use, copy or symlink the repository into .agents/skills/docker-skill.

mkdir -p .agents/skills
git clone https://github.com/LukasNiessen/docker-skill.git .agents/skills/docker-skill

Then ask naturally:

Review this Dockerfile for security, size, and reproducibility issues.

Or invoke explicitly:

$docker-skill Create a production Dockerfile for this FastAPI app.

Why DockerShark?

Dimension DockerShark Generic Docker prompt
Diagnoses before generating Yes Usually no
Secret layer guidance Explicit Often missed
Runtime hardening Required review dimension Often omitted
Build context/cache risk First-class failure mode Rarely considered
Language-specific CRR Node, Python, Go, Java, .NET Usually generic
Supply-chain controls SBOM, signing, scanning, provenance Often superficial
Output contract Assumptions, tradeoffs, validation, rollback No consistent contract

Token Strategy

  • Keep SKILL.md small and procedural.
  • Move detailed patterns into focused references.
  • Load primary references by diagnosed failure mode.
  • Load conditional references only when language, image family, BuildKit, Compose, or registry signals appear.
  • Exclude generic Docker tutorials unless they prevent a concrete failure mode.

Conditional Reference Retrieval

DockerShark uses conditional reference retrieval for language/runtime and tooling specifics:

  • Node.js, Python, Go, Java/JVM, .NET
  • Alpine, Debian/Ubuntu slim, distroless, scratch
  • BuildKit/buildx, Docker Compose, registries

A plain Dockerfile review does not load every language and registry guide.

What's Included

  • A compact failure-mode workflow in SKILL.md
  • Seven primary image failure-mode references
  • Language and tool-specific conditional references
  • Good, bad, and neutral pattern banks
  • Validation and scanning guidance
  • Runtime hardening and multi-stage build patterns
  • UI metadata in agents/openai.yaml

Repository Layout

File Purpose
SKILL.md Operational workflow for DockerShark
agents/openai.yaml Codex app metadata
references/secret-layer-leakage.md Secret handling and layer leakage
references/insecure-runtime-defaults.md Root/runtime defaults and container hardening
references/base-image-drift.md Base image trust, mutability, patch cadence
references/bloated-fragile-images.md Image size, multi-stage builds, runtime minimization
references/build-context-cache-risk.md .dockerignore, cache safety, context hygiene
references/dependency-package-drift.md Lockfiles and deterministic installs
references/sbom-signing-provenance-gaps.md SBOM, signing, scanning, provenance
references/conditional/ Language, BuildKit, Compose, and registry references

How It Works

  1. Capture context: runtime, base image, builder, registry, target, security posture.
  2. Diagnose likely failure modes.
  3. Load only matching references.
  4. Propose changes with risk controls.
  5. Generate Dockerfile/build artifacts.
  6. Validate with build, inspect, scan, and smoke-test steps.
  7. Return assumptions, tradeoffs, tests, and rollback notes.

Scope

DockerShark covers:

  • Dockerfiles and .dockerignore
  • BuildKit/buildx image builds
  • Docker Compose build concerns
  • container image hardening and size reduction
  • SBOM, signing, scanning, digest promotion
  • registry push/pull/auth/retention concerns

DockerShark does not replace a full CI/CD skill for pipeline-wide release governance.

FAQ

Does this only support Docker?

It focuses on Dockerfile-compatible container image workflows and OCI image concerns. Podman/buildah users can still reuse much of the guidance, but Docker/BuildKit are the default vocabulary.

Does it always require distroless?

No. Distroless is one option. DockerShark treats Alpine, Debian/Ubuntu slim, distroless, scratch, and vendor images as context-dependent choices.

Will it generate production-ready Dockerfiles?

It will generate safer Dockerfiles and validation steps. Production readiness still depends on build context, app behavior, registry controls, and deployment environment.

Contributing

Contributions should reduce a named failure mode, improve conditional routing, or add concise validation patterns. Keep the skill lean.

License

MIT

About

No description, website, or topics provided.

Resources

License

Contributing

Stars

1 star

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors