containerlint

Docker & container security anti-pattern analyzer -- detects Dockerfile issues, missing health checks, resource limit gaps, privileged containers, insecure n...

copies: implexa run clawhub/containerlint

view source

installs

stars

karma

SkillRank score ↗

7.3/ 10

evaluated by implexa, claude-haiku-4-5 · 2026-05-26

containerlint scans dockerfiles and container configs for 90 security anti-patterns across 6 categories (dockerfile practices, security context, health checks, resource limits, networking, orchestration). outputs markdown reports with severity grades and remediation guidance. local-only, no telemetry.

structure

9.0

trigger phrases

9.0

procedure

8.0

edge cases

6.0

documentation

8.0

view original SKILL.md from clawhubclick to expand

---
name: ContainerLint
version: 1.0.0
description: "Docker & container security anti-pattern analyzer -- detects Dockerfile issues, missing health checks, resource limit gaps, privileged containers, insecure networking, and orchestration anti-patterns"
homepage: https://containerlint.pages.dev
metadata:
  {
    "openclaw": {
      "emoji": "\ud83d\udc33",
      "primaryEnv": "CONTAINERLINT_LICENSE_KEY",
      "requires": {
        "bins": ["git", "bash", "python3", "jq"]
      },
      "configPaths": ["~/.openclaw/openclaw.json"],
      "install": [
        {
          "id": "lefthook",
          "kind": "brew",
          "formula": "lefthook",
          "bins": ["lefthook"],
          "label": "Install lefthook (git hooks manager)"
        }
      ],
      "os": ["darwin", "linux", "win32"]
    }
  }
user-invocable: true
disable-model-invocation: false
---

# ContainerLint -- Docker & Container Security Anti-Pattern Analyzer

ContainerLint scans codebases for Docker and container security anti-patterns, Dockerfile issues, missing health checks, resource limit gaps, privileged containers, insecure networking, and orchestration misconfigurations. It uses regex-based pattern matching against 90 container-specific patterns across 6 categories, lefthook for git hook integration, and produces markdown reports with actionable remediation guidance. 100% local. Zero telemetry.

## Commands

### Free Tier (No license required)

#### `containerlint scan [file|directory]`
One-shot container security scan of files or directories.

**How to execute:**
```bash
bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [target]
```

**What it does:**
1. Accepts a file path or directory (defaults to current directory)
2. Discovers all source files (skips .git, node_modules, binaries, images, .min.js)
3. Runs 30 container security patterns against each file (free tier limit)
4. Calculates a container security score (0-100) per file and overall
5. Grades: A (90-100), B (80-89), C (70-79), D (60-69), F (<60)
6. Outputs findings with: file, line number, check ID, severity, description, recommendation
7. Exit code 0 if score >= 70, exit code 1 if container security is poor
8. Free tier limited to first 30 patterns (DF + SC categories)

**Example usage scenarios:**
- "Scan my code for Dockerfile issues" -> runs `containerlint scan .`
- "Check this file for container anti-patterns" -> runs `containerlint scan docker-compose.yml`
- "Find privileged containers" -> runs `containerlint scan .`
- "Audit container security in my project" -> runs `containerlint scan .`
- "Check for missing health checks" -> runs `containerlint scan .`

### Pro Tier ($19/user/month -- requires CONTAINERLINT_LICENSE_KEY)

#### `containerlint scan --tier pro [file|directory]`
Extended scan with 60 patterns covering Dockerfile, security context, health checks, and resource management.

**How to execute:**
```bash
bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [target] --tier pro
```

**What it does:**
1. Validates Pro+ license
2. Runs 60 container security patterns (DF, SC, HC, RS categories)
3. Detects missing health checks and readiness probes
4. Identifies resource limit gaps and unbounded containers
5. Full category breakdown reporting

#### `containerlint scan --format json [directory]`
Generate JSON output for CI/CD integration.

```bash
bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [directory] --format json
```

#### `containerlint scan --format html [directory]`
Generate HTML report for browser viewing.

```bash
bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [directory] --format html
```

#### `containerlint scan --category HC [directory]`
Filter scan to a specific check category (DF, SC, HC, RS, NW, OR).

```bash
bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [directory] --category HC
```

### Team Tier ($39/user/month -- requires CONTAINERLINT_LICENSE_KEY with team tier)

#### `containerlint scan --tier team [directory]`
Full scan with all 90 patterns across all 6 categories including networking and orchestration.

**How to execute:**
```bash
bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [directory] --tier team
```

**What it does:**
1. Validates Team+ license
2. Runs all 90 patterns across 6 categories
3. Includes networking checks (host networking, exposed ports, insecure registries)
4. Includes orchestration checks (compose anti-patterns, missing restart policies)
5. Full category breakdown with per-file results

#### `containerlint scan --verbose [directory]`
Verbose output showing every matched line and pattern details.

```bash
bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [directory] --verbose
```

#### `containerlint status`
Show license and configuration information.

```bash
bash "<SKILL_DIR>/scripts/dispatcher.sh" status
```

## Check Categories

ContainerLint detects 90 container security anti-patterns across 6 categories:

| Category | Code | Patterns | Description | Severity Range |
|----------|------|----------|-------------|----------------|
| **Dockerfile Best Practices** | DF | 15 | Missing USER directive, ADD instead of COPY, latest tag, missing .dockerignore patterns, multiple FROM without alias | medium -- high |
| **Security Context** | SC | 15 | Privileged mode, running as root, exposed secrets, capability escalation, no seccomp profile | high -- critical |
| **Health & Readiness** | HC | 15 | No HEALTHCHECK, missing readiness probes, no liveness checks, no startup probes | medium -- high |
| **Resource Management** | RS | 15 | No resource limits, no memory limits, no CPU limits, unbounded storage, no ephemeral storage limits | medium -- high |
| **Networking & Exposure** | NW | 15 | Exposing all ports, host networking, no network policy, publishing on 0.0.0.0, insecure registries | medium -- critical |
| **Orchestration & Compose** | OR | 15 | No restart policy, no replicas, hardcoded IPs in compose, no volume mounts for secrets, latest tag in compose | low -- high |

## Tier-Based Pattern Access

| Tier | Patterns | Categories |
|------|----------|------------|
| **Free** | 30 | DF, SC |
| **Pro** | 60 | DF, SC, HC, RS |
| **Team** | 90 | DF, SC, HC, RS, NW, OR |
| **Enterprise** | 90 | DF, SC, HC, RS, NW, OR + priority support |

## Scoring

ContainerLint uses a deductive scoring system starting at 100 (perfect):

| Severity | Point Deduction | Description |
|----------|-----------------|-------------|
| **Critical** | -25 per finding | Severe security vulnerability (privileged mode, exposed secrets) |
| **High** | -15 per finding | Significant security problem (running as root, no resource limits) |
| **Medium** | -8 per finding | Moderate concern (latest tag, missing health check) |
| **Low** | -3 per finding | Informational / best practice suggestion |

### Grading Scale

| Grade | Score Range | Meaning |
|-------|-------------|---------|
| **A** | 90-100 | Excellent container security |
| **B** | 80-89 | Good security with minor issues |
| **C** | 70-79 | Acceptable but needs improvement |
| **D** | 60-69 | Poor container security |
| **F** | Below 60 | Critical security problems |

- **Pass threshold:** 70 (Grade C or better)
- Exit code 0 = pass (score >= 70)
- Exit code 1 = fail (score < 70)

## Configuration

Users can configure ContainerLint in `~/.openclaw/openclaw.json`:

```json
{
  "skills": {
    "entries": {
      "containerlint": {
        "enabled": true,
        "apiKey": "YOUR_LICENSE_KEY_HERE",
        "config": {
          "severityThreshold": "medium",
          "ignorePatterns": ["**/test/**", "**/fixtures/**", "**/*.test.*"],
          "ignoreChecks": [],
          "reportFormat": "text"
        }
      }
    }
  }
}
```

## Important Notes

- **Free tier** works immediately with no configuration
- **All scanning happens locally** -- no code is sent to external servers
- **License validation is offline** -- no phone-home or network calls
- Pattern matching only -- no AST parsing, no external dependencies beyond bash
- Supports scanning all file types in a single pass
- Git hooks use **lefthook** which must be installed (see install metadata above)
- Exit codes: 0 = pass (score >= 70), 1 = fail (for CI/CD integration)
- Output formats: text (default), json, html

## Error Handling

- If lefthook is not installed and user tries hooks, prompt to install it
- If license key is invalid or expired, show clear message with link to https://containerlint.pages.dev/renew
- If a file is binary, skip it automatically with no warning
- If no scannable files found in target, report clean scan with info message
- If an invalid category is specified with --category, show available categories

## When to Use ContainerLint

The user might say things like:
- "Scan my code for Dockerfile issues"
- "Check my container security"
- "Find privileged containers"
- "Detect missing health checks"
- "Are there any hardcoded secrets in my Docker files?"
- "Check for missing resource limits"
- "Audit my container security practices"
- "Find insecure Docker configurations"
- "Check for missing network policies"
- "Scan for container anti-patterns"
- "Run a container security audit"
- "Generate a container security report"
- "Check if my containers have proper resource limits"
- "Find containers running as root"
- "Check my docker-compose for anti-patterns"

don't have the plugin yet? install it then click "run inline in claude" again.

added explicit intent, inputs with env var and config schema details, 7-step procedure with clear inputs/outputs per step, 5 decision points covering tier logic, license validation, category filtering, empty results, and file errors, detailed output contract with schema and file locations, and outcome signals that are testable and user-observable.

containerlint

Item: containerlint
Rating: 7.3
Author: Implexa

intent

containerlint scans codebases for docker and container security anti-patterns using regex-based pattern matching across 90 container-specific checks (dockerfile best practices, security context, health checks, resource limits, networking, orchestration). runs 100% locally with zero telemetry. use this when you need to audit dockerfile quality, detect privileged containers, find missing health checks, identify resource limit gaps, or validate docker-compose configurations before deploying to production.

inputs

required binaries:

git (v2.0+)
bash (v4.0+)
python3 (v3.6+)
jq (v1.6+)
lefthook (optional, only for git hook integration; install via brew install lefthook or included in skill metadata)

environment variables:

CONTAINERLINT_LICENSE_KEY (optional, required only for Pro and Team tier scans)
- free tier: works without license
- pro tier ($19/user/month): validate with this key
- team tier ($39/user/month): validate team license
- enterprise: contact support

configuration file:

location: ~/.openclaw/openclaw.json

schema:

{
  "skills": {
    "entries": {
      "containerlint": {
        "enabled": true,
        "apiKey": "YOUR_LICENSE_KEY",
        "config": {
          "severityThreshold": "medium",
          "ignorePatterns": ["**/test/**", "**/fixtures/**"],
          "ignoreChecks": [],
          "reportFormat": "text"
        }
      }
    }
  }
}

all fields optional; defaults are permissive

external connections:

none. all pattern matching is local. license validation is offline (no network calls).

target input:

file path or directory path (defaults to current working directory)
supports: Dockerfile, docker-compose.yml, docker-compose.yaml, .yml/.yaml with container config, any text file

procedure

step 1: validate environment and tier

input: CONTAINERLINT_LICENSE_KEY env var (if scanning pro/team tier) output: tier determination (free/pro/team), license status (valid/invalid/expired)

check if CONTAINERLINT_LICENSE_KEY is set
if set, validate key format and expiry offline
if key invalid or expired, print error message with link to https://containerlint.pages.dev/renew and exit code 1
if no key, default to free tier (30 patterns, DF and SC categories only)
if valid key, determine tier level from key metadata and allow corresponding pattern access

step 2: discover scannable files

input: target path (file or directory) output: list of scannable files, file count

if target is file, add to scannable list if not binary
if target is directory, recursively find all files
skip directories: .git, node_modules, .env, vendor, dist, build, .next, pycache, .venv
skip binary files: .png, .jpg, .jpeg, .gif, .ico, .zip, .tar, .gz, .bin, .so, .o, .pyc, .class
skip minified js: *.min.js
collect remaining files
if no files found, report "no scannable files in target directory" and exit code 0 (clean scan)

step 3: apply ignore patterns and checks

input: discovered files, ignorePatterns and ignoreChecks from config output: final list of files to scan

read config from ~/.openclaw/openclaw.json if present
extract ignorePatterns array (glob-style paths to exclude)
extract ignoreChecks array (check IDs to skip globally)
filter discovered files against ignorePatterns using bash globbing
pass both filtered file list and ignoreChecks to pattern matching step

step 4: run pattern matching

input: filtered file list, tier (free/pro/team), category filter (optional), ignoreChecks list output: raw findings (file, line number, check ID, severity, description, recommendation)

load pattern definitions based on tier
- free tier: 30 patterns (DF: 15, SC: 15)
- pro tier: 60 patterns (DF: 15, SC: 15, HC: 15, RS: 15)
- team tier: 90 patterns (DF: 15, SC: 15, HC: 15, RS: 15, NW: 15, OR: 15)
if --category flag used, filter patterns to requested category only
for each file in filtered list: a. read file contents b. for each pattern in allowed set: i. skip if check ID in ignoreChecks ii. run regex match against file iii. capture line number(s) of match iv. record: file path, line number, check ID, severity, description, remediation text
return all findings in order (by file, then by line, then by check ID)

step 5: calculate security score

input: all findings, severity counts output: numeric score (0-100), grade (A-F), per-file scores

initialize score to 100
for each critical finding: deduct 25 points
for each high finding: deduct 15 points
for each medium finding: deduct 8 points
for each low finding: deduct 3 points
floor score at 0 (no negative scores)
calculate per-file score using same logic
assign grade: A (90-100), B (80-89), C (70-79), D (60-69), F (<60)
determine pass/fail: score >= 70 = pass (exit code 0), score < 70 = fail (exit code 1)

step 6: format output

input: findings, score, grade, format flag (text/json/html), verbose flag output: formatted report (text, json, or html)

text format (default):

containerLint Security Audit
=============================
Target: [path]
Tier: [free/pro/team]
Scan Date: [ISO 8601]

SCORE: [85] / 100 (Grade: B)

Findings: [12 total] [0 critical] [3 high] [6 medium] [3 low]

[file1.Dockerfile]
  Line 5: DF-001 [HIGH] Missing USER directive
  Remediation: Add 'USER appuser' before CMD
  
  Line 12: SC-003 [CRITICAL] Running as root
  Remediation: Create unprivileged user and set with USER directive

[file2.docker-compose.yml]
  Line 8: RS-002 [MEDIUM] No memory limit defined
  Remediation: Add 'mem_limit: 512m' to service config

=============================
Summary:
  Pass threshold: 70
  Your score: 85
  Status: PASS (exit code 0)

json format:

{
  "scan": {
    "target": "/path/to/target",
    "tier": "pro",
    "timestamp": "2024-01-15T10:30:00Z",
    "score": 85,
    "grade": "B",
    "pass": true,
    "findings": [
      {
        "file": "Dockerfile",
        "line": 5,
        "checkId": "DF-001",
        "severity": "high",
        "description": "Missing USER directive",
        "remediation": "Add 'USER appuser' before CMD"
      }
    ],
    "summary": {
      "total": 12,
      "critical": 0,
      "high": 3,
      "medium": 6,
      "low": 3
    }
  }
}

html format:

generate standalone html file with inline css
include clickable file links, severity color coding (red for critical, orange for high, yellow for medium, gray for low)
show score gauge, per-file summary table, detail findings with line numbers as anchors

if --verbose flag, include full pattern regex and matched line text in output
if --format json, output valid json to stdout
if --format html, write html to containerlint-report.html in current directory
default to text format to stdout

step 7: exit with appropriate code

input: pass/fail determination from step 5 output: exit code (0 or 1)

if score >= 70, exit 0 (pass)
if score < 70, exit 1 (fail)

decision points

if tier is free:

allow only 30 patterns (DF and SC categories)
if user requests pro/team features with --tier pro or --tier team but no valid license, print error: "pro/team tier requires valid license key. set CONTAINERLINT_LICENSE_KEY and retry" and exit code 1

if license key is invalid or expired:

print error: "license key invalid or expired. renew at https://containerlint.pages.dev/renew"
exit code 1
fall back to free tier if key is absent (no error)

if category filter is used:

if category is invalid (not one of DF, SC, HC, RS, NW, OR), print available categories and exit code 1
if category is valid, run only patterns in that category (tier still limits access, e.g. pro tier cannot access NW or OR)

if target is empty directory (no scannable files):

report "no scannable files found in target"
return clean scan (score 100, grade A, zero findings)
exit code 0

if lefthook is requested for git hooks but not installed:

print message: "lefthook not found. install via 'brew install lefthook' or see https://containerlint.pages.dev/install"
do not fail the scan; only fail the hook installation step

if file is binary:

skip silently with no warning

if a specific file cannot be read (permission denied, etc.):

print warning: "skipped [filename]: permission denied"
continue scanning other files
do not fail the scan

if verbose mode is enabled:

include matched line text and full pattern regex in every finding detail
useful for debugging why a pattern matched

if ignoreChecks contains a check ID that does not exist:

silently ignore the invalid check ID (do not warn)
proceed with scan

output contract

required formats:

text format (default):
- stdout stream with human-readable report
- sections: header, score/grade, findings grouped by file, summary
- each finding shows: file path, line number, check ID, severity, description, remediation
- footer shows pass/fail status and exit code logic
json format:
- valid json (parseable by jq)
- schema: { scan: { target, tier, timestamp, score, grade, pass, findings: [], summary: {} } }
- all timestamps in iso 8601 format
- all severity values lowercase: critical, high, medium, low
html format:
- standalone file: containerlint-report.html written to current directory
- self-contained (inline css, no external assets)
- responsive design, readable on desktop and mobile
- severity color coding (red/orange/yellow/gray)
- clickable file links within report

file locations:

config read from: ~/.openclaw/openclaw.json (optional)
html report written to: containerlint-report.html (if --format html)
all other output to stdout

exit codes:

0: scan completed, score >= 70 (pass)
1: scan completed, score < 70 (fail) OR error (invalid license, bad input, etc.)

data invariants:

score is integer from 0-100
grade is single character: A, B, C, D, or F
check ID format: [DF|SC|HC|RS|NW|OR]-\d{3} (e.g. DF-001)
severity is one of: critical, high, medium, low
line numbers are positive integers (1-indexed)
all file paths are absolute or relative to cwd

outcome signal

the user knows the skill worked when:

text output appears immediately showing score, grade, findings grouped by file with line numbers
json is valid and parseable by jq (test: containerlint scan . --format json | jq .)
html report is generated at containerlint-report.html with clickable findings
exit code matches expectation: run containerlint scan . && echo "PASS" || echo "FAIL" and see PASS or FAIL printed
findings match reality: scan detects known anti-patterns (e.g. FROM ... as root triggers SC-003, missing HEALTHCHECK triggers HC-001)
per-file scores are visible and can be used to identify worst offenders
remediation text is actionable (e.g. "Add USER directive before CMD" is specific and copy-paste ready)
ignored patterns are respected: if config contains ignorePatterns, files matching those globs are not scanned
tier features work as advertised: free tier scans 30 patterns, pro adds 30 more, team adds final 30
license validation is fast (offline, no network lag)

containerlint

related skills

containerlint

intent

inputs

procedure

step 1: validate environment and tier

step 2: discover scannable files

step 3: apply ignore patterns and checks

step 4: run pattern matching

step 5: calculate security score

step 6: format output

step 7: exit with appropriate code

decision points

output contract

outcome signal