docker-security-knowledge
Docker security knowledge base for PHP. Provides hardening patterns, vulnerability scanning, secrets management, and OWASP container guidelines.
Best use case
docker-security-knowledge is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Docker security knowledge base for PHP. Provides hardening patterns, vulnerability scanning, secrets management, and OWASP container guidelines.
Teams using docker-security-knowledge should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/docker-security-knowledge/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How docker-security-knowledge Compares
| Feature / Agent | docker-security-knowledge | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Docker security knowledge base for PHP. Provides hardening patterns, vulnerability scanning, secrets management, and OWASP container guidelines.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Docker Security Knowledge Base
Quick reference for Docker security hardening patterns in PHP applications.
## Security Layers
```
+---------------------------------------------------------------------------+
| DOCKER SECURITY LAYERS |
+---------------------------------------------------------------------------+
| |
| Layer 1: Build Security |
| +--------------------------------------------------------------------+ |
| | Minimal base image | Pinned versions | No secrets in layers | |
| | Multi-stage builds | .dockerignore | Verified base images | |
| +--------------------------------------------------------------------+ |
| |
| Layer 2: Image Security |
| +--------------------------------------------------------------------+ |
| | Vulnerability scanning | SBOM generation | Signed images | |
| | No unnecessary packages | Read-only layers | Minimal attack surface | |
| +--------------------------------------------------------------------+ |
| |
| Layer 3: Runtime Security |
| +--------------------------------------------------------------------+ |
| | Non-root user | Read-only filesystem | Dropped capabilities | |
| | Resource limits | No privileged mode | Seccomp profiles | |
| +--------------------------------------------------------------------+ |
| |
| Layer 4: Network Security |
| +--------------------------------------------------------------------+ |
| | Network segmentation | Encrypted traffic | Internal DNS only | |
| | No host networking | Firewall rules | Service mesh (optional) | |
| +--------------------------------------------------------------------+ |
| |
| Layer 5: Secrets Management |
| +--------------------------------------------------------------------+ |
| | Docker secrets | Build secrets | External vault | |
| | No ENV for secrets | Encrypted at rest | Rotation policies | |
| +--------------------------------------------------------------------+ |
| |
+---------------------------------------------------------------------------+
```
## Non-Root User Patterns
### Alpine-based Image
```dockerfile
# syntax=docker/dockerfile:1
FROM php:8.4-fpm-alpine
# Create non-root user and group
RUN addgroup -g 1000 -S app && \
adduser -u 1000 -S app -G app -h /home/app -s /bin/sh
# Set working directory with correct ownership
WORKDIR /var/www/html
RUN chown -R app:app /var/www/html
# Switch to non-root user
USER app
```
### Debian-based Image
```dockerfile
FROM php:8.4-fpm
RUN groupadd -g 1000 app && \
useradd -u 1000 -g app -m -s /bin/bash app
WORKDIR /var/www/html
RUN chown -R app:app /var/www/html
USER app
```
## Secrets Management
### Build Secrets (BuildKit)
```dockerfile
# syntax=docker/dockerfile:1
FROM composer:2 AS deps
# Use build secret for private repository access
RUN --mount=type=secret,id=composer_auth,target=/root/.composer/auth.json \
composer install --no-dev --no-scripts --prefer-dist
FROM php:8.4-fpm-alpine AS production
COPY --from=deps /app/vendor /var/www/html/vendor
# Secret is NOT present in final image
```
```bash
# Build with secret
DOCKER_BUILDKIT=1 docker build \
--secret id=composer_auth,src=auth.json \
-t myapp:latest .
```
### Runtime Secrets (Docker Compose)
```yaml
services:
php:
image: myapp:latest
secrets:
- db_password
- app_key
secrets:
db_password:
file: ./secrets/db_password.txt
app_key:
file: ./secrets/app_key.txt
```
```php
<?php
// Read secret at runtime
function getSecret(string $name): string
{
$path = '/run/secrets/' . $name;
if (!file_exists($path)) {
throw new \RuntimeException("Secret not found: {$name}");
}
return trim(file_get_contents($path));
}
```
### Docker Swarm Secrets
```bash
# Create encrypted secret
echo "s3cur3p@ss" | docker secret create db_password -
# Use in service
docker service create \
--secret db_password \
--name php-app myapp:latest
```
## Image Scanning Tools
| Tool | Integration | License | Features |
|------|-------------|---------|----------|
| **Trivy** | CLI, CI, Kubernetes | Apache 2.0 | OS + app deps, IaC, SBOM |
| **Grype** | CLI, CI | Apache 2.0 | OS + app deps, fast |
| **Snyk** | CLI, CI, IDE | Commercial | Deep analysis, fix advice |
| **Docker Scout** | Docker Desktop, CLI | Commercial | Policy, SBOM, real-time |
### Quick Scan Commands
```bash
# Trivy - comprehensive scan
trivy image --severity HIGH,CRITICAL myapp:latest
# Grype - fast vulnerability scan
grype myapp:latest --fail-on high
# Docker Scout - built-in scanning
docker scout cves myapp:latest
docker scout recommendations myapp:latest
```
## Capability Management
```yaml
# docker-compose.yml
services:
php:
cap_drop:
- ALL
cap_add:
- NET_BIND_SERVICE # Bind to ports < 1024 (if needed)
- CHOWN # Change file ownership (if needed)
security_opt:
- no-new-privileges:true
```
### Minimal Capabilities for PHP-FPM
| Capability | Required | Reason |
|------------|----------|--------|
| `CHOWN` | Sometimes | File ownership changes |
| `SETUID` | No | Drop if non-root |
| `SETGID` | No | Drop if non-root |
| `NET_BIND_SERVICE` | Rarely | Only for ports < 1024 |
| `SYS_PTRACE` | No | Debugging only |
| `ALL` | Drop | Always drop all first |
## Read-Only Filesystem
```yaml
services:
php:
read_only: true
tmpfs:
- /tmp:size=64M
- /var/run:size=1M
- /var/log:size=32M
volumes:
- php-sessions:/var/lib/php/sessions
```
## Network Policies
```yaml
services:
nginx:
networks:
- frontend
- backend
php:
networks:
- backend # No direct external access
postgres:
networks:
- backend # Database isolated
networks:
frontend:
driver: bridge
backend:
driver: bridge
internal: true # No external access
```
## OWASP Docker Top 10
| # | Risk | Mitigation |
|---|------|------------|
| D01 | Secure user mapping | Run as non-root, USER directive |
| D02 | Patch management | Regular base image updates, scanning |
| D03 | Network segmentation | Internal networks, no host mode |
| D04 | Secure defaults | Drop capabilities, read-only FS |
| D05 | Content trust | Signed images, verified publishers |
| D06 | Vulnerability management | Automated scanning in CI/CD |
| D07 | Resource protection | CPU/memory limits, ulimits |
| D08 | Log management | Centralized logging, no sensitive data |
| D09 | Secret management | Docker secrets, external vaults |
| D10 | Integrity and authenticity | Image signing, content trust |
## Detection Patterns
```bash
# Find Dockerfiles with security issues
Grep: "FROM.*:latest" --glob "**/Dockerfile*"
Grep: "USER root" --glob "**/Dockerfile*"
Grep: "privileged.*true" --glob "**/docker-compose*.yml"
Grep: "ENV.*PASSWORD|ENV.*SECRET|ENV.*KEY" --glob "**/Dockerfile*"
Grep: "cap_add.*ALL|cap_add.*SYS_ADMIN" --glob "**/docker-compose*.yml"
# Check for proper security measures
Grep: "USER app|USER www-data|USER nobody" --glob "**/Dockerfile*"
Grep: "cap_drop.*ALL" --glob "**/docker-compose*.yml"
Grep: "read_only.*true" --glob "**/docker-compose*.yml"
Grep: "no-new-privileges" --glob "**/docker-compose*.yml"
```
## References
For detailed information, load these reference files:
- `references/security-checklist.md` -- Comprehensive security checklist with 50+ itemsRelated Skills
yii-knowledge
Yii framework knowledge base. Provides Yii3 modular architecture, DDD integration, PSR-7/PSR-15 compliance, persistence, DI, security (RBAC, auth), event system (PSR-14), queue/jobs, infrastructure components (cache, rate limiter, HTTP client), testing, and antipatterns for Yii PHP projects.
testing-knowledge
Testing knowledge base for PHP 8.4 projects. Provides testing pyramid, AAA pattern, naming conventions, isolation principles, DDD testing guidelines, and PHPUnit patterns.
task-progress-knowledge
TaskCreate pattern guidelines for progress tracking in coordinator agents
symfony-knowledge
Symfony framework knowledge base. Provides architecture, DDD integration, persistence, DI, security, messenger, workflow, events, infrastructure components, testing, and antipatterns for Symfony PHP projects.
stability-patterns-knowledge
Stability Patterns knowledge base. Provides patterns, antipatterns, and PHP-specific guidelines for Circuit Breaker, Retry, Rate Limiter, Bulkhead, and resilience audits.
solid-knowledge
SOLID principles knowledge base for PHP 8.4 projects. Provides quick reference for SRP, OCP, LSP, ISP, DIP with detection patterns, PHP examples, and antipattern identification. Use for architecture audits and code quality reviews.
scalability-knowledge
Scalability knowledge base. Provides vertical vs horizontal scaling, stateless design, session management, connection pooling, capacity planning, and PHP-FPM tuning for scalability audits.
saga-pattern-knowledge
Saga Pattern knowledge base. Provides patterns, antipatterns, and PHP-specific guidelines for saga orchestration, choreography, and distributed transaction audits.
replication-sharding-knowledge
Replication and Sharding knowledge base. Provides read/write splitting at application level, connection wrapper patterns, replica lag handling, and query routing for database scaling audits.
psr-coding-style-knowledge
PSR-1 and PSR-12 coding standards knowledge base for PHP 8.4 projects. Provides quick reference for basic coding standard and extended coding style with detection patterns, examples, and antipattern identification. Use for code style audits and compliance reviews.
psr-autoloading-knowledge
PSR-4 autoloading standard knowledge base for PHP 8.4 projects. Provides quick reference for namespace-to-path mapping, composer.json configuration, directory structure, and common mistakes. Use for autoloading audits and project structure reviews.
outbox-pattern-knowledge
Outbox Pattern knowledge base. Provides patterns, antipatterns, and PHP-specific guidelines for transactional outbox, polling publisher, and reliable messaging audits.