Container Security Checker

Validate container and Kubernetes security using CIS benchmarks with pod security standards, RBAC review, and image vulnerability checks.

Best use case

Container Security Checker is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Validate container and Kubernetes security using CIS benchmarks with pod security standards, RBAC review, and image vulnerability checks.

Teams using Container Security Checker should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/security-container-validator/SKILL.md --create-dirs "https://raw.githubusercontent.com/williamzujkowski/cognitive-toolworks/main/skills/security-container-validator/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/security-container-validator/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How Container Security Checker Compares

Feature / AgentContainer Security CheckerStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

Validate container and Kubernetes security using CIS benchmarks with pod security standards, RBAC review, and image vulnerability checks.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

## Purpose & When-To-Use

**Trigger conditions:**
- Container security audit before production deployment
- Kubernetes cluster security review
- CIS Benchmark compliance requirement
- Post-incident container security assessment
- Third-party container security questionnaire

**Not for:**
- Image vulnerability scanning (use dedicated SBOM/CVE scanning tools)
- Runtime threat detection (use container runtime security tools)
- Application security (use security-appsec-validator)
- Cloud infrastructure security (use security-cloud-analyzer)

---

## Pre-Checks

**Time normalization:**
- Compute `NOW_ET` using NIST/time.gov semantics (America/New_York, ISO-8601): 2025-10-26T01:33:55-04:00
- Use `NOW_ET` for all citation access dates

**Input validation:**
- `platform` must be one of: [docker, kubernetes, both]
- `check_scope` must be one of: [images, runtime, rbac, network, all]
- If `platform` includes kubernetes, `cluster_identifier` should be provided

**Source freshness:**
- CIS Docker Benchmark (accessed 2025-10-26T01:33:55-04:00): https://www.cisecurity.org/benchmark/docker
- CIS Kubernetes Benchmark v1.8+ (accessed 2025-10-26T01:33:55-04:00): https://www.cisecurity.org/benchmark/kubernetes
- Pod Security Standards (accessed 2025-10-26T01:33:55-04:00): https://kubernetes.io/docs/concepts/security/pod-security-standards/

---

## Procedure

### Step 1: Critical Container Security Controls

**Docker/Container Images:**
1. Container images from trusted registries (verified signatures)
2. Non-root user execution (USER directive in Dockerfile)
3. No secrets in environment variables or image layers
4. Resource limits defined (memory, CPU)

**Kubernetes Pod Security:**
1. Pod Security Standards enforcement (Baseline or Restricted level)
2. Non-privileged containers (securityContext.privileged: false)
3. Read-only root filesystem where possible
4. No host namespace sharing (hostNetwork, hostPID, hostIPC: false)

**Kubernetes RBAC:**
1. Role bindings follow least privilege principle
2. No wildcard permissions in Roles/ClusterRoles
3. Service accounts scoped to namespaces
4. Minimal ClusterRole bindings

**Kubernetes Network Security:**
1. Network policies defined for namespace isolation
2. Ingress and egress rules explicit (no default allow-all)
3. Service mesh security (if applicable)

### Step 2: Generate CIS-Aligned Remediation

For each finding, provide:
- CIS Benchmark control reference
- Kubernetes YAML manifest fixes or Dockerfile changes
- Platform-specific commands (kubectl, docker)

**Token budgets:**
- **T1:** ≤2k tokens (critical findings)
- **T2:** ≤6k tokens (full CIS coverage)
- **T3:** Not applicable for this skill (use security-auditor agent for comprehensive assessments)

---

## Decision Rules

**Ambiguity thresholds:**
- If cluster access unavailable → request kubeconfig or architecture docs
- If Dockerfile unavailable → assess runtime configuration only

**Abort conditions:**
- No platform specified → cannot proceed
- Kubernetes platform selected but no cluster access → limited to manifest review

**Severity classification:**
- Critical: Privileged containers, host namespace sharing (CVSS 9.0-10.0)
- High: Weak RBAC, missing network policies (CVSS 7.0-8.9)
- Medium: Resource limits missing, root user (CVSS 4.0-6.9)
- Low: Best practice deviations (CVSS 0.1-3.9)

---

## Output Contract

**Required fields:**
```json
{
  "platform": "docker|kubernetes|both",
  "cluster_identifier": "string or null",
  "check_scope": "images|runtime|rbac|network|all",
  "timestamp": "ISO-8601 with timezone",
  "findings": [
    {
      "id": "unique identifier",
      "check_type": "image|pod|rbac|network",
      "resource_type": "pod|deployment|role|networkpolicy|...",
      "resource_name": "resource identifier",
      "severity": "critical|high|medium|low",
      "cvss_score": 0.0,
      "title": "brief description",
      "description": "detailed finding",
      "cis_control": "CIS Docker 4.1 or CIS Kubernetes 5.2.3",
      "remediation": "specific fix steps",
      "remediation_manifest": "YAML or Dockerfile snippet"
    }
  ],
  "cis_compliance": {
    "benchmark": "CIS Docker v1.6.0 or CIS Kubernetes v1.8.0",
    "controls_assessed": ["list"],
    "controls_passed": ["list"],
    "controls_failed": ["list"]
  },
  "summary": {
    "total_findings": 0,
    "critical_count": 0,
    "high_count": 0,
    "overall_risk": "critical|high|medium|low"
  }
}
```

---

## Examples

**Example: Kubernetes Pod Security Check**

```yaml
# Input
platform: "kubernetes"
cluster_identifier: "prod-cluster-us-east"
check_scope: "runtime"

# Output (abbreviated)
{
  "platform": "kubernetes",
  "findings": [
    {
      "id": "CONTAINER-001",
      "check_type": "pod",
      "resource_name": "web-app-deployment",
      "severity": "high",
      "cvss_score": 7.5,
      "title": "Privileged container detected",
      "cis_control": "CIS Kubernetes 5.2.1",
      "remediation_manifest": "securityContext:\\n  privileged: false"
    }
  ],
  "summary": {"high_count": 1, "overall_risk": "high"}
}
```

---

## Quality Gates

**Token budgets:**
- T1 ≤2k tokens (critical findings only)
- T2 ≤6k tokens (full CIS Benchmark coverage)

**Safety:**
- No secrets in remediation manifests
- No actual cluster credentials

**Auditability:**
- Findings cite CIS Benchmark controls
- CVSS scores follow CVSSv3.1 methodology

**Determinism:**
- Same cluster state + inputs = consistent findings

---

## Resources

**CIS Benchmarks:**
- CIS Docker Benchmark: https://www.cisecurity.org/benchmark/docker (accessed 2025-10-26T01:33:55-04:00)
- CIS Kubernetes Benchmark: https://www.cisecurity.org/benchmark/kubernetes (accessed 2025-10-26T01:33:55-04:00)

**Kubernetes Security:**
- Pod Security Standards: https://kubernetes.io/docs/concepts/security/pod-security-standards/ (accessed 2025-10-26T01:33:55-04:00)
- Kubernetes Security Best Practices: https://kubernetes.io/docs/concepts/security/ (accessed 2025-10-26T01:33:55-04:00)
- RBAC Documentation: https://kubernetes.io/docs/reference/access-authn-authz/rbac/ (accessed 2025-10-26T01:33:55-04:00)

**Container Security:**
- Docker Security Best Practices: https://docs.docker.com/engine/security/ (accessed 2025-10-26T01:33:55-04:00)
- Network Policies: https://kubernetes.io/docs/concepts/services-networking/network-policies/ (accessed 2025-10-26T01:33:55-04:00)

Related Skills

Software Supply Chain Security Validator

5
from williamzujkowski/cognitive-toolworks

Validate software supply chain security with SBOM generation, dependency scanning, provenance verification, and SLSA attestation.

Operating System Security Hardening Checker

5
from williamzujkowski/cognitive-toolworks

Verify operating system hardening using CIS benchmarks with patch management, kernel hardening, and host-based firewall validation.

Network Security Architecture Validator

5
from williamzujkowski/cognitive-toolworks

Validate network security architecture with firewall rule analysis, segmentation verification, and defense-in-depth assessment.

IAM Security Reviewer

5
from williamzujkowski/cognitive-toolworks

Review identity and access management using NIST SP 800-63B guidelines with MFA enforcement, password policy, and least privilege validation.

Cryptographic Security Validator

5
from williamzujkowski/cognitive-toolworks

Validate cryptographic implementations using NIST standards with TLS configuration, cipher suite analysis, and certificate lifecycle checks.

Cloud Security Posture Analyzer

5
from williamzujkowski/cognitive-toolworks

Evaluate cloud security posture across AWS, Azure, and GCP with storage exposure checks, IAM policy review, and encryption validation.

Security Assessment Orchestrator

5
from williamzujkowski/cognitive-toolworks

Comprehensive security assessment across application, cloud, container, IAM, network, OS, supply chain, and zero trust using NIST CSF 2.0.

Application Security Validator

5
from williamzujkowski/cognitive-toolworks

Validate application security using OWASP Top 10 2021 and API Security Top 10 guidelines with injection prevention and access control checks.

Container Image Optimizer

5
from williamzujkowski/cognitive-toolworks

Create optimized Dockerfiles with multi-stage builds, security hardening, and vulnerability scanning for minimal, secure container images.

UX Wireframe Designer

5
from williamzujkowski/cognitive-toolworks

Design user experience wireframes, user flows, and interactive mockups for web and mobile applications using industry-standard notation

TypeScript Tooling Specialist

5
from williamzujkowski/cognitive-toolworks

Generate TypeScript/JavaScript project scaffolding with npm/pnpm/yarn, Jest/Vitest, ESLint/Prettier, and bundling (Vite/Rollup/esbuild).

Python Tooling Specialist

5
from williamzujkowski/cognitive-toolworks

Generate Python project scaffolding with Poetry/pipenv, pytest configuration, type hints (mypy), linting (ruff/black), and packaging (setuptools/flit).