Claude Security Marketplace
A Claude Code plugin marketplace hosting security-focused plugins.
Layout
```
.
├── .claude-plugin/
│   └── marketplace.json          # Marketplace manifest
├── plugins/
│   └── secure-container-review/  # Plugin: Dockerfile security analysis
│       ├── .claude-plugin/
│       │   └── plugin.json
│       ├── skills/
│       │   └── secure-container-review/
│       │       ├── SKILL.md
│       │       └── references/
│       └── tests/
├── tests/                        # Schema validation tests (pytest)
├── Dockerfile                    # Chainguard-based test runner
├── Makefile
└── requirements.txt
```
Plugins
Security frameworks assessed and mapped
Plugins in this marketplace produce findings that cite specific control identifiers from established security frameworks, so downstream GRC, audit, and FedRAMP assessment teams can trace each finding back to their own catalogs without re-deriving the mapping. Each plugin's SKILL.md documents the exact per-rule mapping; the full reference text lives under plugins/<plugin>/skills/<skill>/references/.
The frameworks the marketplace's skills assess against:
| Framework | What it is | How the skills use it |
|---|---|---|
| NIST Cybersecurity Framework 2.0 | Outcome-oriented framework most boards and risk committees read. Released Feb 2024; introduces the new PR.PS (Platform Security) function. | Findings tagged with CSF subcategories — primarily under GV.SC (Supply Chain Risk Management), PR.AA (Identity / Access Control), PR.DS (Data Security), PR.PS (Platform Security), PR.IR (Infrastructure Resilience), ID.AM / ID.RA (Asset Management, Risk Assessment). For audiences still on CSF 1.1, PR.PS controls fall back to PR.IP-01, PR.IP-03, PR.DS-06. |
| NIST SP 800-190 | The container-specific NIST publication. §4 covers image risks; §5 covers orchestrator and runtime risks. | Findings cite specific sections (§4.1 image vulnerabilities, §4.4 secrets, §4.5 untrusted images, §4.6 registry security). This is the standard most container-image findings map to. |
| NIST SP 800-53 Rev. 5 | The prescriptive control catalog U.S. federal auditors map to. | Findings cite specific control IDs. The two controls that drive the largest number of findings are AC-6 (Least Privilege) and CM-7 (Least Functionality) — every form of "this doesn't belong in a production container" maps to one or both. Supply-chain findings cluster in the SR family (SR-3, SR-4, SR-5, SR-6, SR-9, SR-10, SR-11). Cryptographic findings cite SC-8/12/13/28. Secret findings cite IA-5. |
| NIST SSDF (SP 800-218) | Secure Software Development Framework. | Findings cite SSDF practices — primarily PO 1.1 (define security requirements), PW 1.2 (protect code from unauthorized access), PW 4.1 / PW 4.4 (reuse from approved sources, well-secured software), RV 1.1 (identify vulnerabilities). |
| CIS Docker Benchmark | Industry-standard image and runtime hardening benchmark from the Center for Internet Security. | Findings cite specific benchmark sections — image checks under section 4 (e.g., 4.1 USER, 4.5 unnecessary packages, 4.6 HEALTHCHECK, 4.10 no secrets in Dockerfiles); runtime checks under section 5 (5.4 privileged, 5.12 read-only rootfs, 5.25 no new privileges). |
| FedRAMP Vulnerability Scanning Requirements for Containers | FedRAMP-specific container scanning requirements. | Cited on supply-chain and image-source findings (Rules #10, #13) when in scope. Pairs with FedRAMP Moderate/High baselines. |
| FIPS 140-2 / FIPS 140-3 | Cryptographic module validation standard. | Cited only when FIPS context is declared (config flag, LABEL compliance.fips="required", repo marker, or explicit prompt). Triggers Rule #14: require a FIPS-variant base, reject explicit disabling, warn that FIPS image ≠ FIPS application configuration. |
| DISA STIG | DoD Security Technical Implementation Guides. | Container Platform STIG and Kubernetes STIG cited where applicable; relevant for DoD SRG IL4/IL5 workloads. |
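
The following Python example is added here for illustration and is not code from this repository: it shows the shape of a finding that cites control identifiers from the table above, and detects the `LABEL compliance.fips="required"` context marker. The rule names, the pairing of checks to controls, and the sample Dockerfile are assumptions of the example; the plugin's actual per-rule mapping is in its SKILL.md.

```python
import re
# Control IDs come from the table above; pairing them with these checks is assumed.
CONTROLS = {
    "no-nonroot-user": ["CIS Docker 4.1", "NIST SP 800-53 AC-6"],
    "no-healthcheck": ["CIS Docker 4.6"],
    "secret-in-dockerfile": ["CIS Docker 4.10", "NIST SP 800-53 IA-5", "NIST SP 800-190 §4.4"],
}
SECRET_KEY = re.compile(r"\b(\w*(?:PASSWORD|SECRET|TOKEN|API_?KEY)\w*)=\S", re.I)
FIPS_LABEL = re.compile(r'compliance\.fips\s*=\s*"?required"?', re.I)

def instructions(dockerfile):
    """Yield (INSTRUCTION, args) with backslash continuations joined."""
    joined = re.sub(r"\\[ \t]*\n", " ", dockerfile)
    for line in map(str.strip, joined.splitlines()):
        if line and not line.startswith("#"):
            word, _, args = line.partition(" ")
            yield word.upper(), args.strip()

def finding(rule, evidence):
    return {"rule": rule, "evidence": evidence, "controls": CONTROLS[rule]}

def review(dockerfile):
    """Return (findings, fips_declared); USER/HEALTHCHECK are judged on the final stage."""
    findings, user, has_health, fips = [], None, False, False
    for word, args in instructions(dockerfile):
        if word == "FROM":  # new stage resets state; base-image defaults are not inspected
            user, has_health = None, False
        elif word == "USER":
            user = args.split(":")[0]
        elif word == "HEALTHCHECK":
            has_health = args.upper() != "NONE"
        elif word in ("ENV", "ARG") and (m := SECRET_KEY.search(args)):
            findings.append(finding("secret-in-dockerfile", f"{word} {m.group(1)}"))  # key only, never the value
        elif word == "LABEL" and FIPS_LABEL.search(args):
            fips = True
    if user in (None, "root", "0"):
        findings.append(finding("no-nonroot-user", f"USER {user or 'unset'}"))
    if not has_health:
        findings.append(finding("no-healthcheck", "no HEALTHCHECK in final stage"))
    return findings, fips

# Constructed sample input (hypothetical image names and values).
SAMPLE = """FROM example.invalid/base:1.0 AS build
ENV DB_PASSWORD=changeme
FROM example.invalid/runtime:1.0
LABEL compliance.fips="required" \\
      team="constructed"
USER root
"""
```

`review(SAMPLE)` returns the findings together with a flag saying whether FIPS context was declared, which a caller can use to decide whether FIPS 140 citations apply at all.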