From ponytail-sec
Binary Dockerfile image-build hardening check. Use when reviewing Dockerfiles, container image builds, multi-stage builds, runtime users, pinned bases, or reproducible dependency installs. Minimal output only: OK or NOT_OK: RULE, RULE.
How this skill is triggered: by the user, by Claude, or both.
Slash command: /ponytail-sec:dockerfile
Ask once before enforcing:
Enforce dockerfile skill? (yes / no)
If no: stop.
If yes: inspect locally. Do not web-search by default. Web-search only if the user asks or the Dockerfile uses a platform feature whose semantics are unknown.
Return exactly one line:
OK
NOT_OK: RULE, RULE
No severity. No advisory text. No maybes. If a rule cannot be verified, it is not OK.
All rules are mandatory.
NON_ROOT — final image must set USER to a non-root user or a numeric UID that is not 0.
MULTI_STAGE — production Dockerfile must use more than one FROM and copy only the runtime result into the final stage.
LEAN_FINAL — final stage must not install or retain package managers, compilers, build tools, caches, or test tooling.
PIN_BASE — every FROM must be pinned to a non-floating tag or digest; no latest, no untagged images. Digest wins.
REPRO_DEPS — dependency installation must use reproducible inputs: lockfile, hash-pinned requirements, vendor directory, or equivalent. Raw manifest-only installs are not OK.
Example output:
OK
NOT_OK: NON_ROOT, PIN_BASE, REPRO_DEPS
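The five rules above, applied mechanically by a small Python checker. This is an added example written for this page, not part of the ponytail-sec skill (the skill is a prompt followed by Claude, not a program). The two sample Dockerfiles are constructed; rule detection is heuristic (pip, npm and yarn installs, and common package-manager and compiler invocations, are recognised), and anything the file alone cannot prove, such as a USER taken from a variable or a Dockerfile with no recognised dependency install, is reported as not OK, following the skill's "cannot be verified" clause.

```python
import re

RULES = ("NON_ROOT", "MULTI_STAGE", "LEAN_FINAL", "PIN_BASE", "REPRO_DEPS")

# Package-manager / compiler invocations that should not appear in the final stage (heuristic).
BUILD_TOOLING = re.compile(
    r"\b(?:apt-get\s+install|apt\s+install|apk\s+add|yum\s+install|dnf\s+install"
    r"|pip3?\s+install|npm\s+(?:install|ci|i)|yarn\s+install|go\s+build|cargo\s+build"
    r"|gcc|cc|make|cmake)\b")


def parse(text):
    """Return [(INSTRUCTION, args)] with comments dropped and backslash continuations joined."""
    instrs, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # comments may sit inside a continuation
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        parts = buf.split(None, 1)
        instrs.append((parts[0].upper(), parts[1] if len(parts) > 1 else ""))
        buf = ""
    return instrs


def split_stages(instrs):
    """Group instructions into build stages, one list per FROM."""
    stages = []
    for ins in instrs:
        if ins[0] == "FROM":
            stages.append([])
        if stages:
            stages[-1].append(ins)
    return stages


def from_parts(args):
    """Extract (image, alias) from FROM args, ignoring flags such as --platform."""
    toks = [t for t in args.split() if not t.startswith("--")]
    image, alias = (toks[0] if toks else ""), None
    for i, t in enumerate(toks):
        if t.upper() == "AS" and i + 1 < len(toks):
            alias = toks[i + 1]
    return image, alias


def non_root_ok(final):
    user = None
    for ins, args in final:
        if ins == "USER":
            user = args.split(":")[0].strip()     # "uid:gid" -> uid
    if not user or user.startswith("$"):          # absent or variable: cannot verify
        return False
    return user not in ("root", "0")


def multi_stage_ok(stages):
    if len(stages) < 2:
        return False
    return any(ins == "COPY" and "--from=" in args for ins, args in stages[-1])


def lean_final_ok(final):
    return not any(ins == "RUN" and BUILD_TOOLING.search(args) for ins, args in final)


def pin_base_ok(stages):
    aliases = set()
    for stage in stages:
        image, alias = from_parts(stage[0][1])
        if image not in aliases and "@sha256:" not in image:   # digest wins
            name = image.rsplit("/", 1)[-1]       # drop registry/namespace before tag check
            if ":" not in name or name.endswith(":latest"):
                return False
        if alias:
            aliases.add(alias)
    return True


def repro_deps_ok(instrs):
    """pip needs --require-hashes, npm needs ci, yarn needs a frozen lockfile."""
    seen = False
    for ins, args in instrs:
        if ins != "RUN":
            continue
        for cmd in re.split(r"\s*(?:&&|\|\||;)\s*", args):
            if re.search(r"\bpip3?\s+install\b", cmd):
                seen = True
                if "--require-hashes" not in cmd:
                    return False
            elif re.search(r"\bnpm\s+(?:install|i)\b", cmd):
                return False                      # manifest-only install
            elif re.search(r"\bnpm\s+ci\b", cmd):
                seen = True
            elif re.search(r"\byarn\s+install\b", cmd):
                seen = True
                if "--frozen-lockfile" not in cmd and "--immutable" not in cmd:
                    return False
    return seen                                   # no recognised install: not verifiable


def check(text):
    """Return the skill's one-line verdict: 'OK' or 'NOT_OK: RULE, RULE'."""
    instrs = parse(text)
    stages = split_stages(instrs)
    if not stages:
        return "NOT_OK: " + ", ".join(RULES)
    final = stages[-1]
    results = {"NON_ROOT": non_root_ok(final), "MULTI_STAGE": multi_stage_ok(stages),
               "LEAN_FINAL": lean_final_ok(final), "PIN_BASE": pin_base_ok(stages),
               "REPRO_DEPS": repro_deps_ok(instrs)}
    failed = [r for r in RULES if not results[r]]
    return "OK" if not failed else "NOT_OK: " + ", ".join(failed)


# Constructed sample: floating tag, single stage, manifest-only pip install, no USER.
WEAK_DOCKERFILE = """
FROM python:latest
WORKDIR /app
COPY requirements.txt .
RUN pip install -r requirements.txt
COPY . .
CMD ["python", "app.py"]
"""

# Constructed sample: pinned tag, build stage, hash-checked deps, lean final stage, numeric UID.
HARDENED_DOCKERFILE = r"""
FROM python:3.12-slim AS build
WORKDIR /app
COPY requirements.txt .
RUN pip install --no-cache-dir --require-hashes -r requirements.txt \
    --target /app/deps
COPY . .

FROM python:3.12-slim
COPY --from=build /app /app
WORKDIR /app
USER 10001:10001
CMD ["python", "app.py"]
"""

if __name__ == "__main__":
    print(check(WEAK_DOCKERFILE))       # NOT_OK: NON_ROOT, MULTI_STAGE, LEAN_FINAL, PIN_BASE, REPRO_DEPS
    print(check(HARDENED_DOCKERFILE))   # OK
```

The verdict lists failing rules in the fixed order of RULES, so two runs over the same file are comparable. The checker deliberately errs toward NOT_OK: a stage alias reused as a base is accepted only because its own FROM was already pinned, and a Dockerfile whose dependency install it does not recognise fails REPRO_DEPS rather than passing silently.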
npx claudepluginhub andypitcher/ponytail-sec --plugin ponytail-sec