Stats
Actions
Tags
Review and harden a Dokku host and its apps for DevSecOps. Use when auditing SSH deploy keys, restricting container privileges via docker-options, ensuring apps are only exposed through the proxy, reviewing the event/audit log, managing private registry auth, checking TLS and secret hygiene, or cleaning up dangling images to reduce attack surface. Audit is read-only; hardening changes are confirmed first. Targets Dokku 0.37.x.
How this skill is triggered — by the user, by Claude, or both
Slash command
/dokku-devsecops-skills:dokku-security-hardeningThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
**Version:** Dokku 0.37.x. **Safety:** the audit commands below are read-only. Every hardening change (`ssh-keys:add/remove`, `docker-options:add/remove`, `ports:*`, `cleanup`, `registry:login`) can break deploys or running apps — **review on staging and confirm with the operator before applying**. Items beyond documented Dokku behavior are labelled **(recommendation)**.
Version: Dokku 0.37.x. Safety: the audit commands below are read-only. Every hardening change (ssh-keys:add/remove, docker-options:add/remove, ports:*, cleanup, registry:login) can break deploys or running apps — review on staging and confirm with the operator before applying. Items beyond documented Dokku behavior are labelled (recommendation).
dokku ssh-keys:list # read-only: every authorized deploy key
dokku ssh-keys:list --format json
dokku ssh-keys:add <name> /path/to/key # add a named key (confirm)
dokku ssh-keys:remove <name> # revoke (confirm)
(recommendation) One named key per person/CI system; remove keys for departed users/decommissioned pipelines. Treat this list as your deploy-access ACL.
docker-options)dokku docker-options:report <app> # read-only: current run/build/deploy flags
dokku docker-options:add <app> deploy,run "--security-opt=no-new-privileges"
dokku docker-options:add <app> deploy,run "--cap-drop=ALL"
dokku docker-options:add <app> deploy,run "--read-only"
dokku docker-options:remove <app> <phase(s)> "<flag>"
(recommendation) For internet-facing apps, drop all Linux capabilities, set no-new-privileges, and consider a read-only root filesystem (mount writable paths via the storage plugin). Test each flag on staging — --read-only and --cap-drop=ALL break apps that write to disk or need specific capabilities.
dokku ports:report <app> # read-only
(recommendation) Serve apps only through the proxy (http:80/https:443 → container port). Avoid ports:add of arbitrary host ports unless a non-HTTP service genuinely needs it; each extra host port is attack surface. Sweep the fleet and question any non-80/443 host port.
dokku-tls-letsencrypt); redirect HTTP→HTTPS at the proxy or via the redirect plugin.dokku-config-secrets): dokku config:keys <app>.config:set.dokku registry:report <app> # read-only
dokku registry:login --password-stdin --global <server> <user> # creds via stdin, not argv
(recommendation) Pass credentials via --password-stdin so they don't land in shell history or the process list.
dokku events:list # read-only: history of dokku commands
(recommendation) Keep events enabled and ship the audit trail off-host (see dokku-logs-events-trace). Ensure dokku trace:off in production — trace output can leak secrets.
dokku cleanup # remove exited containers + dangling images (confirm)
npx claudepluginhub shooding/dokku-devsecops-skills --plugin dokku-devsecops-skillsProvides CDSS development patterns for drug interaction checking, dose validation, clinical scoring (NEWS2, qSOFA), and alert classification integrated into EMR workflows.