configure-container

/configure:container

Check and configure comprehensive container infrastructure against project standards with emphasis on minimal images, non-root users, and security hardening.

When to Use This Skill

| Use this skill when... | Use another approach when... |
|---|---|
| Auditing container infrastructure compliance (Dockerfile, workflows, scanning) | Writing a Dockerfile from scratch (`/configure:dockerfile`) |
| Checking multi-stage builds, non-root users, and security hardening | Configuring Kubernetes deployments (`/configure:skaffold`) |
| Setting up container build workflows with GHCR and multi-platform support | Running vulnerability scans on a built image (Trivy CLI directly) |
| Verifying `.dockerignore`, OCI labels, and base image versions | Configuring devcontainer features for VS Code |
| Adding Trivy/Grype scanning to CI pipelines | Debugging container runtime issues (system-debugging agent) |

Context

  • Dockerfiles: !`find . -maxdepth 2 \( -name 'Dockerfile' -o -name 'Dockerfile.*' -o -name '*.Dockerfile' \) 2>/dev/null`
  • Docker ignore: !`find . -maxdepth 1 -name '.dockerignore' 2>/dev/null`
  • Container workflows: !`find .github/workflows -maxdepth 1 \( -name '*container*' -o -name '*docker*' -o -name '*build*' \) 2>/dev/null`
  • Devcontainer: !`find .devcontainer -maxdepth 1 -name 'devcontainer.json' 2>/dev/null`
  • Skaffold: !`find . -maxdepth 1 -name 'skaffold.yaml' 2>/dev/null`
  • Package files: !`find . -maxdepth 1 \( -name 'package.json' -o -name 'pyproject.toml' -o -name 'Cargo.toml' -o -name 'go.mod' \) 2>/dev/null`
  • Project standards: !`find . -maxdepth 1 -name '.project-standards.yaml' 2>/dev/null`

Parameters

Parse from command arguments:
  • `--check-only`: Report compliance status without modifications (CI/CD mode)
  • `--fix`: Apply fixes automatically without prompting
  • `--component <name>`: Check specific component only (dockerfile, workflow, registry, scanning, devcontainer)

Security Philosophy

Minimal Attack Surface: Smaller images = fewer vulnerabilities. Use Alpine (~5MB) for Node.js, slim (~50MB) for Python.
Non-Root by Default: ALL containers MUST run as non-root users.
Multi-Stage Required: Separate build and runtime environments. Build tools and dev dependencies should NOT be in production images.

Execution

Execute this container infrastructure compliance check:

Step 1: Detect container-related files

Search for Dockerfile, workflow files, devcontainer config, and `.dockerignore`. Detect the project type (frontend, python, go, rust, infrastructure) from package files.

Step 2: Look up latest base image versions

Use WebSearch or WebFetch to verify current versions before flagging outdated images:
  1. Node.js Alpine images: Check Docker Hub for latest LTS Alpine tags
  2. Python slim images: Check Docker Hub for latest slim tags
  3. nginx Alpine: Check Docker Hub for latest Alpine tags
  4. GitHub Actions: Check release pages for latest action versions
  5. Trivy: Check aquasecurity/trivy-action releases

Step 3: Analyze each component

Check each component against standards:

Dockerfile Standards:

| Check | Standard | Severity |
|---|---|---|
| Exists | Required for containerized projects | FAIL if missing |
| Multi-stage | Required (build + runtime stages) | FAIL if missing |
| HEALTHCHECK | Required for K8s probes | FAIL if missing |
| Non-root user | REQUIRED (not optional) | FAIL if missing |
| `.dockerignore` | Required | WARN if missing |
| `.dockerignore` `Dockerfile*` | Use glob to exclude all Dockerfile variants from context | WARN if only `Dockerfile` |
| Base image version | Latest stable (check Docker Hub) | WARN if outdated |
| Minimal base | Alpine for Node, slim for Python | WARN if bloated |

Base Image Standards (verify latest before reporting):

| Language | Build Image | Runtime Image | Size Target |
|---|---|---|---|
| Node.js | `node:24-alpine` (LTS) | `nginx:1.27-alpine` | < 50MB |
| Python | `python:3.13-slim` | `python:3.13-slim` | < 150MB |
| Go | `golang:1.23-alpine` | `scratch` or `alpine:3.21` | < 20MB |
| Rust | `rust:1.84-alpine` | `alpine:3.21` | < 20MB |

Security Hardening Standards:

| Check | Standard | Severity |
|---|---|---|
| Non-root USER | Required (create dedicated user) | FAIL if missing |
| Read-only FS | `--read-only` or RO annotation | INFO if missing |
| No new privileges | `--security-opt=no-new-privileges` | INFO if missing |
| Drop capabilities | `--cap-drop=all` + explicit `--cap-add` | INFO if missing |
| No secrets in image | No ENV with sensitive data | FAIL if found |
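The Dockerfile and hardening checks above are a good fit for a small static checker. The following is an added example, not code from the skill or its REFERENCE.md: it parses a Dockerfile into instructions (handling backslash continuations and comments), then applies the multi-stage, HEALTHCHECK, non-root USER, secrets-in-ENV, pinned-tag and minimal-base rules from the tables, reporting each miss with the severity the tables assign. The two embedded Dockerfiles are constructed samples; the helper names (`parse_instructions`, `check_dockerfile`, `overall`) and the keyword list in `SENSITIVE_ENV` are this example's own choices.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample Dockerfiles (not from the skill or any real project).
NONCOMPLIANT_DOCKERFILE = """\
# single stage, unpinned base, runs as root, secret baked into the image
FROM node:latest
WORKDIR /app
COPY . .
ENV API_KEY=sk-constructed-example-value
RUN npm install
CMD ["node", "server.js"]
"""

COMPLIANT_DOCKERFILE = """\
FROM node:24-alpine AS build
WORKDIR /app
COPY package*.json ./
RUN npm ci
COPY . .
RUN npm run build

FROM node:24-alpine
WORKDIR /app
COPY --from=build /app/dist ./dist
COPY --from=build /app/node_modules ./node_modules
USER node
EXPOSE 3000
HEALTHCHECK --interval=30s --timeout=3s \\
  CMD wget -qO- http://127.0.0.1:3000/healthz || exit 1
CMD ["node", "dist/server.js"]
"""

# Example's own list of ENV key fragments treated as sensitive.
SENSITIVE_ENV = re.compile(r"PASSWORD|SECRET|TOKEN|API_KEY|PRIVATE_KEY", re.IGNORECASE)
Finding = Dict[str, str]


def parse_instructions(text: str) -> List[Tuple[str, str]]:
    """Split a Dockerfile into (INSTRUCTION, arguments) pairs, joining backslash
    continuations and skipping blank lines and comments."""
    result: List[Tuple[str, str]] = []
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        buf += line
        head, _, rest = buf.partition(" ")
        result.append((head.upper(), rest.strip()))
        buf = ""
    return result


def base_image(from_args: str) -> str:
    """Image reference from FROM arguments, dropping --platform flags and the AS alias."""
    tokens = [t for t in from_args.split() if not t.startswith("--")]
    return tokens[0] if tokens else ""


def split_tag(image: str) -> Tuple[str, str]:
    """Split 'name:tag' into (name, tag); a colon in a registry port is not a tag."""
    name, sep, tag = image.rpartition(":")
    if not sep or "/" in tag:
        return image, ""
    return name, tag


def check_dockerfile(text: str) -> List[Finding]:
    """Apply the Dockerfile and hardening checks; an empty list means PASS."""
    ins = parse_instructions(text)
    findings: List[Finding] = []

    def add(check: str, severity: str, detail: str) -> None:
        findings.append({"check": check, "severity": severity, "detail": detail})

    stages = [base_image(a) for i, a in ins if i == "FROM"]
    if len(stages) < 2:
        add("Multi-stage", "FAIL", f"{len(stages)} stage(s); build + runtime stages required")
    if not any(i == "HEALTHCHECK" for i, _ in ins):
        add("HEALTHCHECK", "FAIL", "no HEALTHCHECK instruction for K8s probes")
    # The last USER wins; no USER at all means the process runs as root.
    users = [a.split(":")[0].strip() for i, a in ins if i == "USER"]
    effective_user = users[-1] if users else "root (default)"
    if effective_user in ("root", "0", "root (default)"):
        add("Non-root user", "FAIL", f"effective user is {effective_user}")
    for i, a in ins:
        key = a.split("=")[0]
        if i == "ENV" and SENSITIVE_ENV.search(key):
            add("No secrets in image", "FAIL", f"ENV {key} is baked into the image")
    # The runtime image is the last stage: its tag must be pinned and minimal.
    runtime = stages[-1] if stages else ""
    name, tag = split_tag(runtime)
    if runtime != "scratch":
        if tag in ("", "latest"):
            add("Base image version", "WARN", f"{runtime}: pin a version tag, never latest")
        if not ("alpine" in tag or "slim" in tag or "distroless" in name):
            add("Minimal base", "WARN", f"{runtime}: use an Alpine or slim variant")
    return findings


def overall(findings: List[Finding]) -> str:
    """Collapse findings to the report's overall status."""
    severities = {f["severity"] for f in findings}
    return "FAIL" if "FAIL" in severities else "WARN" if "WARN" in severities else "PASS"


if __name__ == "__main__":
    for label, text in (("noncompliant", NONCOMPLIANT_DOCKERFILE), ("compliant", COMPLIANT_DOCKERFILE)):
        result = check_dockerfile(text)
        print(f"{label}: {overall(result)}")
        for f in result:
            print(f"  {f['check']:<20} {f['severity']:<5} {f['detail']}")
```

Run it against a real Dockerfile by reading the file into `check_dockerfile`. The USER rule deliberately looks at the last USER instruction only, because an earlier `USER app` followed by a later `USER root` still ships an image that starts as root; the runtime-flag checks in the table (`--read-only`, `--cap-drop=all`, `no-new-privileges`) live in the orchestrator manifest rather than the Dockerfile and are out of scope here.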

Build Workflow Standards:

| Check | Standard | Severity |
|---|---|---|
| Workflow exists | container-build.yml or similar | FAIL if missing |
| checkout action | v4+ | WARN if older |
| build-push-action | v6+ | WARN if older |
| Multi-platform | linux/amd64,linux/arm64 | WARN if missing |
| Build caching | GHA cache enabled | WARN if missing |
| Security scan | Trivy/Grype in workflow | WARN if missing |
| `id-token: write` | Required when provenance/SBOM configured | WARN if missing |
| Cache scope | Explicit `scope=` for multi-image builds | WARN if missing |
| Scanner pinned | Trivy/Grype action pinned by SHA (not `@master`) | WARN if unpinned |
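The workflow rows can be checked without a full YAML parser, since every rule keys off a `uses:` reference or a single `key: value` line. This added example (not part of the skill) scans a GitHub Actions workflow text for action majors, the multi-platform list, GHA caching, a Trivy/Grype step pinned by a 40-hex commit SHA, `scope=` when several build steps exist, and `id-token: write` whenever provenance or SBOM is enabled. The sample workflow is constructed, and the 40-zero SHA in the hardened variant is a placeholder for whatever commit you actually pin; `check_workflow` and `major_version` are the example's own names.

```python
import re
from typing import Dict, List, Optional

# Constructed sample workflow with the weak settings the table warns about.
SAMPLE_WORKFLOW = """\
name: container-build
on:
  push:
    branches: [main]
permissions:
  contents: read
  packages: write
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: docker/setup-buildx-action@v3
      - uses: docker/build-push-action@v6
        with:
          push: true
          platforms: linux/amd64
          cache-from: type=gha
          cache-to: type=gha,mode=max
          provenance: true
          sbom: true
      - uses: aquasecurity/trivy-action@master
"""

# The same workflow with each warning fixed; "0" * 40 is a placeholder SHA, not a real commit.
HARDENED_WORKFLOW = (
    SAMPLE_WORKFLOW
    .replace("actions/checkout@v3", "actions/checkout@v4")
    .replace("platforms: linux/amd64", "platforms: linux/amd64,linux/arm64")
    .replace("packages: write", "packages: write\n  id-token: write")
    .replace("aquasecurity/trivy-action@master", "aquasecurity/trivy-action@" + "0" * 40)
)

USES = re.compile(r"^\s*-?\s*uses:\s*([\w.\-/]+)@(\S+)", re.MULTILINE)
SHA40 = re.compile(r"^[0-9a-f]{40}$")
Finding = Dict[str, str]


def major_version(ref: str) -> Optional[int]:
    """Major number from refs like v4 or v6.2.0; None for branches and SHAs."""
    m = re.match(r"v?(\d+)", ref)
    return int(m.group(1)) if m else None


def check_workflow(text: str) -> List[Finding]:
    """Apply the build workflow checks; every finding is a WARN per the table."""
    findings: List[Finding] = []

    def warn(check: str, detail: str) -> None:
        findings.append({"check": check, "severity": "WARN", "detail": detail})

    steps = USES.findall(text)  # [(action, ref), ...] in file order
    for action, ref in steps:
        major = major_version(ref)
        if action == "actions/checkout" and major is not None and major < 4:
            warn("checkout action", f"{action}@{ref}: v4+ required")
        if action == "docker/build-push-action" and major is not None and major < 6:
            warn("build-push-action", f"{action}@{ref}: v6+ required")

    declared = set()
    for line in re.findall(r"platforms:[ \t]*(.+)", text):
        declared.update(p.strip() for p in line.split(","))
    if not {"linux/amd64", "linux/arm64"} <= declared:
        warn("Multi-platform", f"declared {sorted(declared) or 'none'}; need linux/amd64,linux/arm64")
    if "type=gha" not in text:
        warn("Build caching", "no cache-from/cache-to with type=gha")

    scanners = [(a, r) for a, r in steps if "trivy" in a or "grype" in a]
    if not scanners:
        warn("Security scan", "no Trivy/Grype step in workflow")
    for action, ref in scanners:
        # A branch or tag can move; only a full commit SHA pins the scanner.
        if not SHA40.match(ref):
            warn("Scanner pinned", f"{action}@{ref}: pin by commit SHA, not @master or a tag")

    if sum(1 for a, _ in steps if a == "docker/build-push-action") > 1 and "scope=" not in text:
        warn("Cache scope", "several build-push-action steps without explicit scope=")
    if re.search(r"^\s*(provenance|sbom):\s*true", text, re.M) and not re.search(r"^\s*id-token:\s*write", text, re.M):
        warn("id-token: write", "provenance/SBOM enabled but id-token: write permission missing")
    return findings


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"{label}: {len(check_workflow(text))} warning(s)")
        for f in check_workflow(text):
            print(f"  {f['check']:<18} {f['detail']}")
```

A SHA-pinned reference hides the version from `major_version`, so the checkout and build-push rows are skipped for pinned actions; in a real workflow the conventional `# v4.2.2` trailing comment is the place to recover it.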

Container Labels Standards (GHCR Integration):

| Check | Standard | Severity |
|---|---|---|
| `org.opencontainers.image.source` | Required - Links to repository | WARN if missing |
| `org.opencontainers.image.description` | Required - Package description | WARN if missing |
| `org.opencontainers.image.licenses` | Required - SPDX license | WARN if missing |

Run `/configure:dockerfile` for detailed Dockerfile checks if needed.

Step 4: Generate compliance report

Print a formatted compliance report:

```text
Container Infrastructure Compliance Report
==============================================
Project Type: frontend (detected)

Component Status:
  Dockerfile              PASS
  Build Workflow          PASS
  Registry Config         PASS
  Container Scanning      WARN (missing)
  Devcontainer            SKIP (not required)
  .dockerignore           PASS

Dockerfile Checks:
  Multi-stage             2 stages          PASS
  HEALTHCHECK             Present           PASS
  Base images             node:22, nginx    PASS

Build Workflow Checks:
  Workflow                container-build.yml PASS
  checkout                v4                PASS
  build-push-action       v6                PASS
  Multi-platform          amd64,arm64       PASS
  GHA caching             Enabled           PASS

Container Labels Checks:
  image.source            In metadata-action PASS
  image.description       Custom label set  PASS
  image.licenses          Not configured    WARN

Recommendations:
  - Add org.opencontainers.image.licenses label to workflow
  - Add Trivy or Grype vulnerability scanning to CI

Overall: 2 warnings, 1 info
```

If `--check-only`, stop here.

Step 5: Apply fixes (if --fix or user confirms)

  1. Missing Dockerfile: Run `/configure:dockerfile --fix`
  2. Missing build workflow: Create from template in REFERENCE.md
  3. Missing scanning: Add Trivy scanning job
  4. Missing .dockerignore: Create standard .dockerignore from REFERENCE.md
  5. Outdated actions: Update version numbers

Step 6: Update standards tracking

Update `.project-standards.yaml`:

```yaml
components:
  container: "2025.1"
  dockerfile: "2025.1"
  container-workflow: "2025.1"
```

For detailed templates (Dockerfile, workflow, devcontainer, .dockerignore), see REFERENCE.md.

Agentic Optimizations

| Context | Command |
|---|---|
| Quick compliance check | `/configure:container --check-only` |
| Auto-fix all issues | `/configure:container --fix` |
| Dockerfile only | `/configure:container --check-only --component dockerfile` |
| Workflow only | `/configure:container --check-only --component workflow` |
| Scanning only | `/configure:container --fix --component scanning` |
| Find all Dockerfiles | `find . -maxdepth 2 \( -name 'Dockerfile' -o -name 'Dockerfile.*' \) 2>/dev/null` |

Flags

| Flag | Description |
|---|---|
| `--check-only` | Report status without offering fixes |
| `--fix` | Apply fixes automatically |
| `--component <name>` | Check specific component only (dockerfile, workflow, registry, scanning, devcontainer) |

Component Dependencies

```text
Container Infrastructure
├── Dockerfile (required)
│   └── .dockerignore (recommended)
├── Build Workflow (required for CI/CD)
│   ├── Registry config
│   └── Multi-platform builds
├── Container Scanning (recommended)
│   └── SBOM generation (optional)
└── Devcontainer (optional)
    └── VS Code extensions
```

Notes

  • Multi-platform builds: Essential for M1/M2 Mac developers and ARM servers
  • GHCR: GitHub Container Registry is preferred for GitHub-hosted projects
  • Trivy: Recommended scanner for comprehensive vulnerability detection
  • Alpine vs Slim: Use Alpine for Node.js/Go/Rust. Use slim (Debian) for Python (musl compatibility issues)
  • Non-root is mandatory: Never run containers as root in production
  • Version pinning: Always use specific version tags, never `latest`

See Also

  • `/configure:dockerfile` - Dockerfile-specific configuration
  • `/configure:workflows` - GitHub Actions workflow configuration
  • `/configure:skaffold` - Kubernetes development configuration
  • `/configure:security` - Security scanning configuration
  • `/configure:all` - Run all compliance checks
  • `container-development` skill - Container best practices
  • `ci-workflows` skill - CI/CD workflow patterns