security-review-skill-for-docker
Audits Docker and Kubernetes deployments for security issues, ensuring compliance and best practices in container configurations.
Security score: 0/100
The security-review-skill-for-docker skill was audited on May 12, 2026. The audit found 10 security issues across 2 threat categories, including 2 critical. Each finding quotes the SKILL.md line that triggered it; as the quoted lines show, several matches are checklist rules that name the pattern they forbid (for example the rule against `curl|bash`), so compare each finding with the quoted context before deciding whether it applies. Review the findings below before installing.

Security Issues
HIGH, line 182: Template literal with variable interpolation in command context
Source: SKILL.md:182: | C7 | No plaintext secrets in environment variables | HIGH | Secrets under `environment:` must be referenced as `${VAR}` or from `.env`, never written in plaintext | |

HIGH, line 252: Template literal with variable interpolation in command context
Source: SKILL.md:252: | The `environment:` values in compose are `${VAR}` references (not plaintext) | Safe | |

CRITICAL, line 168: Piping content to bash shell
Source: SKILL.md:168: | F13 | No pipe to shell | HIGH | Forbid `curl|bash` / `wget|sh` | |

CRITICAL, line 168: Piping content to sh shell
Source: SKILL.md:168: | F13 | No pipe to shell | HIGH | Forbid `curl|bash` / `wget|sh` | |

LOW, line 87: Access to .env file
Source: SKILL.md:87: Grep("COPY.*\\.env|ADD.*\\.env", glob="*Dockerfile*") # forbid copying .env

MEDIUM, line 160: Access to .env file
Source: SKILL.md:160: | F5 | No COPY .env | CRITICAL | Forbid `COPY .env` / `ADD .env` / `COPY *.env` | |

MEDIUM, line 169: Access to .env file
Source: SKILL.md:169: | F14 | .dockerignore present | MEDIUM | The project root must contain a .dockerignore that excludes .git/.env/node_modules/*.key | |

MEDIUM, line 182: Access to .env file
Source: SKILL.md:182: | C7 | No plaintext secrets in environment variables | HIGH | Secrets under `environment:` must be referenced as `${VAR}` or from `.env`, never written in plaintext | |

MEDIUM, line 213: Access to .env file
Source: SKILL.md:213: 4. **Does .dockerignore exclude .env while compose COPYs it anyway** → cross-check

MEDIUM, line 229: Access to .env file
Source: SKILL.md:229: | D5 | Secret management (.env / hard-coded / build args) | [ ] | |
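The rules quoted in the findings above (F5 no COPY/ADD of .env, F13 no pipe to shell, F14 .dockerignore present, C7 no plaintext secrets under compose `environment:`) describe grep-style checks over a Dockerfile, a .dockerignore and a compose file. The script below is an added example written for this page, not the skill's own code, showing one way to implement those four checks and exercising them against two constructed sample projects. The rule ids come from the quoted rows; the file layout (Dockerfile and docker-compose.yml in the project root), the sample file contents, the host example.invalid and the secret-key heuristic (key names containing PASSWORD, SECRET, TOKEN or KEY) are assumptions made for the example.

```sh
#!/bin/sh
# Added example (not the skill's own code): a minimal implementation of the
# checks behind the flagged SKILL.md rules: F5 (no COPY/ADD of .env),
# F13 (no curl|bash / wget|sh in RUN), F14 (.dockerignore present and
# excluding .env) and C7 (no plaintext secrets under compose environment:).
# File layout and sample contents are constructed for this example.

# audit_project DIR: print one "RULE: file:line:content" line per finding.
audit_project() {
  dir=$1
  dockerfile="$dir/Dockerfile"
  compose="$dir/docker-compose.yml"
  Q="[\"']?"   # optional quote character in front of a value

  if [ -f "$dockerfile" ]; then
    # F5: any COPY/ADD whose arguments name a .env file (.env, *.env, ./.env)
    grep -En '^[[:space:]]*(COPY|ADD)[[:space:]].*\.env([[:space:]]|$)' "$dockerfile" \
      | sed "s|^|F5: $dockerfile:|"
    # F13: downloaded content piped into a shell inside a RUN step
    # (single-line RUN only; backslash-continued lines are not joined here)
    grep -En '^[[:space:]]*RUN[[:space:]].*(curl|wget)[^|]*[|][[:space:]]*(sudo[[:space:]]+)?(ba|z|da)?sh([[:space:]]|$)' "$dockerfile" \
      | sed "s|^|F13: $dockerfile:|"
  fi

  # F14: .dockerignore must exist and list .env (also accepts **/.env, .env*)
  if [ ! -f "$dir/.dockerignore" ]; then
    echo "F14: $dir: no .dockerignore"
  elif ! grep -Eq '^(\*\*/)?\.env(\*)?[[:space:]]*$' "$dir/.dockerignore"; then
    echo "F14: $dir/.dockerignore: does not exclude .env"
  fi

  # C7: secret-looking keys (assumed heuristic: PASSWORD/SECRET/TOKEN/KEY)
  # assigned a literal value. A value starting with $ (e.g. ${DB_PASSWORD})
  # is a reference and a bare "- KEY" with no value is passed through from
  # the host, so neither is flagged. This is a line heuristic, not a YAML
  # parser: it does not restrict itself to the environment: block.
  if [ -f "$compose" ]; then
    grep -En '^[[:space:]]*(-[[:space:]]*)?[A-Za-z0-9_]*(PASSWORD|SECRET|TOKEN|KEY)[A-Za-z0-9_]*[[:space:]]*[=:]' "$compose" \
      | grep -Ev "[=:][[:space:]]*$Q"'\$' \
      | sed "s|^|C7: $compose:|"
  fi
  return 0
}

# count_findings DIR: number of finding lines for DIR (0 means clean).
count_findings() {
  audit_project "$1" | awk 'END { print NR }'
}

# make_sample_projects: write a clean and a failing project under a temp
# directory and print that directory. All contents are constructed.
make_sample_projects() {
  root=$(mktemp -d)
  mkdir -p "$root/clean" "$root/bad"

  cat > "$root/clean/Dockerfile" <<'EOF'
FROM python:3.12-slim
WORKDIR /app
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt
COPY src/ ./src/
EOF
  printf '.git\n.env\nnode_modules\n*.key\n' > "$root/clean/.dockerignore"
  cat > "$root/clean/docker-compose.yml" <<'EOF'
services:
  api:
    build: .
    environment:
      - DB_PASSWORD=${DB_PASSWORD}
      - LOG_LEVEL=info
      - JWT_SECRET
EOF

  # Failing project: copies .env, pipes a download to bash, has no
  # .dockerignore, and hard-codes two secrets in compose.
  cat > "$root/bad/Dockerfile" <<'EOF'
FROM python:3.12-slim
WORKDIR /app
COPY .env .env
RUN curl -fsSL https://example.invalid/install.sh | bash
COPY src/ ./src/
EOF
  cat > "$root/bad/docker-compose.yml" <<'EOF'
services:
  api:
    build: .
    environment:
      DB_PASSWORD: hunter2
      API_TOKEN: "abc123"
      LOG_LEVEL: debug
EOF
  echo "$root"
}

# Usage: sh audit.sh [DIR]. With no argument, audit the constructed samples.
if [ "$#" -gt 0 ]; then
  audit_project "$1"
else
  root=$(make_sample_projects)
  for p in clean bad; do
    echo "== $p: $(count_findings "$root/$p") finding(s)"
    audit_project "$root/$p"
  done
  rm -rf "$root"
fi
```

Run against the samples, the clean project produces no findings and the failing one produces five (one each for F5, F13 and F14, and two C7 lines for the hard-coded DB_PASSWORD and API_TOKEN). The C7 check is intentionally a line heuristic: it will also flag a key such as PUBLIC_KEY_URL, and a production implementation should parse the YAML and scope the check to the `environment:` block. The F13 pattern only inspects single-line RUN instructions, so a multi-line RUN that continues with a backslash needs the lines joined before matching.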