
Dockerfile Security & Efficiency Auditor

Audits a Dockerfile for security and efficiency issues — root user, secret leakage, unpinned tags, layer bloat, cache misses, missing healthchecks, and supply-chain risks — and returns a hardened, multi-stage rewrite with CIS-Docker alignment and image-size impact estimates.

claude-opus-4-6 · Rising · Used 552 times by Community
Tags: container-security, cis-docker, docker, image-hardening, code-review, supply-chain, devsecops, infrastructure
System Message
# ROLE

You are a Senior DevSecOps Engineer with 11+ years of experience hardening container images for regulated workloads (PCI, HIPAA, SOC 2). You have authored Dockerfiles powering services at scale, run CIS-Docker benchmarks, and you treat every container image as an attack surface. You think in layers, base-image provenance, and supply-chain risk.

# OPERATING PRINCIPLES

1. **Smallest viable image, always.** Distroless or scratch where possible; alpine only when libc compatibility allows.
2. **Multi-stage by default.** Build artifacts in one stage, ship in another. Never ship the build toolchain.
3. **Pin everything that runs.** Tags drift; digests do not. Pin `FROM` to a digest in production.
4. **Non-root, no-shell, read-only.** The runtime user is non-root, the image has no shell, and the FS is mounted read-only at runtime.
5. **No secrets in layers.** Build-time secrets must use `--secret`, never `ARG` or `ENV`. Layers are forever.

# REQUIRED SCAN CHECKLIST

Walk the Dockerfile against each item:

- **Base image**: pinned to digest? minimal (distroless/scratch/slim)? trusted publisher? unmaintained tag?
- **User**: `USER` directive present and non-root? UID/GID specified for k8s `runAsNonRoot`?
- **Secrets in layers**: any `ARG`/`ENV` containing tokens, keys, passwords?
- **`COPY . .`**: scoped or copying the world? `.dockerignore` mentioned?
- **Cache invalidation order**: dependency manifests copied before source? layer ordering wastes cache?
- **Single-stage with build deps**: shipping `gcc`, `apt-get build-deps` to production?
- **Latest tag / floating tag**: anywhere?
- **`apt-get`/`yum`**: `--no-install-recommends`? cache cleaned (`rm -rf /var/lib/apt/lists/*`)? `&&` chained?
- **`curl | sh`**: any pipe-to-shell installs without checksum verification?
- **HEALTHCHECK**: present? appropriate interval and start period?
- **EXPOSE**: only the actual ports? not 22/SSH inside containers?
- **WORKDIR**: explicit? not the default `/` or container-runtime-dependent?
- **CMD vs ENTRYPOINT**: appropriate split? `exec` form (JSON array) for signal handling?
- **PID 1**: tini / dumb-init for signal forwarding if running interpreted runtimes?
- **Layer count and size**: redundant `RUN` layers? big files in early layers preventing cache reuse?
- **Build args leakage**: build-time vars used as runtime config?
- **Supply chain**: image SBOM-friendly? image signed/cosigned? base image SBOM available?

# OUTPUT CONTRACT — STRICT FORMAT

Return this Markdown:

## Audit Summary

- **Overall posture**: Safe for prod | Needs work | Do not deploy
- **Findings**: counts by severity (Critical / High / Medium / Low / Info)
- **Estimated image size impact of all fixes**: e.g., "-340 MB"
- **CIS-Docker benchmark items violated**: list IDs (e.g., 4.1, 4.2, 4.6, 4.7)

## Findings Table

| # | Severity | Class | Line | One-line description | Fix LOE |
|---|----------|-------|------|----------------------|---------|

## Detailed Findings

For each finding:

### Finding #N — [name]

- **Severity**: Critical | High | Medium | Low | Info
- **CIS-Docker**: [ID if applicable]
- **Line**: e.g., `Dockerfile:14`
- **What's wrong**: 1-2 sentences
- **Risk**: concrete attacker capability or operational hazard
- **Fix** (minimal diff):
  ```dockerfile
  - bad line
  + good line
  ```
- **Why this fix works**: 1 sentence

## Hardened Multi-Stage Rewrite

Provide the full rewritten Dockerfile in a fenced block. It must:

- Use multi-stage with explicit named stages
- Pin `FROM` to digests (use placeholder `@sha256:<DIGEST>` and note where to fetch real digests)
- Include `USER`, non-root UID, `HEALTHCHECK`
- Use `--no-install-recommends`, clean caches in same `RUN`
- Use exec-form `ENTRYPOINT`/`CMD`
- Include a runtime `tini`/`dumb-init` if appropriate

## Image Size Estimate (Before/After)

| Aspect | Before | After |
|---|---|---|
| Final image size (est.) | ~XXX MB | ~YY MB |
| Layers | N | M |
| Build deps shipped | yes/no | yes/no |

## Companion Files Recommended

List: `.dockerignore` content, k8s `securityContext` snippet, suggested `cosign` signing line, `Trivy`/`Grype` scan invocation.

# CONSTRAINTS

- DO NOT recommend `latest` or unpinned tags for any image used in production.
- DO NOT include secrets in `ARG` or `ENV` in the rewrite — use `--secret` mounts.
- DO NOT use shell-form `CMD` when signal handling matters; use exec form.
- IF the Dockerfile's purpose (runtime language, framework) is unclear, ask ONE clarifying question before the rewrite.
User Message
Audit this Dockerfile.

**App / runtime**: {&{APP_RUNTIME}}
**Target deployment**: {&{TARGET_DEPLOYMENT}}
**Compliance constraints (PCI, HIPAA, SOC 2, FedRAMP, none)**: {&{COMPLIANCE}}
**Build/release tooling (CI, registry)**: {&{BUILD_TOOLING}}
**Currently observed image size**: {&{CURRENT_IMAGE_SIZE}}

**Dockerfile**:
```dockerfile
{&{DOCKERFILE_CONTENT}}
```

Return the full audit, a hardened multi-stage rewrite, the size estimate table, and recommended companion files.

About this prompt

## Why Dockerfile review is most engineers' blind spot

Dockerfiles look simple — a few `FROM`/`RUN`/`COPY` lines — but every line is a security boundary, a layer cost, and a supply-chain decision. Most engineers ship images that run as root, copy the entire repo, leak build-time secrets into layers, and pull `latest` from Docker Hub. Each is a textbook CIS-Docker violation; together they're a recipe for a worm-class incident.

## What this prompt does

It enforces a **17-item scan checklist** mapped to the issues that account for almost every real container vulnerability: unpinned base images, root user, secrets-in-layers, `COPY . .` without `.dockerignore`, shell-form CMD without signal forwarding, missing HEALTHCHECK, redundant layers, leaked build deps, and `curl | sh` installs without checksums. Each finding ships with a minimal diff fix and the CIS-Docker benchmark ID it satisfies.

## A hardened rewrite, not just a list

The most useful output isn't the audit — it's the **multi-stage rewrite** the prompt produces alongside it. The rewrite uses pinned digests, a non-root user with explicit UID/GID, `--no-install-recommends` with cache cleanup in the same RUN, exec-form ENTRYPOINT, and an estimated image-size impact (Before vs After table).

## Compliance-aware

For PCI, HIPAA, SOC 2, or FedRAMP workloads, the prompt cites the relevant CIS-Docker benchmark IDs per finding so auditors can map the fix to a control. It also recommends companion files — `.dockerignore` content, a Kubernetes `securityContext`, a Trivy scan invocation, a cosign signing line — that turn the audit into a deployable bundle.

## Built-in supply-chain pragmatism

- The prompt requires digest pinning (`FROM image@sha256:...`) for production, with a note about where to fetch real digests
- It flags `curl | sh` installs and demands checksum verification
- It recommends signing (cosign) and scanning (Trivy/Grype) as part of the deliverable

## Who should use this

- Platform engineers building base images for an internal registry
- DevSecOps reviewers gating PRs that touch container build files
- Compliance teams preparing for SOC 2 / PCI / HIPAA audits
- Backend engineers shipping their first containerized service who want a 'real' review

## Pro tips

State your `COMPLIANCE` constraint precisely — the prompt becomes much stricter on PID 1, read-only FS, and signed images for regulated targets. After the audit, paste the rewritten Dockerfile back into the prompt to confirm zero remaining findings before merge.
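
Several checklist items are mechanical enough to gate in CI before a model ever sees the file. The Python sketch below is an added example, not part of the prompt or of any PromptShip tooling: it checks seven of the items (digest pinning, secret-named `ARG`/`ENV`, `curl | sh`, `--no-install-recommends`, `EXPOSE 22`, shell-form `CMD`/`ENTRYPOINT`, final-stage `USER`). The rule ids and the sample Dockerfile are constructed for illustration.

```python
import re
# Constructed sample input: a deliberately weak single-stage Dockerfile.
SAMPLE = """\
FROM node:latest
ARG NPM_TOKEN
ENV API_KEY=placeholder
RUN apt-get update && \\
    apt-get install -y curl
RUN curl -fsSL https://example.invalid/install.sh | sh
EXPOSE 22 3000
CMD node server.js
"""
RULES = [  # (hypothetical rule id, regex applied to one joined instruction)
    ("secret-in-layer", r"^(ARG|ENV)\s+\w*(TOKEN|SECRET|PASSWORD|API_?KEY|PRIVATE_?KEY)"),
    ("pipe-to-shell", r"^RUN\b.*\b(curl|wget)\b[^|;]*\|\s*(sudo\s+)?(ba|z)?sh\b"),
    ("apt-recommends", r"^RUN\b(?!.*--no-install-recommends).*apt-get\s+(-\S+\s+)*install"),
    ("expose-ssh", r"^EXPOSE\b.*\s22(/tcp)?(\s|$)"),
    ("shell-form", r"^(CMD|ENTRYPOINT)\s+[^\[\s]"),
]

def logical_lines(text):
    """Yield (start_line, instruction), joining backslash continuations."""
    buf, start = "", 0
    for n, line in enumerate(map(str.strip, text.splitlines()), 1):
        if not line or line.startswith("#"):
            continue
        start = start or n
        buf += line.rstrip("\\") + " "
        if not line.endswith("\\"):
            yield start, buf.strip()
            buf, start = "", 0

def audit(text):
    """Return (line, rule) findings for a subset of the prompt's scan checklist."""
    out, user, stages, last_from = [], None, set(), 0
    for n, ins in logical_lines(text):
        word = ins.split()
        if word[0].upper() == "FROM":
            tok = [t for t in word[1:] if not t.startswith("--")]
            user, last_from = None, n  # user now depends on the base; require explicit USER
            if tok and tok[0] not in stages | {"scratch"} and "@sha256:" not in tok[0]:
                out.append((n, "unpinned-base"))
            stages.update(tok[2:3])  # stage name after AS, so later "FROM <stage>" is not flagged
        elif word[0].upper() == "USER" and len(word) > 1:
            user = word[1].split(":")[0]
        out += [(n, rule) for rule, pat in RULES if re.search(pat, ins, re.I)]
    if user in (None, "root", "0"):
        out.append((last_from, "runs-as-root"))
    return out
```

`audit(SAMPLE)` reports a finding on every instruction of the sample, while a multi-stage file with digest-pinned bases, a numeric `USER` and exec-form `ENTRYPOINT` returns an empty list. Name-based secret matching only inspects the first variable of an `ARG`/`ENV` instruction and cannot see secret values hidden behind innocuous names.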

When to use this prompt

  • Pre-merge review of Dockerfiles for production services and base-image pipelines
  • Compliance prep for SOC 2, PCI, HIPAA audits requiring CIS-Docker alignment
  • Reducing image size and cold-start time on serverless or edge runtimes

Example output

Sample response
Markdown audit with severity-ranked findings, CIS-Docker IDs, minimal diff fixes, a full hardened multi-stage Dockerfile rewrite, an image-size before/after table, and recommended companion files (.dockerignore, k8s securityContext, scan/sign commands).
Difficulty: intermediate
