
endor-container

Scan container images and analyze Dockerfiles for security issues. Use when the user says "scan my Docker image", "Dockerfile security", "container scan", "endor container", "docker compose security", or is creating/modifying Dockerfiles and docker-compose files. Checks for root user, latest tags, exposed ports, secrets in build args, and missing health checks. Do NOT use for application code scanning (/endor-sast).

73

Quality

89%

Does it follow best practices?

Impact

No eval scenarios have been run

Security by Snyk

Passed

No known issues


Quality

Discovery

100%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

This is an excellent skill description that hits all the marks. It provides specific capabilities, comprehensive trigger terms, explicit 'Use when' and 'Do NOT use' clauses, and clearly distinguishes itself from related skills like SAST scanning. The inclusion of concrete security checks (root user, latest tags, exposed ports, etc.) gives Claude strong context for when to select this skill.

| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: scan container images, analyze Dockerfiles, checks for root user, latest tags, exposed ports, secrets in build args, and missing health checks. | 3 / 3 |
| Completeness | Clearly answers both 'what' (scan container images, analyze Dockerfiles for specific security issues) and 'when' (explicit 'Use when...' clause with multiple trigger phrases), plus includes a 'Do NOT use' boundary condition. | 3 / 3 |
| Trigger Term Quality | Excellent coverage of natural trigger terms users would say: 'scan my Docker image', 'Dockerfile security', 'container scan', 'endor container', 'docker compose security', plus mentions Dockerfiles and docker-compose files. | 3 / 3 |
| Distinctiveness / Conflict Risk | Very distinct niche focused on container/Docker security scanning with clear boundaries. The explicit 'Do NOT use for application code scanning (/endor-sast)' clause actively prevents conflict with related skills. | 3 / 3 |
| Total | | 12 / 12 |

Passed

Implementation

79%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

This is a well-structured, actionable skill that efficiently covers container security scanning across Dockerfiles, Docker Compose files, and container images. Its main strengths are the concise table-based issue catalogs with concrete patterns and fixes, plus complete executable examples. The primary weaknesses are the lack of validation/feedback loops after remediation and the monolithic structure that could benefit from splitting detailed sections into referenced files.

Suggestions

Add a validation step after presenting the secured Dockerfile/Compose, such as re-scanning or running a linter (e.g., hadolint) to confirm issues are resolved before proceeding.

Consider splitting the Docker Compose analysis and Image Scanning sections into separate referenced files to improve progressive disclosure and reduce the main skill's token footprint.

| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The content is lean and well-structured using tables for pattern/fix pairs, avoiding unnecessary explanations. It assumes Claude knows Docker concepts and doesn't waste tokens explaining what Dockerfiles or containers are. | 3 / 3 |
| Actionability | Provides concrete, executable examples including a complete secured Dockerfile, a secured docker-compose.yml, and a specific CLI command for image scanning. The pattern/fix tables give specific, actionable guidance for each issue. | 3 / 3 |
| Workflow Clarity | Steps are clearly sequenced for Dockerfile analysis, Docker Compose analysis, and image scanning. However, there are no explicit validation checkpoints or feedback loops: after presenting a secured version, there's no step to verify the fixes were applied correctly or re-scan to confirm issues are resolved. | 2 / 3 |
| Progressive Disclosure | The content references `references/data-sources.md` and cross-references other skills like `/endor-scan`, `/endor-cicd`, and `/endor-policy`, which is good. However, the skill is fairly long with all content inline, and the Dockerfile analysis, Docker Compose analysis, and image scanning sections could potentially be split into separate reference files for better organization. No bundle files are provided to support the reference. | 2 / 3 |
| Total | | 10 / 12 |

Passed

Validation

100%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 11 / 11 Passed

Validation for skill structure

No warnings or errors.

Repository: endorlabs/skills-ideas (Reviewed)
