Generate secure Dockerfiles, apko/melange configurations, and migrate existing projects to use Chainguard Containers.
- Dockerfile Generation: Create secure, minimal Dockerfiles using Chainguard Containers
- Dockerfile Migration: Convert existing Dockerfiles to use Chainguard Containers with the dfc (Dockerfile Converter) MCP server
- apko Configurations: Generate apko YAML files for custom Wolfi-based images
- Best Practices: Automatic application of security and container best practices
- Multi-stage Builds: Proper separation of build and runtime environments
- Intelligent Mapping: Uses Chainguard's built-in image and package mappings
This plugin includes:
- dfc MCP Server: Automated Dockerfile conversion using Chainguard's mapping database
- AI Skills: Expert guidance for generation, migration, and best practices
- Built-in Mappings: Comprehensive image and package conversion tables
- Docker or similar: Required to run the dfc MCP server container
- Internet access to pull
cgr.dev/chainguard/dfc-mcp
Users can install this plugin by adding the Chainguard marketplace:
/plugin marketplace add https://github.com/chainguard-demo/claude-plugins.git
/plugin install chainguard-codegen@chainguard-pluginsThe dfc MCP server container will be automatically pulled from GitHub Container Registry and run when needed. The container is:
- Built on Chainguard's minimal base images
- Signed with Sigstore cosign
- Includes an SBOM (Software Bill of Materials)
- Automatically updated when dfc changes
Ask Claude Code to generate Dockerfiles with Chainguard Containers:
"Generate a Dockerfile for a Python Flask app using Chainguard Containers"
"Create a multi-stage Dockerfile for a Node.js application"
"Generate a Dockerfile for a Go service that produces a static binary"
The plugin will:
- Select the appropriate Chainguard base image
- Use multi-stage builds when beneficial
- Set up non-root users correctly
- Apply security best practices
- Minimize image layers and size
Migrate existing Dockerfiles to Chainguard Containers:
"Migrate this Dockerfile to use Chainguard Containers"
"Convert my python:3.12-slim Dockerfile to Chainguard"
"Help me switch from Alpine to Chainguard Containers"
The plugin will:
- Use the dfc MCP server for automated conversion with built-in mappings
- Identify the current base image
- Map to the appropriate Chainguard equivalent
- Convert package manager commands (apt-get → apk)
- Handle permission and path changes
- Adjust for non-root user requirements
- Explain the security benefits
When you ask Claude Code to migrate Dockerfiles, it can use these MCP tools:
-
convert_dockerfile: Converts a complete Dockerfile using Chainguard's mapping database- Handles FROM line mapping
- Converts RUN commands with package managers
- Applies tag mapping logic
- Maintains comments and formatting
-
analyze_dockerfile: Analyzes Dockerfile structure before migration- Identifies package managers used
- Detects base images
- Reports multi-stage build structure
Create apko YAML files for custom Wolfi-based images:
"Generate an apko config for a Python web application"
"Create an apko.yaml for a custom Nginx image"
"Build an apko configuration with PostgreSQL and utilities"
The plugin will:
- Select necessary Wolfi packages
- Configure non-root user (UID 65532)
- Set proper entrypoint and environment
- Keep the image minimal and secure
| Use Case | Image | Variants |
|---|---|---|
| Python | cgr.dev/chainguard/python |
:latest, :latest-dev, -fips |
| Node.js | cgr.dev/chainguard/node |
:latest, :latest-dev |
| Go | cgr.dev/chainguard/go |
:latest (builder) |
| Static binaries | cgr.dev/chainguard/static |
:latest (runtime) |
| Nginx | cgr.dev/chainguard/nginx |
:latest |
| PostgreSQL | cgr.dev/chainguard/postgres |
:latest |
| Redis | cgr.dev/chainguard/redis |
:latest |
| Wolfi base | cgr.dev/chainguard/wolfi-base |
:latest |
:latest- Production runtime image (minimal, no shell or package manager):latest-dev- Development image (includes shell, apk, build tools)-fips- FIPS 140-2 compliant variants
When generating or migrating code, this plugin ensures:
- Multi-stage builds: Build with
:latest-dev, run with:latest - Non-root user: All containers run as UID 65532 (nonroot)
- Minimal layers: Commands are combined efficiently
- No secrets: Never includes secrets in images
- Proper permissions: Files are owned by nonroot user
- Security defaults: Following Chainguard and Docker best practices
FROM cgr.dev/chainguard/python:latest-dev AS builder
WORKDIR /app
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt --user
FROM cgr.dev/chainguard/python:latest
WORKDIR /app
COPY --from=builder /home/nonroot/.local /home/nonroot/.local
COPY --chown=nonroot:nonroot . .
ENV PATH=/home/nonroot/.local/bin:$PATH
CMD ["python", "app.py"]contents:
repositories:
- https://packages.wolfi.dev/os
keyring:
- https://packages.wolfi.dev/os/wolfi-signing.rsa.pub
packages:
- wolfi-base
- python-3.12
- py3.12-pip
entrypoint:
command: /usr/bin/python3
accounts:
groups:
- groupname: nonroot
gid: 65532
users:
- username: nonroot
uid: 65532
gid: 65532
run-as: 65532
work-dir: /appAll skills are automatically active when the plugin is installed.
- dockerfile-generator: Expert at creating secure Dockerfiles
- dockerfile-migrator: Migrates existing Dockerfiles to Chainguard
- apko-generator: Creates apko configurations for Wolfi images
- migrating-dockerfiles-to-chainguard: Step-by-step guidance for the full migration process — clarifying requirements, converting FROM statements, handling packages, users, entrypoints, and troubleshooting
- mapping-container-images-to-chainguard: Maps upstream container image references to their Chainguard equivalents, including tag rules, FIPS variants, and digest handling
- mapping-os-packages-to-chainguard: Maps OS package names across Alpine, Debian, and Fedora ecosystems to their Chainguard/Wolfi equivalents
- Chainguard Containers - Full image catalog
- apko Documentation
- Wolfi Documentation
- Dockerfile Best Practices