local-first
Runs inside your Claude Code session, against your filesystem, using your Anthropic API key. Nothing exfiltrated.
Make your Dockerfile small and secure — on your machine, in your editor, nothing uploaded.
Same skill. Different overlays. Same deliverable.
```dockerfile
# Node: bundle with esbuild, compile to one binary with bun, run it on alpine as uid 1000
FROM node:20.18-bookworm-slim AS bundle
WORKDIR /src
# pin pnpm (and esbuild, which the bundle step calls) to exact versions
RUN npm install -g [email protected]
COPY . .
RUN pnpm install --frozen-lockfile
RUN esbuild src/main.ts --bundle --platform=node --target=node20 \
    --format=cjs --keep-names --tree-shaking=false \
    --minify-whitespace --minify-syntax --outfile=/out/server.js

FROM oven/bun:1.3.10-alpine AS compile
WORKDIR /work
COPY --from=bundle /out/server.js ./
RUN bun build ./server.js --compile --minify \
    --target=bun-linux-arm64-musl --outfile=/work/app

FROM alpine:3.20
# the compiled binary needs only libstdc++/libgcc, CA certs and tzdata at runtime
RUN apk add --no-cache libstdc++ libgcc ca-certificates tzdata \
    && adduser -u 1000 -D app
COPY --from=compile --chown=1000:1000 /work/app /app/server
USER 1000:1000
ENTRYPOINT ["/app/server"]
```
```dockerfile
# Python: compile wheels in a toolchain stage, ship only the installed packages and the app
FROM python:3.12-alpine AS builder
RUN apk add --no-cache build-base linux-headers
WORKDIR /src
COPY requirements.txt ./
RUN pip install --target=/install -r requirements.txt
RUN find /install -type d -name __pycache__ -exec rm -rf {} + || true

FROM python:3.12-alpine
RUN adduser -u 1000 -D app
COPY --from=builder --chown=1000:1000 /install /app/site-packages
COPY --chown=1000:1000 . /app
ENV PYTHONPATH=/app/site-packages
USER 1000:1000
WORKDIR /app
CMD ["python", "-m", "uvicorn", "main:app", "--host", "0.0.0.0"]
```
```dockerfile
# Go: static build, ship the binary plus the CA bundle on scratch
FROM golang:1.22.5-bookworm AS builder
ENV CGO_ENABLED=0 GOOS=linux
WORKDIR /src
COPY go.mod go.sum ./
RUN go mod download
COPY . .
RUN go build -trimpath -ldflags="-s -w" -o /out/app ./cmd/server

FROM scratch
COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
COPY --from=builder /out/app /app
# a numeric uid needs no /etc/passwd, so it works on scratch
USER 1000:1000
ENTRYPOINT ["/app"]
```
```dockerfile
# Rust: static musl build, stripped, on scratch
FROM rust:1.83-bookworm AS builder
# apt-get update must run first: the base image ships without package lists
RUN apt-get update && apt-get install -y --no-install-recommends musl-tools \
    && rustup target add aarch64-unknown-linux-musl
COPY Cargo.toml Cargo.lock ./
COPY src ./src
RUN cargo build --release --target aarch64-unknown-linux-musl && \
    strip target/aarch64-unknown-linux-musl/release/app

FROM scratch
COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
COPY --from=builder /target/.../release/app /app
USER 1000:1000
ENTRYPOINT ["/app"]
```
```dockerfile
# Java: build with the Maven wrapper, explode the Spring Boot jar into layers, run on distroless
FROM eclipse-temurin:21-jdk-jammy AS builder
WORKDIR /build
# COPY flattens a directory's contents into the destination, so .mvn gets its own COPY
COPY mvnw pom.xml ./
COPY .mvn ./.mvn
RUN ./mvnw -B -q dependency:go-offline
COPY src ./src
RUN ./mvnw -B -q -DskipTests package
RUN java -Djarmode=layertools -jar target/*.jar extract --destination /unpacked

FROM gcr.io/distroless/java21-debian12
WORKDIR /app
COPY --from=builder /unpacked/ ./
USER 1000
ENTRYPOINT ["java","org.springframework.boot.loader.launch.JarLauncher"]
```
```dockerfile
# Ruby: compile native gems in a toolchain stage, ship app plus vendored bundle on alpine
FROM ruby:3.3.1-alpine AS builder
RUN apk add --no-cache build-base postgresql-dev yaml-dev
WORKDIR /app
# deployment mode installs gems into vendor/bundle under /app, so one COPY carries app and gems
ENV BUNDLE_DEPLOYMENT=1 BUNDLE_WITHOUT="development:test"
COPY Gemfile Gemfile.lock ./
RUN bundle config set --local force_ruby_platform false && \
    bundle install --jobs 4
COPY . .

FROM ruby:3.3.1-alpine
RUN apk add --no-cache postgresql-client yaml tzdata && \
    adduser -u 1000 -D app
# the runtime stage needs the same bundler settings to resolve gems from vendor/bundle
ENV BUNDLE_DEPLOYMENT=1 BUNDLE_WITHOUT="development:test"
WORKDIR /app
COPY --from=builder --chown=1000:1000 /app /app
USER 1000:1000
CMD ["bundle","exec","puma","-C","config/puma.rb"]
```
Node, Python, Go, Rust, Java, Ruby. Each with bundle audit, native-deps detection, package-manager handling, framework gotchas.
Tier 0 (musl static binary on scratch / alpine) → Tier 1 (bundled artifact on distroless) → Tier 2 (deps tree on distroless). The audit picks the starting tier; if that tier's build fails, the skill falls through to the next one.
Switching to a musl base drops the Debian glibc / libssl3 CVEs that upstream won't patch. Same result, different libc, fresher CVE feed.
Every build runs `docker run` with an optional Mongo/Postgres/Redis sidecar, HTTP probes, uid check, and a SIGTERM deadline. PASS or it doesn't ship.
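What such a gate looks like in code, as an added example (not glance-gate's own script): it starts the image on a private network with an optional sidecar reachable as `db`, retries an HTTP probe, reads the configured user (scratch images have no `id` binary, so `docker inspect` stands in for `id -u`), then issues `docker stop -t <deadline>` and requires a clean exit before the SIGKILL fallback. The `/healthz` path, the `db` alias, the 10 s deadline and the `docker` CLI on PATH are assumptions; the decision functions are pure so they can be checked without Docker.

```python
"""Post-build smoke gate: run the image, probe it, check the uid, enforce a
SIGTERM deadline. Added example, not glance-gate's own script. Assumes the
`docker` CLI is on PATH; the pass/fail logic below is pure."""
import subprocess
import time
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Check:
    name: str
    passed: bool
    detail: str = ""


def run(cmd: List[str], timeout: float = 60) -> subprocess.CompletedProcess:
    return subprocess.run(cmd, capture_output=True, text=True, timeout=timeout)


def uid_check(config_user: str) -> Check:
    """Evaluate `docker inspect -f '{{.Config.User}}'` output ("" means root).
    A numeric uid is required so the gate can verify it without /etc/passwd."""
    user = config_user.strip().split(":")[0]
    if user in ("", "root", "0"):
        return Check("uid", False, f"container runs as root (User={config_user.strip()!r})")
    if not user.isdigit():
        return Check("uid", False, f"user {user!r} is not numeric; use USER <uid> so it can be verified")
    return Check("uid", True, f"uid={user}")


def probe_check(url: str, attempts: int = 20, delay: float = 0.5) -> Check:
    """Retry GET until a 2xx/3xx answer arrives or attempts run out."""
    last = "no response"
    for _ in range(attempts):
        try:
            with urllib.request.urlopen(url, timeout=2) as resp:
                return Check("http", True, f"{url} -> {resp.status}")
        except urllib.error.HTTPError as e:           # 4xx/5xx: app is up but unhealthy
            last = f"status {e.code}"
        except (urllib.error.URLError, OSError) as e:  # refused, unreachable, timeout
            last = str(e)
        time.sleep(delay)
    return Check("http", False, f"{url}: {last}")


def sigterm_exit_check(exit_code: str, elapsed: float, deadline_s: int) -> Check:
    """`docker stop -t N` sends SIGTERM and SIGKILLs after N seconds. A server that
    handles SIGTERM exits 0 (or 143) before the deadline; one that ignores it is
    killed and reports 137 at roughly the deadline."""
    ok = exit_code in ("0", "143") and elapsed < deadline_s
    return Check("sigterm", ok, f"exit={exit_code} after {elapsed:.1f}s, deadline {deadline_s}s")


def sigterm_check(container: str, deadline_s: int) -> Check:
    t0 = time.monotonic()
    run(["docker", "stop", "-t", str(deadline_s), container], timeout=deadline_s + 30)
    elapsed = time.monotonic() - t0
    code = run(["docker", "inspect", "-f", "{{.State.ExitCode}}", container]).stdout
    return sigterm_exit_check(code.strip(), elapsed, deadline_s)


def verdict(checks: List[Check]) -> str:
    return "PASS" if checks and all(c.passed for c in checks) else "FAIL"


def smoke_test(image: str, port: int, path: str = "/healthz", deadline_s: int = 10,
               sidecar: Optional[str] = None) -> str:
    """Full gate. `sidecar` is an image such as a Postgres one; the app reaches it
    on the private network under the alias "db" (assumed convention)."""
    net = f"smoke-{int(time.time())}"
    run(["docker", "network", "create", net])
    started: List[str] = []
    checks: List[Check] = []
    try:
        if sidecar:
            run(["docker", "run", "-d", "--network", net, "--network-alias", "db",
                 "--name", f"{net}-db", sidecar])
            started.append(f"{net}-db")
        app = f"{net}-app"
        run(["docker", "run", "-d", "--network", net, "--name", app,
             "-p", f"127.0.0.1:{port}:{port}", image])
        started.append(app)
        checks = [
            probe_check(f"http://127.0.0.1:{port}{path}"),
            uid_check(run(["docker", "inspect", "-f", "{{.Config.User}}", app]).stdout),
            sigterm_check(app, deadline_s),  # last: this stops the container
        ]
    finally:
        for name in started:
            run(["docker", "rm", "-f", name])
        run(["docker", "network", "rm", net])
    for c in checks:
        print(f"[{'ok' if c.passed else 'FAIL'}] {c.name}: {c.detail}")
    return verdict(checks)


if __name__ == "__main__":
    import sys
    sys.exit(0 if smoke_test(sys.argv[1], int(sys.argv[2])) == "PASS" else 1)
```

Run it as `python smoke_gate.py myimage:tag 8080` after a build; a non-zero exit is the "doesn't ship" signal for CI. Reading `Config.User` rather than executing `id -u` is what lets the uid check work on scratch-based Tier 0 images.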
Trivy / Grype / Docker Scout for CVEs. Syft (or Trivy SPDX) for the SBOM. A tier-aware markdown report at the workdir root. Every run.
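The scan-and-report step, as an added example rather than glance-gate's own report script: it runs Trivy for CVEs and Syft for an SPDX SBOM, counts findings per severity, applies a ship/no-ship gate, and writes a tier-labelled markdown report at the workdir root. The Trivy JSON schema used (`Results[].Vulnerabilities[].Severity` / `FixedVersion`) is Trivy's documented output; the gate threshold (CRITICAL or HIGH blocks), the report filenames and the sample findings with `CVE-0000-*` ids are constructed for the example.

```python
"""CVE scan + SBOM + tier-aware markdown report. Added example, not glance-gate's
own script. `scan_image` assumes `trivy` and `syft` on PATH; `summarize`, `gate`
and `render_report` are pure and run against the constructed sample below."""
import json
import subprocess
from collections import Counter
from typing import Dict

SEVERITIES = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN"]


def summarize(trivy_report: dict, ignore_unfixed: bool = False) -> Dict[str, int]:
    """Count findings per severity across every Results target. Trivy omits the
    Vulnerabilities key for clean targets and leaves FixedVersion empty when no
    fixed package exists yet."""
    counts: Counter = Counter()
    for result in trivy_report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            if ignore_unfixed and not v.get("FixedVersion"):
                continue
            counts[v.get("Severity", "UNKNOWN")] += 1
    return {s: counts.get(s, 0) for s in SEVERITIES}


def gate(summary: Dict[str, int], fail_on=("CRITICAL", "HIGH")) -> bool:
    """True when the image may ship (assumed policy: no CRITICAL or HIGH findings)."""
    return all(summary.get(s, 0) == 0 for s in fail_on)


def render_report(image: str, tier: int, summary: Dict[str, int],
                  sbom_path: str, shipped: bool) -> str:
    tier_names = {0: "musl static binary on scratch/alpine",
                  1: "bundled artifact on distroless",
                  2: "dependency tree on distroless"}
    lines = [f"# Image report: {image}", "",
             f"- Tier {tier}: {tier_names.get(tier, 'unknown')}",
             f"- SBOM: `{sbom_path}`",
             f"- Verdict: **{'PASS' if shipped else 'FAIL'}**", "",
             "| Severity | Count |", "|---|---|"]
    lines += [f"| {s} | {summary.get(s, 0)} |" for s in SEVERITIES]
    return "\n".join(lines) + "\n"


def scan_image(image: str, tier: int, workdir: str = ".", ignore_unfixed: bool = True) -> bool:
    """Run the real tools; write <workdir>/image-report.md and <workdir>/sbom.spdx.json."""
    raw = subprocess.run(["trivy", "image", "--quiet", "--format", "json", image],
                         capture_output=True, text=True, check=True).stdout
    sbom = f"{workdir}/sbom.spdx.json"
    subprocess.run(["syft", image, "-o", f"spdx-json={sbom}"], check=True)
    summary = summarize(json.loads(raw), ignore_unfixed=ignore_unfixed)
    shipped = gate(summary)
    with open(f"{workdir}/image-report.md", "w") as fh:
        fh.write(render_report(image, tier, summary, sbom, shipped))
    return shipped


# Constructed Trivy-style output with placeholder ids (not real scan data).
SAMPLE_TRIVY = {"Results": [
    {"Target": "example:latest (alpine 3.20)", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "Severity": "CRITICAL", "FixedVersion": "1.2.3"},
        {"VulnerabilityID": "CVE-0000-0002", "Severity": "HIGH", "FixedVersion": "4.5.6"},
        {"VulnerabilityID": "CVE-0000-0003", "Severity": "HIGH", "FixedVersion": ""},
        {"VulnerabilityID": "CVE-0000-0004", "Severity": "MEDIUM", "FixedVersion": "7.8.9"}]},
    {"Target": "/app/server"}]}


if __name__ == "__main__":
    s = summarize(SAMPLE_TRIVY, ignore_unfixed=True)
    print(render_report("example:latest", 0, s, "sbom.spdx.json", gate(s)))
```

`ignore_unfixed=True` mirrors Trivy's `--ignore-unfixed`: a finding with no available fix cannot be resolved by rebuilding, so it is reported but does not block; flip it to `False` when the policy is to block on everything.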
| | glance-gate | Docker Scout | Snyk Container | Chainguard |
|---|---|---|---|---|
| Rewrites the Dockerfile | ✓ | ✗ | ✗ | ✗ |
| Local, nothing uploaded | ✓ | partial | ✗ | ✗ |
| Open source | Apache 2.0 | partial | ✗ | partial |
| CVE scan | ✓ | ✓ | ✓ | ✓ |
| SBOM | ✓ | ✓ | ✓ | ✓ |
| Cost to start | $0 + your key | freemium | paid | paid |
docker, trivy, syft do their own network — same as if you ran them by hand.
scripts/glance-api.sh adds opt-in network: only recall / record / articles endpoints, every payload AES-256-CBC encrypted with a per-device key.
It's three commands. The whole skill is <100 KB.
```shell
git clone https://github.com/amineorion/glance-gate-skill.git ~/.claude/skills/glance-gate
# restart Claude Code, then type /skills to verify
```
Required local tools:
```shell
# macOS
brew install aquasecurity/trivy/trivy syft
```
Then in any project:
```
/glance-gate optimize this Dockerfile
```