Notre avis
Ce skill fournit des règles et bonnes pratiques pour créer des Dockerfiles sécurisés, optimisés et maintenables.
Points forts
- Met l'accent sur la sécurité (non-root, pas de secrets, vulnérabilités)
- Inclut des optimisations de construction comme les multi-stage builds
- Fournit des directives claires sur les instructions Docker essentielles
- Exemple concret de bon Dockerfile
Limites
- Ne couvre pas l'orchestration (Kubernetes, Docker Compose)
- Peut ne pas s'appliquer à tous les contextes (applications legacy)
- Certaines règles sont génériques et peuvent nécessiter adaptation
Quand l'utiliser
Utilisez ce skill lors de la création ou revue de Dockerfiles pour des applications en production.
Quand l'éviter
Évitez de l'utiliser si vous débutez avec Docker sans comprendre les concepts de base.
Analyse de sécurité
SûrScore qualité88/100
The skill provides Docker best practices and security hardening advice. It does not contain any instructions to execute destructive commands or exfiltrate data. All recommendations are defensive and promote safe configurations.
Aucun point d'attention détecté
Exemples
Review Dockerfile for security and best practices
Review the following Dockerfile for security issues, image size optimization, and best practices. Suggest improvements:
FROM node:latest
RUN apt-get update && apt-get install -y curl
EXPOSE 3000
CMD ["node", "app.js"]Generate an optimized multi-stage Dockerfile
Generate a multi-stage Dockerfile for a Node.js application that uses npm. The final image should be minimal, run as non-root, include health check, and define proper labels. Use alpine as base.Explain Dockerfile instructions
Explain the difference between ENTRYPOINT and CMD in Dockerfiles and provide an example of how to use them together correctly.name: docker description: Dockerfile best practices, security hardening, multi-stage builds, and image optimization
Docker Code Review Rules
Security (Critical)
- Run as non-root user (
USERdirective) - Don't store secrets in image (use runtime injection)
- Don't use
--privilegedwithout justification - Scan images for vulnerabilities
- Set
readonlyroot filesystem where possible - Review any use of build-time variables (e.g.,
ARG,ENV,LABELvalues) that can be influenced by external inputs (such as--build-argvalues or CI/CD environment variables sourced from untrusted users) to ensure they are not used in a way that enables build-time injection - Never use HTML comments (
<!-- -->) in Dockerfiles
Base Images
- Pin base image to specific version (not
latest) - Use official images from trusted sources
- Prefer minimal images (
alpine,slim,distroless) - Regularly update base images for security patches
Build Optimization
- Use multi-stage builds to reduce final image size
- Order instructions by change frequency (cache optimization)
- Combine
RUNcommands to reduce layers - Use
.dockerignoreto exclude unnecessary files, sensitive data, and build artifacts likenode_modules
Instructions (Essential)
- Use
COPYinstead ofADD(unless extracting archives) - Set
WORKDIRbeforeCOPY/RUN - Use explicit
EXPOSEfor documentation - Set meaningful
LABELmetadata
Additional Instructions
- Explicitly set
SHELLif bash/sh features are needed - Set environment variables with
ENVfor configuration (not secrets) - Clean up package manager caches after install (e.g.,
apt-get clean) - Understand
ENTRYPOINTvsCMD: useENTRYPOINTfor main command,CMDfor default args - Document container usage with OCI labels (
org.opencontainers.image.*)
Health Checks
- Include
HEALTHCHECKinstruction - Health check should verify app is actually working
- Set appropriate interval and timeout
Example Good Dockerfile Pattern
# Build stage
FROM node:20-alpine AS builder
WORKDIR /app
COPY package*.json ./
RUN npm ci --only=production
# Runtime stage
FROM node:20-alpine
# Add OCI labels for documentation
LABEL org.opencontainers.image.title="My App"
LABEL org.opencontainers.image.description="Production web application"
LABEL org.opencontainers.image.version="1.0.0"
RUN addgroup -S appgroup && adduser -S appuser -G appgroup
WORKDIR /app
# Copy dependencies and app files
COPY --from=builder /app/node_modules ./node_modules
COPY . .
# Set environment variables (not secrets)
ENV NODE_ENV=production
USER appuser
EXPOSE 3000
HEALTHCHECK CMD wget -q --spider http://localhost:3000/health || exit 1
# Use ENTRYPOINT for main command, CMD for default args
ENTRYPOINT ["node"]
CMD ["server.js"]
Skills similaires
Architecte Docker Compose
DevOps
Concoit des configurations Docker Compose optimisees.
Claude CodeCopilotadvanced
430
156
1,480
Rapport de Post-Mortem
DevOps
Rédige des rapports post-mortem d'incidents structurés et blameless.
claudeCursorWindsurfintermediate
141
43
483
Créateur de Runbooks
DevOps
Crée des runbooks opérationnels clairs pour les procédures DevOps courantes.
claudeCursorWindsurfintermediate
108
32
405