- Home
- Skills
- Ancoleman
- Ai Design Components
- Writing Dockerfiles
writing-dockerfiles_skill
- Python
291
GitHub Stars
2
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill ancoleman/ai-design-components --skill writing-dockerfiles- outputs.yaml6.2 KB
- SKILL.md12.6 KB
Overview
This skill generates production-grade Dockerfiles with multi-stage builds, language-specific optimizations (Python, Node.js, Go, Rust), BuildKit features, and distroless runtimes. It focuses on reducing image size, preventing secret leakage, and applying security hardening. Use it to create new Dockerfiles or optimize existing ones for CI/CD and runtime safety.
How this skill works
I inspect the target application language, build workflow, and priorities (security vs size vs build speed) to choose base images, caching, and multi-stage patterns. I output Dockerfile templates that include BuildKit cache mounts, secret mounts, non-root user setup, healthchecks, and .dockerignore guidance. For static languages I recommend static linking and distroless/scratch runtimes; for interpreted languages I produce production dependency stages and slim runtime images.
When to use it
- You need a Dockerfile for a Python, Node.js, Go, or Rust service.
- You want to shrink image size using multi-stage builds and distroless images.
- You must prevent secrets from ending up in image layers.
- You want BuildKit caching and secret/ssh mount patterns in the build.
- You need to harden containers to run non-root and add vulnerability scanning.
Best practices
- Use multi-stage builds: separate build tools from runtime to cut size and attack surface.
- Enable BuildKit and use --mount=type=cache and --mount=type=secret for caches and secrets.
- Pick distroless or minimal runtime images for security-critical builds; use scratch for static Rust/Go binaries.
- Order Dockerfile instructions from least- to most-frequently changing to maximize cache hits.
- Avoid embedding secrets or using :latest tags; pin explicit image versions and maintain .dockerignore.
Example use cases
- Create a distroless Dockerfile for a Go microservice with CGO disabled and -ldflags to strip symbols.
- Produce a Poetry-based multi-stage Python Dockerfile with BuildKit pip cache mounts and a non-root runtime user.
- Convert a Node.js monorepo build into a multi-stage image that runs npm ci in a build stage and prunes dev deps.
- Build an ultra-small Rust container using musl static linking and scratch as the final image.
- Optimize an existing Dockerfile to reduce layers, add healthchecks, and integrate Trivy scans in CI.
FAQ
Yes. It recommends BuildKit secret mounts and shows patterns to avoid embedding tokens in RUN lines, plus .dockerignore to exclude sensitive files.
Which image should I use for smallest runtime?
For smallest images use static binaries with distroless or scratch (Go/Rust). For interpreted languages prefer distroless where available or slim variants when distroless is impractical.