docker_skill (Python)
0 GitHub stars, 1 bundled file, catalog refreshed 3 weeks ago, first indexed 2 months ago
Readme & install
Installation
npx veilstart add skill yldgio/codereview-skills --skill docker-
Bundled file: SKILL.md (2.8 KB)
Overview
This skill provides actionable Dockerfile best practices focused on security hardening, multi-stage builds, and image optimization. It guides reviewers and authors to produce smaller, safer, and more maintainable container images. The guidance balances security controls, build performance, and runtime reliability.
How this skill works
The skill inspects Dockerfile patterns and recommends concrete changes: pinning base images, enforcing non-root execution, using multi-stage builds so the runtime image carries no build tooling, combining RUN steps to cut layer count, and keeping secrets out of image layers. It highlights risky constructs (privileged mode, build-arg injection vectors, ADD misuse) and suggests fixes such as a .dockerignore, cache-friendly instruction ordering, and health checks. The output is practical advice you can apply directly in CI/CD pipelines or code reviews.
When to use it
- When creating or reviewing Dockerfiles for production services
- Before merging changes that modify base images, build args, or RUN chains
- When reducing image size or improving CI build cache performance
- When hardening container runtime security for compliance or ops
- When adding or validating container health checks and metadata
Best practices
- Pin base images to explicit versions (a specific tag, or better an @sha256 digest so the image cannot change under you) and use trusted official or minimal images (alpine/slim/distroless)
- Run processes as a non-root user (USER directive) and avoid --privileged at runtime unless justified
- Use multi-stage builds to keep final images minimal, and use COPY instead of ADD unless you need ADD's archive extraction
- Keep secrets out of images: inject them at runtime, pass build-time credentials through BuildKit secret mounts (RUN --mount=type=secret) rather than ARG or ENV, and do not source untrusted build-time variables; ARG values are visible in docker history
- Order Dockerfile instructions by change frequency (rarely changed steps first), combine RUN steps to reduce layers, and use .dockerignore
- Include a HEALTHCHECK that verifies real application functionality, add OCI labels, and clean package caches in the same RUN step that populates them
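To make the checks concrete, here is a small Dockerfile pattern checker that flags the constructs listed above (unpinned or :latest base images, secret-like ENV/ARG values, ADD used where COPY belongs or for remote URLs, a final stage without USER or HEALTHCHECK, and apt caches left in the runtime image), run against a constructed "before" Dockerfile and a constructed hardened multi-stage version. This is an added example written for this page; it is not the skill's own implementation, and the sample Dockerfiles, file names, the /healthz endpoint on port 8000 and the pip_token secret id are assumptions.

```python
"""Dockerfile pattern checker for the risky constructs listed above.
Added example for this page; not the skill's own implementation."""
import re
from typing import List, Tuple

Instr = Tuple[str, str]
SECRET_NAME = re.compile(r"SECRET|PASSW(OR)?D|TOKEN|API_?KEY|PRIVATE_?KEY", re.I)
ARCHIVE = re.compile(r"\.(tar|tgz|tar\.gz|tar\.bz2|tar\.xz|txz|tbz2)$", re.I)


def parse(dockerfile: str) -> List[Instr]:
    """(INSTRUCTION, args) pairs; joins backslash continuations, skips comments."""
    out: List[Instr] = []
    buf = ""
    for raw in dockerfile.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        parts = (buf + line).split(None, 1)
        buf = ""
        out.append((parts[0].upper(), parts[1] if len(parts) > 1 else ""))
    return out


def _kv(args: str) -> List[Tuple[str, str]]:
    """ENV/ARG arguments: 'K=v K2=v2', legacy 'K v', or bare 'K'."""
    toks = args.split()
    if any("=" in t for t in toks):
        pairs = [t.split("=", 1) for t in toks if "=" in t]
        return [(k, v) for k, v in pairs]
    return [(toks[0], " ".join(toks[1:]))] if toks else []


def check(dockerfile: str) -> List[str]:
    findings: List[str] = []
    aliases: List[str] = []              # stage names defined so far (FROM ... AS name)
    stages: List[List[Instr]] = []       # instructions grouped per FROM
    for ins, args in parse(dockerfile):
        toks = [t for t in args.split() if not t.startswith("--")]  # drop --platform, --chown ...
        if ins == "FROM":
            stages.append([])
            image = toks[0]
            ref = image.split("/")[-1]   # strip registry/namespace before inspecting the tag
            unpinned = ":" not in ref or ref.endswith(":latest")
            if image != "scratch" and image not in aliases and "@sha256:" not in image and unpinned:
                findings.append(f"unpinned base image: {image} (use an explicit tag, ideally an @sha256 digest)")
            if len(toks) >= 3 and toks[1].lower() == "as":
                aliases.append(toks[2])
        elif ins in ("ENV", "ARG"):
            for name, value in _kv(args):
                if not SECRET_NAME.search(name):
                    continue
                if ins == "ARG":   # build args are visible via docker history
                    findings.append(f"secret-like build arg {name}; use a BuildKit secret mount instead")
                elif value:
                    findings.append(f"secret baked into image via ENV {name}")
        elif ins == "ADD":
            for src in toks[:-1]:
                if src.startswith(("http://", "https://")):
                    findings.append(f"ADD fetches remote URL {src}; fetch and verify it in a RUN step instead")
                elif not ARCHIVE.search(src):
                    findings.append(f"ADD used for a plain copy of {src}; use COPY")
        if stages:
            stages[-1].append((ins, args))

    final = stages[-1] if stages else []  # runtime checks apply to the last stage only
    users = [a.split(":")[0] for i, a in final if i == "USER"]
    if not users or users[-1] in ("root", "0"):
        findings.append("final stage runs as root; add a non-root USER")
    if not any(i == "HEALTHCHECK" for i, _ in final):
        findings.append("final stage has no HEALTHCHECK")
    for i, a in final:
        if i == "RUN" and "apt-get install" in a and "/var/lib/apt/lists" not in a:
            findings.append("apt cache left in final image; rm -rf /var/lib/apt/lists/* in the same RUN")
    return findings


# Constructed "before" Dockerfile exhibiting each flagged pattern (not a real project).
BAD_DOCKERFILE = r"""
FROM python:latest
ENV API_KEY=example-not-a-real-key
ADD app.py /app/app.py
ADD https://example.invalid/tool.tar.gz /opt/
RUN apt-get update && apt-get install -y build-essential
CMD ["python", "/app/app.py"]
"""

# Constructed hardened multi-stage version (file names, port 8000 and secret id are assumed).
HARDENED_DOCKERFILE = r"""
# syntax=docker/dockerfile:1
FROM python:3.12-slim AS builder
WORKDIR /src
COPY requirements.txt .
# Build-time credential via a BuildKit secret mount: never stored in a layer
RUN --mount=type=secret,id=pip_token \
    pip install --no-cache-dir --prefix=/install -r requirements.txt
COPY app.py .

FROM python:3.12-slim
LABEL org.opencontainers.image.source="https://github.com/yldgio/codereview-skills"
RUN apt-get update && apt-get install -y --no-install-recommends ca-certificates \
    && rm -rf /var/lib/apt/lists/*
COPY --from=builder /install /usr/local
COPY --from=builder /src/app.py /app/app.py
RUN useradd --system --uid 10001 --no-create-home app
USER app
HEALTHCHECK --interval=30s --timeout=3s \
    CMD ["python", "-c", "import urllib.request; urllib.request.urlopen('http://127.0.0.1:8000/healthz')"]
CMD ["python", "/app/app.py"]
"""

if __name__ == "__main__":
    for name, text in (("before", BAD_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        print(f"{name}: {len(check(text))} finding(s)")
        for finding in check(text):
            print("  -", finding)
```

The checker scopes USER, HEALTHCHECK and apt-cache checks to the last FROM stage, since builder stages never ship, while base-image pinning and secret checks run over every stage. The hardened sample passes clean; in a real pipeline you would still pin the two python:3.12-slim references to a digest, which the checker accepts but does not require.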
Example use cases
- Converting a development Dockerfile into a production-ready multi-stage build
- Auditing CI pipelines for build-arg injection risks and secret leakage
- Reducing image size and startup time by removing build tools and caches from the runtime image
- Hardening container deployments by enforcing non-root users and read-only root filesystems
- Adding robust health checks and OCI metadata for observability and supply-chain documentation
FAQ
When should I use ADD instead of COPY?
Only when you need its archive extraction or remote URL fetch behavior; prefer COPY for predictable file copying. Note that ADD from a URL cannot authenticate and, unless you pass a checksum, does not verify what it downloaded, so fetching with curl or wget in a RUN step and checking the hash is usually the safer choice.
How do I manage secrets if not in the image?
Inject secrets at runtime: prefer file-based secret mounts from your orchestrator or a secrets manager over environment variables, since environment variables show up in docker inspect, process listings, and crash dumps. Never bake secrets into ENV, ARG, or source files; for credentials needed only during the build, use a BuildKit secret mount (RUN --mount=type=secret), which keeps them out of every layer.