curiositech/docker-multi-stage-optimizer
skills/docker-multi-stage-optimizer/SKILL.md
Multi-stage Docker build optimizer for minimal, secure production images. Activate on: Dockerfile optimization, multi-stage build, distroless image, container size reduction, Docker security scanning, BuildKit features. NOT for: container orchestration (use kubernetes-manifest-generator), CI/CD pipelines (use github-actions-pipeline-builder), runtime container config (use environment-config-manager).
development
Updated Apr 4, 2026
$ install --global
skillsauthnpx skillsauth add curiositech/windags-skills docker-multi-stage-optimizerInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 4, 2026, 2:13 PM22.6s1 file scanned
SKILL.md
- license:
- Apache-2.0
- name:
- docker-multi-stage-optimizer
- description:
- Multi-stage Docker build optimizer for minimal, secure production images. Activate on: Dockerfile optimization, multi-stage build, distroless image, container size reduction, Docker security scanning, BuildKit features. NOT for: container orchestration (use kubernetes-manifest-generator), CI/CD pipelines (use github-actions-pipeline-builder), runtime container config (use environment-config-manager).
- allowed-tools:
- Read,Write,Edit,Bash(docker:*,kubectl:*,terraform:*,npm:*,npx:*)
- category:
- DevOps & Infrastructure
- - skill:
- ci-cache-optimizer
- reason:
- Docker layer caching is a key CI speed lever
Docker Multi-Stage Optimizer
Expert in crafting minimal, secure Docker images using multi-stage builds, distroless bases, and BuildKit optimizations.
Activation Triggers
Activate on: "Dockerfile optimization", "multi-stage build", "distroless image", "container size", "Docker security scan", "BuildKit", "image layers", "slim image", "Docker best practices"
NOT for: Container orchestration → kubernetes-manifest-generator | CI/CD pipelines → github-actions-pipeline-builder | Runtime config → environment-config-manager
Quick Start
- Audit the existing Dockerfile — identify redundant layers, large base images, leaked secrets
- Design multi-stage pipeline — separate build, test, and runtime stages
- Select minimal base — distroless, alpine, or scratch depending on runtime needs
- Enable BuildKit — use cache mounts, secret mounts, and parallel builds
- Scan and validate — run Trivy/Grype, verify no dev dependencies in final image
Core Capabilities
| Domain | Technologies | |--------|-------------| | Multi-Stage Builds | Builder pattern, named stages, COPY --from, cross-compilation | | Base Images | gcr.io/distroless, alpine 3.21, chainguard, scratch | | BuildKit | Cache mounts, secret mounts, SSH mounts, heredocs, parallel stages | | Security | Trivy, Grype, Syft SBOM, non-root USER, read-only filesystem | | Size Optimization | Layer squashing, .dockerignore, multi-arch builds, UPX compression |
Architecture Patterns
Multi-Stage Build Pipeline
# Stage 1: Dependencies (cached aggressively)
FROM node:22-alpine AS deps
WORKDIR /app
COPY package.json pnpm-lock.yaml ./
RUN --mount=type=cache,target=/root/.local/share/pnpm/store \
pnpm install --frozen-lockfile
# Stage 2: Build
FROM deps AS build
COPY . .
RUN pnpm build
# Stage 3: Production (minimal)
FROM gcr.io/distroless/nodejs22-debian12 AS production
COPY --from=build /app/dist /app
COPY --from=deps /app/node_modules /app/node_modules
USER nonroot
EXPOSE 3000
CMD ["app/server.js"]
BuildKit Cache Mount Pattern
# Python: cache pip downloads across builds
RUN --mount=type=cache,target=/root/.cache/pip \
pip install -r requirements.txt
# Go: cache module downloads and build cache
RUN --mount=type=cache,target=/go/pkg/mod \
--mount=type=cache,target=/root/.cache/go-build \
go build -o /app ./cmd/server
Security-First Layer Ordering
Least-changing layers first (maximize cache):
1. Base image selection
2. System packages (apt-get)
3. Dependency lockfiles (package-lock, go.sum)
4. Dependency install
5. Source code COPY
6. Build command
7. Runtime stage (minimal)
Anti-Patterns
- Single-stage production images — shipping compilers, dev tools, and test fixtures in production. Always use multi-stage to separate build from runtime.
- Using
latesttag for base images — non-reproducible builds. Pin to digest or specific version (node:22.14-alpine3.21). - Running as root — containers default to root. Always add
USER nonrootorUSER 1000:1000in the final stage. - COPY . . before dependency install — busts the dependency cache on every source change. Copy lockfiles first, install, then copy source.
- Secrets in build args —
ARG/ENVvalues persist in image layers. Use--mount=type=secretwith BuildKit instead.
Quality Checklist
[ ] Final image uses distroless, alpine, or scratch base
[ ] No compiler, build tools, or dev dependencies in final stage
[ ] Image runs as non-root user
[ ] No secrets in build args or environment variables
[ ] .dockerignore excludes .git, node_modules, .env files
[ ] Base image pinned to specific version (not :latest)
[ ] Trivy scan passes with zero critical/high CVEs
[ ] BuildKit cache mounts used for package managers
[ ] HEALTHCHECK instruction defined
[ ] Image size under target (Node: <150MB, Go: <30MB, Python: <200MB)
[ ] Multi-arch build tested (amd64 + arm64)
[ ] SBOM generated with Syft
Related Skills
curiositech/circuit-breakers-and-retries
tools
VerifiedTrustedCommunity
Building resilient distributed systems with circuit breakers, retries with full-jitter exponential backoff, retry budgets (per-request 3-attempt + per-client 10% ratio per Google SRE), deadline propagation, and the cascading-failure math (4 layers × 3 retries = 64x amplification). Grounded in Resilience4j, Microsoft Cloud Patterns, AWS Architecture Blog (Marc Brooker), and Google SRE Book.
4SKILL.mdUpdated May 6, 2026
curiositech/cdn-cache-control-headers
testing
VerifiedTrustedCommunity
Designing HTTP cache headers that work correctly across browsers, CDNs, and shared proxies — `Cache-Control` directives per RFC 9111, `stale-while-revalidate` and `stale-if-error` per RFC 5861, the Vary header for varying responses, and surrogate keys for tag-based purging. Grounded in IETF RFCs and Cloudflare/Fastly docs.
4SKILL.mdUpdated May 5, 2026
curiositech/content-security-policy-headers
development
VerifiedTrustedCommunity
Use when designing or fixing a Content Security Policy on a real site, choosing between nonce-based and hash-based CSP, adding strict-dynamic, debugging "Refused to execute inline script" errors, deploying CSP in report-only mode first, configuring report-to / report-uri, or auditing an existing policy for unsafe-inline / unsafe-eval / wildcards. Triggers: "CSP blocks legitimate inline script", strict-dynamic, nonce-{RANDOM}, sha256-{HASH}, object-src none, base-uri none, frame-ancestors, Trusted Types, X-Content-Security-Policy obsolete, report-only vs enforced. NOT for general HTTP security headers (HSTS, COOP/COEP), Trusted Types deep dive, CORS configuration, or building a WAF.
3SKILL.mdUpdated May 4, 2026
curiositech/api-versioning-strategy
tools
VerifiedTrustedCommunity
Choosing and operating an HTTP API versioning strategy that doesn't break clients — Stripe's date-based pinned versions, the Deprecation/Sunset header pair (RFC 9745 + RFC 8594), URI vs header vs media-type approaches, and the version-transformer pattern. Grounded in Stripe's published architecture and IETF RFCs.
3SKILL.mdUpdated May 4, 2026