dtsong/dockerfile-generation
skills/dockerfile-generation/SKILL.md
Use when creating Dockerfiles, optimizing container images, or reviewing Docker configurations. Produces multi-stage, security-hardened builds with proper layer caching. Triggers on 'create Dockerfile', 'dockerize', 'optimize container'.
$ install --global
skillsauthnpx skillsauth add dtsong/my-claude-setup dockerfile-generationInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 26, 2026, 4:38 AM150.2s5 files scanned
SKILL.md
- name:
- dockerfile-generation
- description:
- Use when creating Dockerfiles, optimizing container images, or reviewing Docker configurations. Produces multi-stage, security-hardened builds with proper layer caching. Triggers on 'create Dockerfile', 'dockerize', 'optimize container'.
Dockerfile Generation Skill
Generate production-ready Dockerfiles through iterative verification.
Scope Constraints
- Read access to codebase for analysis; write access limited to Dockerfile and .dockerignore
- Executes
docker buildanddocker runfor verification only — no deployment or registry push - Does not modify application source code or dependency files
- Does not configure CI/CD pipelines — delegates to cicd-generation skill
Input Sanitization
- Base image names: alphanumeric, hyphens, dots, slashes, colons only — reject shell metacharacters and null bytes
- Port numbers: integers 1-65535 only
- File paths in COPY directives: reject
..traversal and null bytes
Core Principles
- Verification-first: Examine codebase BEFORE adding ANY instruction
- Multi-arch: Support amd64/arm64, no hardcoded paths
- No HEALTHCHECK: Cannot verify health endpoints from code alone
- Multi-stage builds: Builder stage → minimal runtime stage
- Security: Non-root user (UID 10001+), pinned versions, no
:latest - Layer optimization: Dependencies first, source second
Process
Step 1: Analyze Codebase
Before writing ANY Dockerfile instruction, verify:
[ ] Language/runtime detected (package.json, requirements.txt, go.mod, etc.)
[ ] Entry point identified (main file, start script)
[ ] Build command identified (if compilation needed)
[ ] Dependencies file location confirmed
[ ] Required environment variables documented
[ ] Exposed ports identified from code (NOT assumed)
Step 2: Generate Dockerfile
Structure:
# syntax=docker/dockerfile:1
# Build stage
FROM <base>:<pinned-version> AS builder
WORKDIR /app
# Install deps first (cache layer)
COPY <deps-file> .
RUN <install-deps>
# Copy source
COPY . .
RUN <build-command>
# Runtime stage
FROM <minimal-base>:<pinned-version>
WORKDIR /app
# Security: non-root user
RUN addgroup --gid 10001 appgroup && \
adduser --uid 10001 --ingroup appgroup --disabled-password appuser
USER appuser
# Copy artifacts from builder
COPY --from=builder --chown=appuser:appgroup /app/<artifact> .
EXPOSE <verified-port>
CMD ["<verified-entrypoint>"]
Language-specific bases:
| Language | Builder | Runtime |
|----------|---------|---------|
| Node.js | node:<version>-alpine | node:<version>-alpine |
| Python | python:<version>-slim | python:<version>-slim |
| Go | golang:<version>-alpine | gcr.io/distroless/static |
| Java | eclipse-temurin:<version> | eclipse-temurin:<version>-jre-alpine |
| Rust | rust:<version>-alpine | gcr.io/distroless/cc |
Step 3: Validation Loop (Max 5 iterations)
# Build
docker build -t test-image:local .
# Run and capture logs
docker run --rm test-image:local 2>&1 | head -50
# If error: analyze → fix → rebuild
# If success: verify functionality
Stop conditions:
- Container starts and responds correctly
- 5 iterations reached (escalate to user)
Gotchas
COPY . .beforeCOPY package*.json && npm installbusts the dependency cache on every source change — always copy deps files first- Alpine-based images use
muslnotglibc— native Node.js addons (bcrypt, sharp) may fail with cryptic errors. Use-slimfor compatibility RUN apt-get update && apt-get installwithoutrm -rf /var/lib/apt/lists/*bloats the image by 30-100MB- Multi-stage builds discard everything not explicitly
COPY --from=builder— forgetting to copy a config file causes silent runtime failures EXPOSEis documentation only — it does NOT publish the port. You still need-pat runtime- Running as root (default) means container compromise = full host access — always add a non-root user with UID 10001+
Anti-patterns to Avoid
FROM <image>:latest- Always pin versionsRUN apt-get update && apt-get installwithout cleanupCOPY . .before dependency installation- Running as root
- Hardcoded secrets or credentials
- Assuming ports without code verification
- Adding HEALTHCHECK without verified endpoint
Output Format
When generating a Dockerfile, output:
- Analysis summary: What was detected in codebase
- Dockerfile: The generated file
- Build command: Exact command to build
- Run command: Exact command to test
- Notes: Any assumptions or manual verification needed
Related Skills
dtsong/workflow
development
VerifiedTrustedCommunity
Use when planning implementation steps, deciding commit format, or structuring development approach. Provides brainstorm-plan-implement flow with conventional commits. Triggers on 'how should I approach this', 'commit format'.
4SKILL.mdUpdated Apr 28, 2026
dtsong/web-security-hardening
development
VerifiedTrustedCommunity
Security audit checklist for web applications. Use when reviewing, auditing, or hardening a web app's security posture. Covers rate limiting, auth headers, IP blocking, CORS, security middleware, input validation, file upload limits, ORM usage, and password hashing. Triggers on requests like "review security", "harden this app", "security audit", "check for vulnerabilities", or when building/reviewing API endpoints.
4SKILL.mdUpdated Apr 28, 2026
dtsong/web-design-guidelines
development
VerifiedTrustedCommunity
Review UI code for Web Interface Guidelines compliance. Use when asked to "review my UI", "check accessibility", "audit design", "review UX", or "check my site against best practices".
4SKILL.mdUpdated Apr 28, 2026
dtsong/vercel-react-best-practices
development
VerifiedTrustedCommunity
React and Next.js performance optimization guidelines from Vercel Engineering. This skill should be used when writing, reviewing, or refactoring React/Next.js code to ensure optimal performance patterns. Triggers on tasks involving React components, Next.js pages, data fetching, bundle optimization, or performance improvements.
4SKILL.mdUpdated Apr 28, 2026