render-oss/render-docker
skills/render-docker/SKILL.md
Builds and deploys Docker containers on Render—Dockerfiles, multi-stage builds, Blueprint Docker fields, private registries, layer caching, and platform constraints. Use when the user mentions Docker, Dockerfile, container images, multi-stage builds, container registry, GHCR, ECR, BuildKit, dockerContext, runtime docker or image, or optimizing Docker builds on Render.
$ install --global
skillsauthnpx skillsauth add render-oss/skills render-dockerInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 1, 2026, 6:56 AM144.2s5 files scanned
SKILL.md
- name:
- render-docker
- description:
- >-
- license:
- MIT
- compatibility:
- >-
- Any Render compute service (web, private, worker, cron) with runtime:
- docker
- or runtime:
- image.
- author:
- Render
- version:
- 1.0.0
- category:
- deployment
Render Docker Deployments
Render uses BuildKit for Docker builds. All compute service types that support custom runtimes can use runtime: docker (build from a Dockerfile in the repo) or runtime: image (pull a prebuilt image; no Dockerfile build on Render). Deeper patterns and copy-paste templates live under references/.
When to Use
- Authoring or debugging a Dockerfile for a Render service
- Choosing
runtime: dockervsruntime: imagein a Blueprint - Wiring private base images or prebuilt images with registry credentials
- Multi-stage builds, build args, secrets, and layer caching
- Performance and security hardening of container images on Render
For full Blueprint authoring, see render-blueprints. For end-to-end deploy flows, see render-deploy.
Render Docker Builds
- BuildKit is used for Docker builds on Render.
runtime: docker: Render builds an image from your repo usingdockerfilePath,dockerContext, and optionaldockerCommand(overrides imageCMD).runtime: image: Render pullsimage.url; no repo-based image build. Pair withregistryCredentialwhen the registry is private.
Blueprint Configuration
| Field | Role |
|-------|------|
| dockerfilePath | Path to the Dockerfile (default ./Dockerfile) |
| dockerContext | Build context directory (what is sent to the daemon) |
| dockerCommand | Overrides the container CMD after the image is built |
| image.url | Image reference for runtime: image (registry/repo:tag or digest) |
| registryCredential | Auth for private pulls; often fromRegistryCreds → Dashboard-stored credential |
Example sketch (values illustrative):
services:
- type: web
name: api
runtime: docker
region: oregon
plan: starter
dockerfilePath: ./Dockerfile
dockerContext: .
dockerCommand: node server.js
envVars:
- key: PORT
value: 10000
For runtime: image, set image.url and, if needed, registryCredential per Registry Configuration below.
Multi-Stage Builds
Recommended for production. Use a builder stage for compilation and dependency installation, and a minimal runner stage that only copies artifacts and runtime files. Benefits:
- Smaller images and faster pulls
- Fewer tools and secrets in the final image (smaller attack surface)
- Clear separation between build-time and run-time dependencies
See references/dockerfile-patterns.md for language-specific templates.
Build Args vs Secrets
Critical: Never pass secrets via ARG. Build arguments are stored in image layers and can be recovered from the image history or intermediate layers.
- Prefer runtime environment variables (Render env vars / secret files) for application secrets.
- For build-time secrets (e.g. private package feeds), use Docker BuildKit secret mounts (
RUN --mount=type=secret,...) rather thanARG.
Treat anything sensitive as runtime or BuildKit secret mount, not as a build arg.
Registry Configuration
Private base images (for runtime: docker) or prebuilt images (runtime: image) need authentication:
- Store credentials in the Render Dashboard under Registry Credentials.
- In Blueprint, reference them with
registryCredential.fromRegistryCreds.name(match the Dashboard name).
Supports common registries (Docker Hub, GHCR, ECR, Google Artifact Registry, and others). Step-by-step per provider: references/registry-setup.md.
Prebuilt image services do not auto-deploy when the tag moves in the registry; trigger a manual redeploy or use a deploy hook when you publish a new image.
Layer Caching
- Render caches Docker layers between builds; order Dockerfile instructions so that frequently unchanged layers stay early (see
references/optimization-guide.md). - Tags and caching: mutable tags like
latestcan resolve to stale cached images. Prefer immutable references: digest (repo/image@sha256:...) or version pins (v1.2.3).
Platform Specifics
- Render builds linux/amd64. Avoid assumptions about other architectures in production images.
- Port binding matches native services: bind HTTP to
0.0.0.0:$PORT(Render setsPORT). - Health checks behave like non-Docker web services (
healthCheckPath, etc.). - Secret files from Render appear under
/etc/secrets/— do not rely on repo-root secret paths inside the container unless you copy or mount them explicitly in the image.
.dockerignore and Start Commands
- Always maintain a
.dockerignorethat excludesnode_modules,.git,.env, build artifacts, logs, and OS junk. This shrinks context upload time and avoids leaking local files into layers. Lists and rationale:references/optimization-guide.md. - Custom start command: if you need multiple shell steps, use a single shell form, e.g.
/bin/sh -c 'set -e; ./migrate && exec node server.js'(preferexecso your app receives signals for graceful shutdown).
References
| Document | Contents |
|----------|----------|
| references/dockerfile-patterns.md | Multi-stage templates (Node, Python, Go, Ruby, Rust, static sites) |
| references/registry-setup.md | Docker Hub, GHCR, ECR, Artifact Registry + Blueprint wiring |
| references/optimization-guide.md | Layer order, .dockerignore, BuildKit cache mounts, debugging |
Related Skills
- render-deploy — Deploy flows, Blueprint vs Dashboard, operational steps
- render-blueprints — Full
render.yamlschema, wiring, and validation - render-web-services — Web service behavior, health checks, and HTTP edge cases
Related Skills
render-oss/render-web-services
development
VerifiedTrustedCommunity
Configures Render web services—port binding, TLS, health checks, custom domains, auto-deploy, PR previews, persistent disks, and deploy lifecycle. Use when the user needs to set up a web service, fix health check failures, add a custom domain, configure zero-downtime deploys, or troubleshoot port binding issues.
44SKILL.mdUpdated Apr 30, 2026
render-oss/render-static-sites
development
VerifiedTrustedCommunity
Deploys and configures static sites on Render's global CDN—build commands, publish paths, SPA routing, redirects, custom headers, and PR previews. Use when the user needs to deploy a static site, set up a React/Vue/Hugo/Gatsby frontend, configure SPA fallback routing, add redirect rules, customize response headers, or choose between a static site and a web service for their frontend. Trigger terms: static site, CDN, SPA, single-page app, React deploy, Vue deploy, Hugo, Gatsby, Docusaurus, Jekyll, staticPublishPath.
44SKILL.mdUpdated Apr 30, 2026
render-oss/render-scaling
tools
VerifiedTrustedCommunity
Scales Render services—configures autoscaling targets, chooses instance types, sets manual instance counts, and optimizes cost. Use when the user needs to handle more traffic, set up autoscaling, pick the right instance type, reduce costs, or troubleshoot scaling behavior like slow scale-down or stuck instances.
44SKILL.mdUpdated Apr 30, 2026
render-oss/render-private-services
development
VerifiedTrustedCommunity
Configures Render private services—internal-only apps that accept traffic exclusively from other Render services over the private network. Use when the user needs an internal API, microservice, gRPC server, sidecar, or any service that should not be publicly accessible. Also use when choosing between a private service and a background worker. Trigger terms: private service, pserv, internal service, internal API, microservice, gRPC, not public, private network service.
44SKILL.mdUpdated Apr 30, 2026