skills/docker-best-practices/SKILL.md
Docker and container image best practices including multi-stage builds, security hardening, layer optimization, and Alpine/slim variants. Use when writing or reviewing Dockerfiles, container configurations, or docker-compose files.
npx skillsauth add rory-data/copilot docker-best-practices

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
v1.2.3)node:18-alpine)latest tag in production

```dockerfile
# GOOD: Optimise for caching
FROM node:18-alpine
WORKDIR /app
# Cache-friendly: deps change less
COPY package*.json ./
RUN npm ci --only=production
# App code changes most
COPY . .
```

```dockerfile
# Build stage
FROM node:18-alpine AS build
WORKDIR /app
COPY package*.json ./
RUN npm ci
COPY . .
RUN npm run build

# Production stage
FROM node:18-alpine AS production
WORKDIR /app
COPY --from=build /app/dist ./dist
COPY --from=build /app/package*.json ./
USER node
EXPOSE 3000
CMD ["node", "dist/main.js"]
```

```dockerfile
# Create and use non-root user
RUN addgroup -g 1001 -S nodejs
RUN adduser -S nextjs -u 1001
USER nextjs
```
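
```dockerfile
# Combine commands to reduce layers and clean up
# build-base is an assumed stand-in for whatever build-only packages are needed;
# the --virtual group has to be created before the final "apk del" can remove it
RUN apk add --no-cache \
        python3 \
        py3-pip \
    && apk add --no-cache --virtual build-dependencies build-base \
    && pip install --no-cache-dir flask \
    && apk del build-dependencies
```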

```dockerfile
# Pin specific versions for reproducibility
FROM python:3.11.5-slim
RUN pip install flask==2.3.3
```

```dockerfile
FROM python:3.11-slim AS build
WORKDIR /app
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt

FROM python:3.11-slim AS production
WORKDIR /app
COPY --from=build /usr/local/lib/python3.11/site-packages /usr/local/lib/python3.11/site-packages
COPY . .
USER nobody
EXPOSE 8000
CMD ["python", "app.py"]
```

```dockerfile
FROM node:18-alpine AS deps
WORKDIR /app
COPY package*.json ./
RUN npm ci --only=production

FROM node:18-alpine AS production
WORKDIR /app
COPY --from=deps /app/node_modules ./node_modules
COPY . .
USER node
EXPOSE 3000
CMD ["node", "server.js"]
```

```dockerfile
FROM golang:1.21-alpine AS build
WORKDIR /app
COPY go.mod go.sum ./
RUN go mod download
COPY . .
RUN CGO_ENABLED=0 go build -o main .

FROM scratch AS production
COPY --from=build /app/main /main
EXPOSE 8080
CMD ["/main"]
```

```
node_modules
.git
.gitignore
README.md
.env
.nyc_output
coverage
.vscode
```

```dockerfile
HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
    CMD curl -f http://localhost:3000/health || exit 1
```

```yaml
services:
  app:
    image: myapp:latest
    deploy:
      resources:
        limits:
          memory: 512M
          cpus: "0.5"
```

❌ Don't do this:

```dockerfile
# Use specific versions
FROM ubuntu:latest
# Combine with install
RUN apt-get update
# Do this after deps
COPY . .
# Separate command
RUN apt-get install -y curl
# Use COPY + RUN
ADD https://example.com/file.tar.gz
```

✅ Do this instead:

```dockerfile
FROM ubuntu:20.04
RUN apt-get update && apt-get install -y \
    curl \
    && rm -rf /var/lib/apt/lists/*
COPY requirements.txt .
RUN pip install -r requirements.txt
COPY . .
```
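
The anti-patterns in the "Don't do this" block, together with the non-root `USER` this page recommends, can be checked mechanically in review or CI. The following Python linter is an added example, not part of the original skill; the rule names (`UNPINNED_BASE` and so on) are invented for it, and it only covers the patterns shown on this page.

```python
import re

# Rule names are invented for this example; each maps to an anti-pattern on this page.
DEP_INSTALL = re.compile(r"\b(apt-get install|apk add|pip install|npm (ci|install))\b")

def instructions(text):
    """Yield (KEYWORD, words) per instruction, joining backslash continuations."""
    for line in re.sub(r"\\[ \t]*\n", " ", text).splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            kw, _, args = line.partition(" ")
            # Drop flags such as --from=build so positional words line up.
            yield kw.upper(), [w for w in args.split() if not w.startswith("--")]

def lint(text):
    findings, stages, copied_all, user = [], set(), False, None
    for kw, words in instructions(text):
        args = " ".join(words)
        if kw == "FROM" and words:
            copied_all, user = False, None  # every stage starts from a clean slate
            image = words[0]
            untagged = ":" not in image or image.endswith(":latest")
            if untagged and image != "scratch" and image not in stages:
                findings.append("UNPINNED_BASE")
            stages.update(words[2:3])  # remember the name in "FROM image AS name"
        elif kw == "RUN":
            if "apt-get update" in args and "apt-get install" not in args:
                findings.append("APT_UPDATE_ALONE")  # stale package index gets cached
            if copied_all and DEP_INSTALL.search(args):
                findings.append("DEPS_AFTER_SOURCE")  # any code change busts the cache
        elif kw == "COPY" and words[:2] == [".", "."]:
            copied_all = True
        elif kw == "ADD" and words and re.match(r"https?://", words[0]):
            findings.append("ADD_REMOTE_URL")
        elif kw == "USER" and words:
            user = words[0]
    if user in (None, "root", "0"):
        findings.append("RUNS_AS_ROOT")  # judged on the final stage only
    return findings

# Sample input: the instructions from this page's "Don't do this" block.
BAD = """FROM ubuntu:latest
RUN apt-get update
COPY . .
RUN apt-get install -y curl
ADD https://example.com/file.tar.gz
"""

if __name__ == "__main__":
    print(lint(BAD))
```
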

```dockerfile
FROM node:18-alpine
WORKDIR /app
COPY package*.json ./
RUN npm ci
COPY . .
EXPOSE 3000
CMD ["npm", "run", "dev"]
```

```dockerfile
FROM node:18-alpine AS build
WORKDIR /app
COPY package*.json ./
RUN npm ci
COPY . .
RUN npm run build

FROM node:18-alpine AS production
WORKDIR /app
COPY --from=build /app/dist ./dist
RUN addgroup -g 1001 nodejs && adduser -S -u 1001 nextjs
USER nextjs
EXPOSE 3000
CMD ["node", "dist/server.js"]
```