Stats
Actions
Tags
From ai-eng-devops
Build, run, and secure Docker containers with best practices. Covers Dockerfile review, multi-stage builds, Compose orchestration, image hardening, and CI/CD integration.
How this skill is triggered — by the user, by Claude, or both
Slash command
/ai-eng-devops:dockerThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
```bash
docker --version # Engine version
docker compose version # Compose plugin version
docker buildx version # BuildKit/buildx version
Check the Docker Engine release notes for the latest stable.
HEALTHCHECK.alpine, slim, distroless)latest tag — pinned to specific digest or versionWORKDIR is set before file operationsCOPY uses specific files, not COPY . . where possibleUSER directive or --user at runtime)EXPOSE documents only necessary portsHEALTHCHECK is definedapt-get cleaned, no dev tools in runtime)docker scout or Trivy.dockerignore exists and excludes: .git, node_modules, *.log, .envRUN commands combined where logical (but not excessively long)DOCKER_BUILDKIT=1 or default in modern Docker)# syntax=docker/dockerfile:1
FROM node:22-alpine AS builder
WORKDIR /app
COPY package*.json .
RUN npm ci --only=production
FROM node:22-alpine AS runtime
RUN addgroup -g 1001 -S nodejs && adduser -S nodejs -u 1001
WORKDIR /app
COPY --from=builder --chown=nodejs:nodejs /app/node_modules ./node_modules
COPY --chown=nodejs:nodejs . .
USER nodejs
EXPOSE 3000
HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
CMD node -e "require('http').get('http://localhost:3000/health', (r) => r.statusCode === 200 ? process.exit(0) : process.exit(1))"
CMD ["node", "server.js"]
# docker-compose.yml — production baseline
services:
app:
build: .
restart: unless-stopped
deploy:
resources:
limits:
cpus: '1.0'
memory: 512M
healthcheck:
test: ["CMD", "curl", "-f", "http://localhost:3000/health"]
interval: 30s
timeout: 3s
retries: 3
# docker-compose.override.yml — development only
services:
app:
volumes:
- .:/app
environment:
- NODE_ENV=development
command: npm run dev
docker compose config # validate and merge
docker compose config --profiles # check profile separation
# Docker Scout (built-in, requires login)
docker scout quickview myimage:latest
docker scout cves myimage:latest
# Trivy (open source)
trivy image myimage:latest
trivy filesystem .
# Snyk
snyk container test myimage:latest
| Anti-Pattern | Why It's Wrong | Fix |
|---|---|---|
FROM node:latest | Non-reproducible builds, surprise updates | Pin to node:22-alpine or digest |
| Running as root | Container escape = host compromise | USER directive + file ownership |
COPY . . without .dockerignore | Bloats image, leaks secrets | Explicit .dockerignore |
apt-get update && apt-get install without cleanup | Bloated layers | && rm -rf /var/lib/apt/lists/* |
| No healthcheck | Orchestrator can't detect failure | HEALTHCHECK in Dockerfile or compose |
| Secrets in ENV | Visible in docker inspect | BuildKit secrets or runtime mounts |
| Single-stage build | Large attack surface, slow deploys | Multi-stage: build → runtime |
# .github/workflows/docker.yml
- name: Build and scan
run: |
docker build -t app:${{ github.sha }} .
docker scout cves app:${{ github.sha }} --exit-code --only-severity critical,high
docker run --rm app:${{ github.sha }} npm test
docker build --no-cache to isolatedive myimage:latest to analyze layer bloatCMD/ENTRYPOINT and logs (docker logs)USER directive and file ownership in COPY --chowndocker execCreates structured, bite-sized implementation plans from specs or requirements before writing code. Useful for breaking down multi-step tasks into testable steps with file structure and task boundaries.
2plugins reuse this skill
First indexed Jul 8, 2026
npx claudepluginhub p/v1truv1us-ai-eng-devops-plugins-ai-eng-devops