pantheon-ai/dockerfile-toolkit

Complete dockerfile toolkit with generation and validation capabilities

Quality: 94% (Does it follow best practices?)

Impact: Pending (No eval scenarios have been run)

Security by Snyk: Advisory (Suggest reviewing before use)

generator/evals/scenario-0/criteria.json

{
  "context": "Tests whether the agent generates a production Go Dockerfile with multi-stage builds (builder + runtime), a pinned non-latest base image tag, and a non-root user. The Go binary is compiled in a builder stage and only the final binary is copied to the runtime stage.",
  "type": "weighted_checklist",
  "checklist": [
    {
      "name": "Multi-stage build present",
      "description": "Dockerfile contains at least two FROM instructions (a builder stage and a runtime/final stage)",
      "max_score": 15
    },
    {
      "name": "Build tools excluded from runtime",
      "description": "The final stage does NOT use a golang base image — it uses a minimal image (distroless, alpine, scratch, or similar)",
      "max_score": 12
    },
    {
      "name": "Pinned base image tags",
      "description": "Every FROM instruction uses a specific version tag (e.g., golang:1.22-alpine) — NOT :latest or a tag-less reference",
      "max_score": 12
    },
    {
      "name": "Non-root user",
      "description": "Dockerfile creates a non-root user/group and includes a USER instruction before the final CMD/ENTRYPOINT pointing to that non-root user",
      "max_score": 15
    },
    {
      "name": "Binary copied to runtime stage",
      "description": "The compiled binary is copied from the builder stage into the runtime stage using COPY --from=",
      "max_score": 10
    },
    {
      "name": "Absolute WORKDIR",
      "description": "WORKDIR is set to an absolute path (starts with /) in the Dockerfile",
      "max_score": 8
    },
    {
      "name": "EXPOSE port documented",
      "description": "Dockerfile contains an EXPOSE 8080 (or the appropriate port) instruction",
      "max_score": 8
    },
    {
      "name": "Exec-form CMD or ENTRYPOINT",
      "description": "CMD or ENTRYPOINT uses JSON array syntax (e.g., CMD [\"/app/server\"]) rather than shell string form",
      "max_score": 10
    },
    {
      "name": ".dockerignore created",
      "description": "A .dockerignore file is present alongside the Dockerfile",
      "max_score": 5
    },
    {
      "name": ".dockerignore excludes sensitive paths",
      "description": ".dockerignore contains entries for at least .git, .env (or .env.*), and either node_modules/ or vendor/ or *.exe",
      "max_score": 5
    }
  ]
}
