Complete dockerfile toolkit with generation and validation capabilities
94%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Advisory
Suggest reviewing before use
{
"context": "Tests whether the agent generates a Java Dockerfile with a HEALTHCHECK instruction, exec-form CMD for correct signal handling, an EXPOSE instruction for the service port, and a non-root USER. The multi-stage build should use a JDK for building and a JRE-only image for the runtime stage.",
"type": "weighted_checklist",
"checklist": [
{
"name": "HEALTHCHECK present",
"description": "Dockerfile contains a HEALTHCHECK instruction (e.g., HEALTHCHECK CMD curl --fail http://localhost:8080/actuator/health or equivalent)",
"max_score": 20
},
{
"name": "Exec-form CMD",
"description": "CMD uses JSON array syntax (e.g., CMD [\"java\", \"-jar\", \"/app/payment-service.jar\"]) rather than shell string form",
"max_score": 15
},
{
"name": "EXPOSE port documented",
"description": "Dockerfile contains EXPOSE 8080 (or appropriate port)",
"max_score": 12
},
{
"name": "Non-root user",
"description": "A non-root user/group is created and USER instruction is placed before CMD/ENTRYPOINT",
"max_score": 15
},
{
"name": "JRE-only runtime stage",
"description": "The final/runtime stage uses a JRE image (eclipse-temurin:*-jre, amazoncorretto, or similar JRE-only) rather than a full JDK image",
"max_score": 12
},
{
"name": "Multi-stage build",
"description": "Dockerfile contains at least two FROM instructions separating the build stage from the runtime stage",
"max_score": 10
},
{
"name": "Pinned base image tags",
"description": "All FROM instructions use specific version tags and NOT :latest",
"max_score": 8
},
{
"name": ".dockerignore for Maven",
"description": ".dockerignore is present and contains at least one Maven-specific entry such as target/ or *.class",
"max_score": 8
}
]
}