Complete dockerfile toolkit with generation and validation capabilities
74
92%
Does it follow best practices?
Impact
—
No eval scenarios have been run
Risky
Do not use without reviewing
You are given the following Dockerfile for a production Java service:
FROM openjdk:17
WORKDIR /app
ENV JAVA_OPTS="-Xmx512m"
ENV DB_PASSWORD=secret123
COPY target/app.jar /app/app.jar
COPY config/ /app/config/
EXPOSE 8080
EXPOSE 8443
EXPOSE 9090
HEALTHCHECK --interval=30s --timeout=10s CMD curl -f http://localhost:8080/health || exit 1
CMD ["sh", "-c", "java $JAVA_OPTS -jar /app/app.jar"]Pre-validation check: no .dockerignore file exists in the build context.
Run the complete 4-stage validation workflow mentally and produce a full findings report.
Then produce the final summary report with:
ENV DB_PASSWORD=secret123 as a Critical security finding and propose using BuildKit secrets or runtime environment injection insteadopenjdk:17 without a patch version tag is imprecise and recommend a pinned minimal variant.dockerignore and list recommended patterns to include (.git, .env, *.log, target/ for Java)COPY target/app.jar) and assess whether an additional build stage is relevantENV DB_PASSWORD=secret123 as a Critical security finding and proposes using BuildKit secrets or runtime environment injection insteadopenjdk:17 without a patch version tag (e.g., 17-jdk-slim) is imprecise and recommends a pinned minimal variant.dockerignore and lists recommended patterns to include (node_modules, .git, .env, *.log, target/ for Java)COPY target/app.jar) which is already a build artefact, and assesses whether an additional build stage is relevantENV DB_PASSWORD=secret123 is not identified as a Critical security findingopenjdk:17 without a patch version is not identified as an imprecise or risky base image tag.dockerignore is not flagged