dockerfile-generator
Generate optimized, multi-stage Dockerfiles for Node.js, Python, Go, Rust, and Java with layer caching, non-root users, and minimal production images.
83
Quality
77%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Securityby
Passed
No known issues
Optimize this skill with Tessl
npx tessl skill review --optimize ./infrastructure/dockerfile-generator/SKILL.mdDockerfile Generator
Generate optimized, multi-stage Dockerfiles for Node.js, Python, Go, Rust, and Java with layer caching, non-root users, and minimal production images.
Prerequisites
- Docker Engine >= 24.x
- Docker Buildx (included with Docker Desktop)
Scaffold Command
# Create Dockerfile and .dockerignore in project root
touch Dockerfile
touch .dockerignoreProject Structure
project-root/
Dockerfile # Multi-stage build
.dockerignore # Exclude unnecessary files from build context
docker/
entrypoint.sh # Optional custom entrypoint scriptKey Conventions
- Always use multi-stage builds: separate dependency installation, build, and runtime stages.
- Pin base image tags to specific versions (e.g.,
node:20.18-alpine3.20, notnode:latest). - Prefer Alpine or distroless images for production stages to minimize attack surface.
- Run as non-root user in production stage.
- Order layers from least to most frequently changing to maximize cache hits.
- Copy dependency manifests first, install, then copy source code.
- Use
.dockerignoreto excludenode_modules,.git,dist, test files, and docs. - Use
HEALTHCHECKinstruction for standalone containers. - Set
WORKDIRexplicitly in every stage.
Essential Patterns
.dockerignore (Universal)
.git
.gitignore
.env*
*.md
LICENSE
docker-compose*.yml
.dockerignore
Dockerfile*
node_modules
dist
build
__pycache__
*.pyc
.pytest_cache
.coverage
.venv
target
.idea
.vscode
*.logNode.js (npm/pnpm)
# ---- Dependencies ----
FROM node:20.18-alpine3.20 AS deps
WORKDIR /app
COPY package.json package-lock.json ./
RUN npm ci --ignore-scripts
# ---- Build ----
FROM node:20.18-alpine3.20 AS build
WORKDIR /app
COPY --from=deps /app/node_modules ./node_modules
COPY . .
RUN npm run build
# ---- Production ----
FROM node:20.18-alpine3.20 AS production
WORKDIR /app
ENV NODE_ENV=production
RUN addgroup -g 1001 appgroup && adduser -u 1001 -G appgroup -s /bin/sh -D appuser
COPY --from=deps /app/node_modules ./node_modules
COPY --from=build /app/dist ./dist
COPY package.json ./
USER appuser
EXPOSE 3000
HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
CMD ["node", "-e", "fetch('http://localhost:3000/health').then(r => { if (!r.ok) process.exit(1) })"]
CMD ["node", "dist/main.js"]Node.js with pnpm
FROM node:20.18-alpine3.20 AS deps
WORKDIR /app
RUN corepack enable && corepack prepare pnpm@9 --activate
COPY pnpm-lock.yaml package.json ./
RUN pnpm install --frozen-lockfile --ignore-scripts
FROM node:20.18-alpine3.20 AS build
WORKDIR /app
RUN corepack enable && corepack prepare pnpm@9 --activate
COPY --from=deps /app/node_modules ./node_modules
COPY . .
RUN pnpm build
FROM node:20.18-alpine3.20 AS production
WORKDIR /app
ENV NODE_ENV=production
RUN addgroup -g 1001 appgroup && adduser -u 1001 -G appgroup -s /bin/sh -D appuser
COPY --from=deps /app/node_modules ./node_modules
COPY --from=build /app/dist ./dist
COPY package.json ./
USER appuser
EXPOSE 3000
CMD ["node", "dist/main.js"]Python (pip + venv)
# ---- Build ----
FROM python:3.12-slim AS build
WORKDIR /app
RUN python -m venv /opt/venv
ENV PATH="/opt/venv/bin:$PATH"
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt
# ---- Production ----
FROM python:3.12-slim AS production
WORKDIR /app
RUN groupadd -g 1001 appgroup && useradd -u 1001 -g appgroup -s /bin/sh appuser
COPY --from=build /opt/venv /opt/venv
ENV PATH="/opt/venv/bin:$PATH"
COPY . .
USER appuser
EXPOSE 8000
HEALTHCHECK --interval=30s --timeout=3s --retries=3 \
CMD ["python", "-c", "import urllib.request; urllib.request.urlopen('http://localhost:8000/health')"]
CMD ["uvicorn", "app.main:app", "--host", "0.0.0.0", "--port", "8000"]Python (Poetry)
FROM python:3.12-slim AS build
WORKDIR /app
ENV POETRY_HOME="/opt/poetry" \
POETRY_VIRTUALENVS_IN_PROJECT=true \
POETRY_NO_INTERACTION=1
RUN pip install --no-cache-dir poetry==1.8.*
COPY pyproject.toml poetry.lock ./
RUN poetry install --only main --no-root
FROM python:3.12-slim AS production
WORKDIR /app
RUN groupadd -g 1001 appgroup && useradd -u 1001 -g appgroup -s /bin/sh appuser
COPY --from=build /app/.venv /app/.venv
ENV PATH="/app/.venv/bin:$PATH"
COPY . .
USER appuser
EXPOSE 8000
CMD ["uvicorn", "app.main:app", "--host", "0.0.0.0", "--port", "8000"]Go
# ---- Build ----
FROM golang:1.23-alpine AS build
WORKDIR /app
COPY go.mod go.sum ./
RUN go mod download
COPY . .
RUN CGO_ENABLED=0 GOOS=linux go build -ldflags="-s -w" -o /server ./cmd/server
# ---- Production (distroless) ----
FROM gcr.io/distroless/static-debian12 AS production
COPY --from=build /server /server
USER nonroot:nonroot
EXPOSE 8080
ENTRYPOINT ["/server"]Rust
# ---- Build ----
FROM rust:1.83-alpine AS build
WORKDIR /app
RUN apk add --no-cache musl-dev
COPY Cargo.toml Cargo.lock ./
# Cache dependencies by building a dummy project
RUN mkdir src && echo "fn main() {}" > src/main.rs && cargo build --release && rm -rf src
COPY src ./src
RUN touch src/main.rs && cargo build --release
# ---- Production (distroless) ----
FROM gcr.io/distroless/cc-debian12 AS production
COPY --from=build /app/target/release/myapp /app
USER nonroot:nonroot
EXPOSE 8080
ENTRYPOINT ["/app"]Java (Gradle + JRE)
# ---- Build ----
FROM eclipse-temurin:21-jdk-alpine AS build
WORKDIR /app
COPY gradle gradle
COPY gradlew build.gradle.kts settings.gradle.kts ./
RUN ./gradlew dependencies --no-daemon
COPY src ./src
RUN ./gradlew bootJar --no-daemon
# ---- Production ----
FROM eclipse-temurin:21-jre-alpine AS production
WORKDIR /app
RUN addgroup -g 1001 appgroup && adduser -u 1001 -G appgroup -s /bin/sh -D appuser
COPY --from=build /app/build/libs/*.jar app.jar
USER appuser
EXPOSE 8080
HEALTHCHECK --interval=30s --timeout=3s --retries=3 \
CMD ["sh", "-c", "wget -qO- http://localhost:8080/actuator/health || exit 1"]
ENTRYPOINT ["java", "-jar", "app.jar"]Build Args and Labels
ARG APP_VERSION=0.0.0
ARG BUILD_DATE
LABEL org.opencontainers.image.title="myapp" \
org.opencontainers.image.version="${APP_VERSION}" \
org.opencontainers.image.created="${BUILD_DATE}" \
org.opencontainers.image.source="https://github.com/org/repo"
# Usage:
# docker build --build-arg APP_VERSION=1.2.3 --build-arg BUILD_DATE=$(date -u +%Y-%m-%dT%H:%M:%SZ) .Common Commands
# Build image
docker build -t myapp:latest .
# Build specific stage (e.g., for dev with hot reload)
docker build --target deps -t myapp:deps .
# Build with build args
docker build --build-arg APP_VERSION=1.2.3 -t myapp:1.2.3 .
# Build with no cache
docker build --no-cache -t myapp:latest .
# Run container
docker run -p 3000:3000 --env-file .env myapp:latest
# Check image size
docker images myapp
# Inspect layers
docker history myapp:latest
# Scan for vulnerabilities
docker scout cves myapp:latest
# Multi-platform build
docker buildx build --platform linux/amd64,linux/arm64 -t myapp:latest --push .Integration Notes
- Docker Compose: Reference these Dockerfiles from
docker-compose.ymlviabuild.dockerfileandbuild.target. - CI/CD: Pair with
github-actions-ciskill for automated builds. Use GitHub Actions cache (type=gha) or registry cache (type=registry) for layer caching in CI. - Kubernetes: Built images are pushed to a container registry and referenced in Kubernetes Deployment manifests.
- Security: Run
docker scout cvesor Trivy scans in CI. Use distroless or Alpine for minimal attack surface. Never run as root in production.
- Repository
- achreftlili/deep-dev-skills
- Commit
181fcbc
- Last updated
- Created
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.