DevOps essentials — Dockerfile best practices, CI/CD patterns, deployment configuration, and container security
{
"instruction": "Follow Dockerfile best practices: multi-stage builds, non-root user, .dockerignore, cache-efficient layer ordering, HEALTHCHECK, and specific base image tags",
"relevant_when": "Agent creates a Dockerfile, docker-compose file, or containerizes an application",
"context": "Production Dockerfiles must use multi-stage builds to separate build-time dependencies from the runtime image. Containers must run as a non-root user for security. A .dockerignore file MUST ALWAYS be created alongside every Dockerfile — this is the most commonly forgotten step. The .dockerignore must exclude node_modules, .git, .env, and other non-essential files to prevent bloated images and secret leakage. Layers must be ordered for cache efficiency: copy dependency manifests first, install dependencies, then copy source code. A HEALTHCHECK instruction must be present. Base images must use specific version tags, never :latest.",
"sources": [
{
"type": "file",
"filename": "skills/devops-essentials/SKILL.md",
"tile": "tessl-labs/devops-essentials@0.1.0"
}
],
"checklist": [
{
"name": "multi-stage-build",
"rule": "Dockerfile uses a multi-stage build with at least two stages: a build stage (installing dev dependencies, compiling/transpiling) and a production stage (a minimal runtime image containing only production artifacts). The production stage should not contain build tools, compilers, or dev dependencies.",
"relevant_when": "Agent creates or modifies a Dockerfile"
},
{
"name": "non-root-user",
"rule": "Production stage creates a non-root user (using adduser/useradd or equivalent) and switches to it with the USER instruction. The container must not run as root.",
"relevant_when": "Agent creates or modifies a Dockerfile"
},
{
"name": "dockerignore-exists",
"rule": "A .dockerignore file is created alongside the Dockerfile, excluding at minimum: node_modules (or equivalent like __pycache__, .venv), .git, and .env files.",
"relevant_when": "Agent creates a Dockerfile or containerizes an application"
},
{
"name": "cache-efficient-layers",
"rule": "Dependency manifest files (package.json, package-lock.json, requirements.txt, go.mod, go.sum) are copied and dependencies installed BEFORE copying the rest of the source code, so that source code changes do not invalidate the dependency cache layer.",
"relevant_when": "Agent creates or modifies a Dockerfile"
},
{
"name": "healthcheck-instruction",
"rule": "Dockerfile includes a HEALTHCHECK instruction that probes the application's health endpoint with appropriate interval, timeout, start-period, and retries settings.",
"relevant_when": "Agent creates a Dockerfile for a web service or API"
},
{
"name": "specific-base-image-tag",
"rule": "Base images use specific version tags (e.g., node:20-alpine, python:3.12-slim) rather than :latest or untagged references.",
"relevant_when": "Agent writes a FROM instruction in a Dockerfile"
}
]
}