configure-dockerfile

/configure:dockerfile

Install skill "configure-dockerfile" with this command: npx skills add laurigates/claude-plugins/laurigates-claude-plugins-configure-dockerfile

Check and configure Dockerfile against project standards with emphasis on minimal images, non-root users, and multi-stage builds.

When to Use This Skill

| Use this skill when... | Use another approach when... |
| --- | --- |
| Checking Dockerfile compliance with standards | Just viewing Dockerfile (use Read tool) |
| Creating Dockerfile from template | Dockerfile already follows all standards |
| Validating image size, security, multi-stage builds | Need container runtime config (use /configure:container) |
| Setting up minimal Alpine/slim-based images | Project uses specialized base images (custom requirements) |
| Ensuring non-root user configuration | Debugging container issues (check logs, inspect runtime) |

Context

  • Dockerfiles: !find . -maxdepth 1 \( -name 'Dockerfile' -o -name 'Dockerfile.*' -o -name '*.Dockerfile' \)

  • Dockerignore: !find . -maxdepth 1 -name '.dockerignore'

  • Project type: !find . -maxdepth 1 \( -name 'package.json' -o -name 'pyproject.toml' -o -name 'Cargo.toml' -o -name 'go.mod' \) -print -quit

  • Base images: !grep -hm5 '^FROM' Dockerfile Dockerfile.* *.Dockerfile

Parameters

Parse from command arguments:

  • --check-only: Report compliance status without modifications

  • --fix: Apply fixes automatically without prompting

  • --type <type>: Override project type detection (frontend, python, go, rust)

Execution

Execute this Dockerfile compliance check:

Step 1: Detect project type and Dockerfiles

  • Find Dockerfile(s) in project root

  • Detect project type from context (package.json, pyproject.toml, go.mod, Cargo.toml)

  • Parse Dockerfile to analyze current configuration

  • Apply --type override if provided

Step 2: Verify latest base image versions

Before flagging outdated base images, use WebSearch or WebFetch to verify latest versions:

  • Node.js Alpine: Check Docker Hub for latest LTS Alpine tags

  • Python slim: Check Docker Hub for latest slim tags

  • nginx Alpine: Check Docker Hub for latest Alpine tags

  • Go Alpine: Check Docker Hub for latest Alpine tags

  • Rust Alpine: Check Docker Hub for latest Alpine tags

Step 3: Analyze compliance

Check the Dockerfile against these standards:

Frontend (Node.js) Standards:

| Check | Standard | Severity |
| --- | --- | --- |
| Build base | node:22-alpine (LTS) | WARN if other |
| Runtime base | nginx:1.27-alpine | WARN if other |
| Multi-stage | Required | FAIL if missing |
| HEALTHCHECK | Required | FAIL if missing |
| Non-root user | Required | FAIL if missing |
| Build caching | --mount=type=cache recommended | INFO |
| OCI Labels | Required for GHCR integration | WARN if missing |

Python Service Standards:

| Check | Standard | Severity |
| --- | --- | --- |
| Base image | python:3.12-slim | WARN if other |
| Multi-stage | Required for production | FAIL if missing |
| HEALTHCHECK | Required | FAIL if missing |
| Non-root user | Required | FAIL if missing |
| OCI Labels | Required for GHCR integration | WARN if missing |

OCI Container Labels:

| Label | Purpose | Severity |
| --- | --- | --- |
| org.opencontainers.image.source | Links to repository | WARN if missing |
| org.opencontainers.image.description | Package description | WARN if missing |
| org.opencontainers.image.licenses | SPDX license identifier | WARN if missing |
| org.opencontainers.image.version | Semantic version (via ARG) | INFO if missing |
| org.opencontainers.image.revision | Git commit SHA (via ARG) | INFO if missing |

Step 4: Report results

Print a compliance report:

```
Dockerfile Compliance Report

Project Type: <type> (detected)
Dockerfile: ./Dockerfile (found)

Configuration Checks:
  Build base      <image>             [PASS|WARN]
  Runtime base    <image>             [PASS|WARN]
  Multi-stage     <N> stages          [PASS|FAIL]
  HEALTHCHECK     <present|missing>   [PASS|FAIL]
  Non-root user   <present|missing>   [PASS|FAIL]
  Build caching   <enabled|missing>   [PASS|INFO]

OCI Labels Checks:
  image.source        <present|missing>   [PASS|WARN]
  image.description   <present|missing>   [PASS|WARN]
  image.licenses      <present|missing>   [PASS|WARN]

Recommendations:
  <list specific fixes needed>
```

If --check-only is set, stop here.

Step 5: Apply fixes (if requested)

If --fix flag is set or user confirms:

  • Missing Dockerfile: Create from standard template (see Standard Templates below)

  • Missing HEALTHCHECK: Add standard healthcheck

  • Missing multi-stage: Suggest restructure (manual fix needed)

  • Outdated base images: Update FROM lines

  • Missing OCI labels: Add LABEL instructions

Step 6: Update standards tracking

Update .project-standards.yaml:

```yaml
components:
  dockerfile: "2025.1"
```

Standard Templates

Frontend (Node/Vite/nginx)

```dockerfile
FROM node:22-alpine AS build

ARG SENTRY_AUTH_TOKEN
ARG VITE_SENTRY_DSN

WORKDIR /app

COPY package*.json ./
RUN --mount=type=cache,target=/root/.npm npm ci

COPY . .
RUN --mount=type=cache,target=/root/.npm \
    --mount=type=cache,target=/app/node_modules/.vite \
    npm run build

FROM nginx:1.27-alpine

# OCI labels for GHCR integration
LABEL org.opencontainers.image.source="https://github.com/OWNER/REPO" \
      org.opencontainers.image.description="Production frontend application" \
      org.opencontainers.image.licenses="MIT" \
      org.opencontainers.image.vendor="Your Organization"

# Dynamic labels via build args
ARG VERSION=dev
ARG BUILD_DATE
ARG VCS_REF
LABEL org.opencontainers.image.version="${VERSION}" \
      org.opencontainers.image.created="${BUILD_DATE}" \
      org.opencontainers.image.revision="${VCS_REF}"

# This stage has no USER instruction, so the Step 3 "Non-root user" check
# reports FAIL for it as written.
COPY --from=build /app/dist /usr/share/nginx/html
COPY nginx/default.conf.template /etc/nginx/templates/

EXPOSE 80

HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
    CMD wget --no-verbose --tries=1 --spider http://localhost/health || exit 1
```

Python Service

```dockerfile
FROM python:3.12-slim AS builder

WORKDIR /app
COPY pyproject.toml uv.lock ./
RUN pip install uv && uv sync --frozen --no-dev

FROM python:3.12-slim

# OCI labels for GHCR integration
LABEL org.opencontainers.image.source="https://github.com/OWNER/REPO" \
      org.opencontainers.image.description="Production Python API server" \
      org.opencontainers.image.licenses="MIT" \
      org.opencontainers.image.vendor="Your Organization"

# Dynamic labels via build args
ARG VERSION=dev
ARG BUILD_DATE
ARG VCS_REF
LABEL org.opencontainers.image.version="${VERSION}" \
      org.opencontainers.image.created="${BUILD_DATE}" \
      org.opencontainers.image.revision="${VCS_REF}"

# Create and switch to an unprivileged user before copying the application
RUN useradd --create-home appuser
USER appuser
WORKDIR /app

COPY --from=builder /app/.venv /app/.venv
COPY --chown=appuser:appuser . .

ENV PATH="/app/.venv/bin:$PATH"
EXPOSE 8000

# python:3.12-slim does not ship curl; install it in this stage or the
# probe below will always fail.
HEALTHCHECK --interval=30s --timeout=3s --start-period=10s --retries=3 \
    CMD curl -f http://localhost:8000/health || exit 1

CMD ["uvicorn", "app.main:app", "--host", "0.0.0.0", "--port", "8000"]
```

Agentic Optimizations

  • Check Dockerfile exists: find . -maxdepth 1 \( -name 'Dockerfile' -o -name 'Dockerfile.*' \) 2>/dev/null

  • Validate multi-stage build: grep -c '^FROM' Dockerfile 2>/dev/null

  • Check for non-root user: grep -E '^USER[[:space:]]+' Dockerfile 2>/dev/null | grep -Ev '^USER[[:space:]]+(root|0)(:|[[:space:]]|$)'

  • Check base image: grep '^FROM' Dockerfile | head -1

  • Quick compliance check: /configure:dockerfile --check-only

  • Auto-fix issues: /configure:dockerfile --fix
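The grep one-liners above scan the whole file, so they cannot tell which stage a USER or HEALTHCHECK belongs to. The following sketch is an added example, not part of the upstream skill: it applies the Step 3 checks to the final stage only. The names `instructions`, `check` and `SAMPLE` are constructed for illustration, and a missing USER is assumed to mean root.

```python
import re

# Severity when a label is absent, from the "OCI Container Labels" table.
OCI_LABELS = {"source": "WARN", "description": "WARN", "licenses": "WARN",
              "version": "INFO", "revision": "INFO"}

def instructions(text):
    """Yield (KEYWORD, args), dropping comments and joining continuations."""
    text = re.sub(r"(?m)^[ \t]*#.*\n?", "", text)
    text = re.sub(r"\\[ \t]*\n", " ", text)
    for line in text.splitlines():
        word, _, rest = line.strip().partition(" ")
        if word:
            yield word.upper(), rest.strip()

def check(text):
    """Return {check: PASS|FAIL|WARN|INFO} for one Dockerfile's text."""
    stages = []                        # one instruction list per FROM
    for word, args in instructions(text):
        if word == "FROM":
            stages.append([])
        if stages:
            stages[-1].append((word, args))
    if not stages:
        return {"dockerfile": "FAIL"}
    final = stages[-1]                 # only the last stage ships
    users = [a.split(":")[0] for w, a in final if w == "USER"]
    # Last USER wins; with none, the base default applies (assumed root).
    non_root = bool(users) and users[-1] not in ("root", "0")
    health = any(w == "HEALTHCHECK" and a.upper() != "NONE" for w, a in final)
    labels = " ".join(a for w, a in final if w == "LABEL")
    report = {"multi-stage": "PASS" if len(stages) > 1 else "FAIL",
              "healthcheck": "PASS" if health else "FAIL",
              "non-root": "PASS" if non_root else "FAIL"}
    for name, severity in OCI_LABELS.items():
        present = f"org.opencontainers.image.{name}=" in labels
        report[f"image.{name}"] = "PASS" if present else severity
    return report

# Constructed sample: USER is set in the build stage only.
SAMPLE = """\
FROM node:22-alpine AS build
USER node
FROM nginx:1.27-alpine
LABEL org.opencontainers.image.source="https://github.com/OWNER/REPO" \\
      org.opencontainers.image.licenses="MIT"
"""

print(check(SAMPLE))
```

On the sample, a whole-file USER grep finds `USER node` and passes, while the stage-aware check reports the shipped nginx stage as FAIL for both non-root user and HEALTHCHECK.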

Flags

| Flag | Description |
| --- | --- |
| --check-only | Report status without offering fixes |
| --fix | Apply fixes automatically |
| --type <type> | Override project type (frontend, python) |

Notes

  • Node 22 is current LTS (recommended over 24)

  • nginx:1.27-alpine preferred over debian variant

  • HEALTHCHECK is critical for Kubernetes liveness probes

  • Build caching significantly improves CI/CD speed

  • Non-root user is mandatory for production containers

See Also

  • /configure:container - Comprehensive container infrastructure

  • /configure:skaffold - Kubernetes development configuration

  • /configure:all - Run all compliance checks

  • container-development skill - Container best practices
