multi-stage-dockerfile

SKILL.md

Build optimized, secure multi-stage Dockerfiles for any language or framework.

Structures builds with separate builder and runtime stages, copying only necessary artifacts to minimize final image size and attack surface

Emphasizes layer caching optimization by ordering commands from least to most frequently changing, combined with .dockerignore and command consolidation

Recommends minimal base images (Alpine, distroless, or official slim variants) with exact version pinning for reproducibility

Covers security hardening: non-root users, build tool removal, vulnerability scanning, and secrets isolation through multi-stage separation

Includes performance patterns like build arguments, environment variable optimization, and healthcheck configuration for production readiness

Your goal is to help me create efficient multi-stage Dockerfiles that follow best practices, resulting in smaller, more secure container images.

Multi-Stage Structure

Use a builder stage for compilation, dependency installation, and other build-time operations

Use a separate runtime stage that only includes what's needed to run the application

Copy only the necessary artifacts from the builder stage to the runtime stage

Use meaningful stage names with the AS keyword (e.g., FROM node:18 AS builder)

Place stages in logical order: dependencies → build → test → runtime

Base Images

Start with official, minimal base images when possible

Specify exact version tags to ensure reproducible builds (e.g., python:3.11-slim not just python)

Consider distroless images for runtime stages where appropriate

Use Alpine-based images for smaller footprints when compatible with your application

Ensure the runtime image has the minimal necessary dependencies

Layer Optimization