Track
Docker
Review build contexts, base images, cache layers, multi-stage builds, secrets, users, healthchecks, and Compose files.
- 01
Build context and .dockerignore
Keep the Docker build context small and intentional so builds are faster, safer, and easier to reproduce.
build contextdockerignoresecurity - 02
Base images and tag pinning
Choose a narrow base image and pin versions deliberately so rebuilds do not change underneath you without review.
base imagetagssupply chain - 03
Layer cache and dependency order
Order Dockerfile instructions so dependency layers are reused when source files change.
cachelayersdependencies - 04
Multi-stage builds
Separate build tooling from the final runtime image so production containers contain only what they need to run.
multi-stageruntimeimage size - 05
COPY, ADD, and WORKDIR
Use WORKDIR and COPY intentionally so filesystem paths are clear and remote side effects are not hidden in ADD.
copyaddworkdir - 06
Non-root users and permissions
Run application processes as a non-root user and make file ownership match the runtime user.
securityuserpermissions - 07
ARG, ENV, and secrets
Separate build-time arguments, runtime environment variables, and secrets so sensitive values are not baked into images.
secretsenvarg - 08
ENTRYPOINT, CMD, and signals
Use exec-form commands and keep startup wrappers signal-safe so containers stop gracefully.
entrypointcmdsignals - 09
Healthchecks and runtime config
Describe runtime health and configuration explicitly so operators can tell whether the container is ready and healthy.
healthcheckruntimeoperations - 10
Compose services, volumes, and networks
Use Compose to define service boundaries, persistent volumes, and internal networks without overexposing ports or state.
composevolumesnetworks
Related tracks
Keep learning inside the same language family.