Track
Docker
Review build contexts, base images, cache layers, multi-stage builds, secrets, users, healthchecks, and Compose files.
- 01
Build context and .dockerignore
Keep the Docker build context small and intentional: a .dockerignore that excludes .git, local env files, and test data makes builds faster, keeps credentials and stray files out of image layers, and makes rebuilds reproducible.
Tags: build context, dockerignore, security
- 02
Base images and tag pinning
Choose a narrow base image and pin it to an exact tag (or, better, an @sha256 digest) so rebuilds do not pick up a changed upstream image without review.
Tags: base image, tags, supply chain
- 03
Layer cache and dependency order
Order Dockerfile instructions from least to most frequently changing, copying dependency manifests and installing dependencies before the source tree, so dependency layers stay cached when only source files change.
Tags: cache, layers, dependencies
- 04
Multi-stage builds
Separate build tooling from the final runtime image so production containers carry only what they need to run, not compilers, package managers, or source.
Tags: multi-stage, runtime, image size
- 05
COPY, ADD, and WORKDIR
Use WORKDIR and COPY deliberately so filesystem paths are explicit; prefer COPY over ADD, whose URL fetching and automatic archive extraction hide remote fetches and unpacking behind a single instruction.
Tags: copy, add, workdir
- 06
Non-root users and permissions
Run application processes as a dedicated non-root user and make file ownership match the runtime user (for example with COPY --chown) rather than widening permissions.
Tags: security, user, permissions
- 07
ARG, ENV, and secrets
Keep build-time arguments, runtime environment variables, and secrets apart: ARG and ENV values persist in image metadata and history, so sensitive values belong in build secrets or runtime injection, never in the image.
Tags: secrets, env, arg
- 08
ENTRYPOINT, CMD, and signals
Use exec-form ENTRYPOINT and CMD, and keep any startup wrapper signal-safe, so the application is PID 1 (or is exec'd by it), receives SIGTERM, and stops gracefully instead of being killed after the stop timeout.
Tags: entrypoint, cmd, signals
- 09
Healthchecks and runtime config
Describe runtime health and configuration explicitly, with HEALTHCHECK and documented environment variables, so operators can tell whether the container is ready and healthy.
Tags: healthcheck, runtime, operations
- 10
Compose services, volumes, and networks
Use Compose to define service boundaries, persistent volumes, and internal networks without overexposing host ports or state.
Tags: compose, volumes, networks
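One Dockerfile that applies lessons 01 through 09 above in a single build, as an added example that is not part of this track's own material. The Python service, the gunicorn entry point, the /healthz route, and the private package index reached through a netrc build secret are assumptions; lesson 10's Compose side is not covered here. A matching .dockerignore (at least .git, .env, __pycache__, and tests/) is assumed to keep those paths out of the build context.

```dockerfile
# syntax=docker/dockerfile:1
# Hypothetical Python web service; image names, paths, and the /healthz route are assumptions.
# Assumed .dockerignore alongside this file: .git  .env  **/__pycache__  tests/

# --- Build stage: tooling lives here and never reaches the runtime image ---
# Pin an exact tag; for rebuild-proof pinning append the registry digest
# (python:3.12-slim-bookworm@sha256:...) resolved from your registry, not copied from a tutorial.
FROM python:3.12-slim-bookworm AS builder

# Build-time only. ARG values do not become ENV in the final stage, but they are
# visible in `docker history`, so never pass secrets this way.
ARG APP_VERSION=dev

WORKDIR /build

# Dependency manifest first: this layer is reused until requirements.txt changes.
COPY requirements.txt ./

# Private-index credentials arrive as a BuildKit secret mounted as a file for this
# RUN only; nothing is written to a layer. Build with:
#   docker build --secret id=netrc,src=$HOME/.netrc -t app:$(git rev-parse --short HEAD) .
# If no private index is used, omit --secret; the mount is skipped and pip uses PyPI.
RUN --mount=type=secret,id=netrc,target=/root/.netrc \
    python -m venv /opt/venv \
    && /opt/venv/bin/pip install --no-cache-dir -r requirements.txt

# Source last: edits here invalidate only this layer, not the dependency layer above.
COPY src/ ./src/

# --- Runtime stage: only the virtualenv and the application ---
FROM python:3.12-slim-bookworm

# Runtime, non-secret configuration only; operators override with `docker run -e`.
# Secrets are injected at run time (--env-file, Compose secrets, a secret store), never via ENV.
ENV PYTHONDONTWRITEBYTECODE=1 \
    PYTHONUNBUFFERED=1 \
    PATH="/opt/venv/bin:$PATH" \
    GUNICORN_CMD_ARGS="--workers 2 --log-level info"

# Dedicated unprivileged user; ownership is set at COPY time instead of a slow chown -R.
RUN groupadd --system app \
    && useradd --system --gid app --create-home --home-dir /app app

WORKDIR /app
COPY --from=builder --chown=app:app /opt/venv /opt/venv
COPY --from=builder --chown=app:app /build/src ./src

USER app
EXPOSE 8000

# Exec form: python is PID 1 and receives SIGTERM directly, so gunicorn can drain
# connections instead of being SIGKILLed when the stop timeout expires.
ENTRYPOINT ["python", "-m", "gunicorn"]
CMD ["--bind", "0.0.0.0:8000", "--chdir", "src", "app:app"]

# Liveness probe without curl in the image: any exception (connection refused,
# HTTP error) makes the one-liner exit non-zero and the check fail.
HEALTHCHECK --interval=30s --timeout=3s --start-period=15s --retries=3 \
    CMD ["python", "-c", "import urllib.request as u; u.urlopen('http://127.0.0.1:8000/healthz', timeout=2)"]
```

After building, `docker history <image>` should show no credential in any layer command, `docker inspect --format '{{.Config.User}}' <image>` should print `app`, and `time docker stop <container>` should return well under the default 10 s stop timeout, which confirms SIGTERM reached the process. Edit a file under src/ and rebuild: only the COPY of the source and the layers after it should rerun, which is the cache behaviour lesson 03 describes.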