From cogni-ai-dev-ops
Write, review, and optimize Dockerfiles applying multi-stage builds, non-root constraints, layer caching, and strict image pinning.
How this skill is triggered (by the user, by Claude, or both)
Slash command: /cogni-ai-dev-ops:dockerfile
The summary Claude sees in its skill listing (used to decide when to auto-load this skill):
Create and maintain highly optimized, secure, and minimal Dockerfiles. Focus on strict deterministic builds, security compliance, and caching efficiency.
Use this skill when:
- Writing a Dockerfile for a new or existing service.
- Reviewing a Dockerfile for security compliance (e.g., non-root users, pinned bases).

Do not use this skill when:
- The task only needs a devcontainer.json without custom Dockerfiles.
- The task is about running or orchestrating containers rather than building images (use the docker or docker-compose skills instead).

Common mistakes this skill prevents:
- Using COPY or ENV to handle build secrets instead of the secure --mount=type=secret directive; both leave the secret in a layer and in the image history, where anyone who can pull the image can read it.
- Switching to USER nonroot but forgetting to chown the files copied from the builder stage, leading to permission denied errors at runtime.
- Placing fast-changing instructions (like COPY . .) before slow, static instructions (like npm install), destroying layer cache efficiency on every code change.

Best practices:
- Use minimal base images (alpine, distroless) with precise version tags or SHA256 pinning.
- Copy dependency manifests (package.json, go.mod) first, install dependencies, then COPY source code to maximize cache hits.
- Chain RUN commands with && and clear package manager caches within the same layer.
- Switch to a non-root USER before ENTRYPOINT or CMD.
- Avoid latest tags to prevent build drift and ensure reproducible environments.
- Use the exec JSON array form for ENTRYPOINT and CMD (e.g., ["node", "app.js"]) instead of shell form, so the application is PID 1 and receives SIGTERM for graceful termination.

Minimal Multi-Stage Pattern:
```dockerfile
# Use specific version and digest for deterministic builds
FROM golang:1.24.0-alpine3.21@sha256:e74d913cc537f546b946e685c84a98598ba93b4de1f762d0c353a4261a1d1052 AS builder
WORKDIR /app
# Manifests first so the module download layer survives source edits
COPY go.mod go.sum ./
RUN go mod download
COPY . .
# Force static build by disabling CGO and stripping symbols
RUN CGO_ENABLED=0 go build -ldflags="-s -w" -o /server .

# Use a digest-pinned nonroot distroless base for maximum security
FROM gcr.io/distroless/static-debian12:nonroot@sha256:e906328329624536768a49c9527ec3c3068e14e1a0b3554e2043697e88457e5e
COPY --from=builder /server /server
USER nonroot:nonroot
EXPOSE 8080
ENTRYPOINT ["/server"]
```
Deterministic Package Installation:
```dockerfile
RUN apt-get update && \
    apt-get install -y --no-install-recommends \
    curl=7.88.1-10+deb12u8 \
    jq=1.6-2.1 && \
    rm -rf /var/lib/apt/lists/*
```
Caveat: Debian mirrors drop a package version once a newer build (typically a security update) supersedes it, so a pinned version eventually fails with a "version not found" error. Treat that failure as a prompt to review and bump the pin rather than removing it, and pin the base image digest alongside it so the two stay consistent.
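The same pattern for a Node.js service, added here as an example that is not part of the original skill. It shows the three common mistakes above handled correctly: manifests copied before the source tree, a BuildKit secret mount in place of COPY or ENV for the private-registry token, and COPY --chown before USER. The entrypoint file server.js, the secret id npmrc, and port 3000 are assumptions; the base-image digest is omitted and should be added in real use.

```dockerfile
# syntax=docker/dockerfile:1
# Added example (not from the cogni-ai-dev-ops skill). In real use pin the base as
# node:22-bookworm-slim@sha256:<digest>; `docker buildx imagetools inspect node:22-bookworm-slim` prints it.
FROM node:22-bookworm-slim AS builder
WORKDIR /app

# Manifests first: this layer, and the npm ci layer below, stay cached until the lockfile changes
COPY package.json package-lock.json ./

# The registry token is mounted from a BuildKit secret for this RUN only; it never lands in a layer.
# npm ci installs exactly what the lockfile records, which keeps the build deterministic.
RUN --mount=type=secret,id=npmrc,target=/root/.npmrc \
    npm ci --omit=dev

# Source last, so a code edit only invalidates this layer and the ones after it
COPY . .

FROM node:22-bookworm-slim
WORKDIR /app
# The official node image ships a "node" user (uid 1000). Fix ownership while copying,
# before USER, so the runtime user can read its own files.
COPY --from=builder --chown=node:node /app /app
USER node
EXPOSE 3000
# Exec form: node is PID 1 and receives SIGTERM directly
ENTRYPOINT ["node", "server.js"]
```

Build with the token supplied from outside the context, for example `docker build --secret id=npmrc,src=$HOME/.npmrc -t app .`; the secret is visible only to the RUN that mounts it and does not appear in `docker history`.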
Discovering Real-World Usage:
Use gh search to surface advanced Dockerfile patterns and community best practices directly from GitHub:
- Multi-stage builds (Dockerfiles using the AS keyword): gh search code "FROM" "AS" --language dockerfile --limit 5 --json repository,path,url
- Highly starred reference repositories: gh search repos "Dockerfile best practices" --sort stars --order desc --limit 5 --json fullName,description,url

Review Checklist:
- Layer bloat: inspect layer sizes with docker history <image> or use dive. Watch for orphaned cache files.
- Cache order: COPY . . is positioned as late as possible. A single modified source file busts the cache for all subsequent steps.
- Ownership: verify WORKDIR, copied artifacts, and runtime directories. Crucial: ownership must be fixed in the final image stage (using COPY --chown, or RUN chown before switching to USER); do not rely on ownership set in a builder stage carrying over to files copied into the final runtime image. Distroless images have no shell, so RUN chown is unavailable there; use COPY --chown, or fix ownership in the builder stage before the copy.
- Root by default: a missing USER directive in a production image.
- Signal handling: shell-form entrypoints such as ENTRYPOINT npm start. Shell form spawns a /bin/sh wrapper as PID 1, breaking signal propagation to the application.
- Leftover toolchain: gcc, make, or similar tools present in the final image.
- Baked-in secrets: credentials passed via ENV or COPY. Use --mount=type=secret during build or inject at runtime.

Install the plugin:
npx claudepluginhub cogni-ai-ou/cogni-ai-agentic-collections --plugin cogni-ai-dev-ops
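A lint pass over a Dockerfile for the review-checklist items above, added here as an example that is not part of the cogni-ai-dev-ops skill. It flags unpinned or floating base images, a missing USER in the final stage, secret-looking ENV/ARG values, shell-form ENTRYPOINT/CMD, and a COPY . . that precedes the dependency install. The two sample Dockerfiles at the bottom are constructed for the demo; the second reuses the multi-stage pattern and digests shown on this page.

```shell
#!/bin/sh
# Added example, not part of the cogni-ai-dev-ops skill: a small lint pass for the
# review-checklist items (pinning, USER, secrets in ENV/ARG, shell-form ENTRYPOINT/CMD,
# COPY . . before the dependency install). The sample Dockerfiles below are constructed.

# check_dockerfile PATH : prints one finding per line; returns 1 if any, 0 if clean.
check_dockerfile() {
  findings=$(awk '
    function strip(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    {
      line = strip($0)
      if (line == "" || line ~ /^#/) next
      split(line, w, "[ \t]+")
      ins = toupper(w[1])

      # Each FROM starts a new stage; USER and COPY . . are tracked per stage
      if (ins == "FROM") {
        saw_user = 0; copied_all = 0
        img = (w[2] ~ /^--/) ? w[3] : w[2]          # skip --platform=...
        n = split(img, parts, "/"); ref = parts[n]   # last path component carries the tag
        if (img !~ /@sha256:/) {
          if (ref !~ /:/ || ref ~ /:latest$/)
            print "line " NR ": FROM " img " is unpinned (floating tag); pin a version tag and a digest"
          else
            print "line " NR ": FROM " img " has a tag but no @sha256 digest"
        }
      }
      if (ins == "USER") saw_user = 1

      # ENV/ARG values are recorded in image history, so secrets there are readable later
      if ((ins == "ENV" || ins == "ARG") && toupper(line) ~ /(TOKEN|SECRET|PASSWORD|PASSWD|API_KEY|PRIVATE_KEY)/)
        print "line " NR ": " ins " looks like a secret; use RUN --mount=type=secret or inject at runtime"

      # Shell form runs the command under /bin/sh -c, so PID 1 is sh and SIGTERM is not forwarded
      if (ins == "ENTRYPOINT" || ins == "CMD") {
        rest = strip(substr(line, length(w[1]) + 1))
        if (rest !~ /^\[/)
          print "line " NR ": " ins " uses shell form (" rest "); use the JSON array form"
      }

      # COPY . . before the install step invalidates the install layer on every source edit
      if ((ins == "COPY" || ins == "ADD") && w[2] == ".") copied_all = NR
      if (ins == "RUN" && copied_all && line ~ /(npm (ci|install)|yarn|pnpm install|pip install|go mod download|bundle install|apt-get install|apk add)/)
        print "line " NR ": dependency install after COPY . . (line " copied_all "); copy manifests first"
    }
    END { if (!saw_user) print "final stage: no USER directive, the container runs as root" }
  ' "$1")
  if [ -n "$findings" ]; then
    printf "%s\n" "$findings"
    return 1
  fi
  return 0
}

# count_findings TEXT : lints a Dockerfile given as a string and prints the number of findings
count_findings() {
  tmp=$(mktemp)
  printf "%s\n" "$1" > "$tmp"
  n=$(check_dockerfile "$tmp" | wc -l | tr -d " ")
  rm -f "$tmp"
  printf "%s\n" "$n"
}

# Constructed sample that violates five checklist items
BAD_DOCKERFILE='FROM node:latest
WORKDIR /app
COPY . .
RUN npm install
ENV NPM_TOKEN=changeme
ENTRYPOINT npm start'

# Constructed sample following the multi-stage pattern on this page (same digests)
GOOD_DOCKERFILE='FROM golang:1.24.0-alpine3.21@sha256:e74d913cc537f546b946e685c84a98598ba93b4de1f762d0c353a4261a1d1052 AS builder
WORKDIR /app
COPY go.mod go.sum ./
RUN go mod download
COPY . .
RUN CGO_ENABLED=0 go build -ldflags="-s -w" -o /server .
FROM gcr.io/distroless/static-debian12:nonroot@sha256:e906328329624536768a49c9527ec3c3068e14e1a0b3554e2043697e88457e5e
COPY --from=builder /server /server
USER nonroot:nonroot
ENTRYPOINT ["/server"]'

# Run directly: show the findings for the bad sample, then the counts for both
tmp=$(mktemp); printf "%s\n" "$BAD_DOCKERFILE" > "$tmp"
check_dockerfile "$tmp" || true
rm -f "$tmp"
echo "bad sample: $(count_findings "$BAD_DOCKERFILE") finding(s), good sample: $(count_findings "$GOOD_DOCKERFILE")"
```

The checks are deliberately line-based and conservative: they catch the patterns the checklist names, not every way of hiding a secret or floating a tag, so treat a clean run as a prerequisite for review rather than a substitute for it. Point check_dockerfile at a real file (for example in a pre-commit hook) and its non-zero exit status blocks the commit.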