Docker Best Practices

Name: Docker Best Practices
Author: josiahsiegel

josiahsiegel/claude-plugin-marketplace

Author lean, secure, production-ready Docker images and local Compose stacks with caching, health checks, and non-root defaults.

Overview

Docker Best Practices is an agent skill most often used in Ship (also Build backend, Operate infra) that guides solo builders through production Dockerfiles, image slimming, health checks, and Compose-based local stacks.

Install

npx skills add https://github.com/josiahsiegel/claude-plugin-marketplace --skill docker-best-practices

What is this skill?

Proactive coverage for 10 Dockerfile scenarios: multi-stage builds, base image choice, caching, HEALTHCHECK, secrets, an
Language-oriented Dockerfile templates plus image-size optimization checklist
.dockerignore template and ENV vs ARG guidance for reproducible builds
Non-root user, graceful shutdown, and digest/tag pinning patterns for production
Windows-specific path rule: backslashes for Edit/Write `file_path` on Windows hosts
10 proactive Dockerfile and deployment scenarios listed in skill description

Compatible agents: Claude Code, Cursor, Codex, Windsurf

Adoption & trust: 731 installs on skills.sh; 42 GitHub stars; 2/3 security scanners passed (skills.sh audits).

What problem does it solve?

Your container images are bloated, cached poorly, run as root, and lack health checks or pinned digests for reliable deploys.

Who is it for?

Indie hackers dockerizing APIs, workers, or full-stack apps before Fly, Railway, ECS, or Kubernetes without reinventing hardening checklists.

Skip if: Pure local scripting with no containers, or teams that already enforce an org-wide golden Dockerfile enforced by CI policy.

When should I use this skill?

Writing production Dockerfiles, optimizing image size, configuring HEALTHCHECK/Compose, or selecting hardened base images.

What do I get? / Deliverables

You get production-oriented Dockerfile and Compose snippets with caching order, .dockerignore hygiene, non-root runtime, and HEALTHCHECK patterns ready for CI and hosting.

Production-oriented Dockerfile
.dockerignore file
Compose dev stack definition

Recommended Skills

Azure Kubernetesmicrosoft/azure-skills

Azure Kubernetes skill supplies fix patterns for AKS Automatic compatibility—adding resource requests, dropping capabili…204k installs·1.2k stars

Github Actions Docsxixu-me/skills

github-actions-docs is a research-oriented agent skill that stops generic CI/CD guesses when the user’s question is real…187k installs·61 stars

Deploy To Vercelvercel-labs/agent-skills

Deploy to Vercel is an agent skill from Vercel Labs that walks solo builders through shipping a project to Vercel with d…67.1k installs·27.7k stars

Vercel Cli With Tokensvercel-labs/agent-skills

Vercel CLI with Tokens is a Vercel Labs agent skill that teaches coding agents how to deploy and manage projects when in…47.2k installs·27.7k stars

Turborepovercel/turborepo

Turborepo Skill is procedural guidance for Vercel’s Turborepo build system on JavaScript and TypeScript monorepos. It ta…36k installs·30.5k stars

Docker Expertsickn33/antigravity-awesome-skills

Docker Expert is an agent skill that acts as a hands-on containerization consultant for solo and indie builders shipping…18.7k installs·40.1k stars

Journey fit

Spans multiple journey phases - primary shelf plus alternate fits below.

Primary fit

Production image hardening and deploy hygiene are canonical Ship work even though Dockerfiles are often written earlier during Build. Launch prep covers repeatable container artifacts, tag pinning, and Compose dev stacks you ship beside the app.

Also useful

BuildBackend, data & payments

Also useful

OperateInfrastructure & cost

Where it fits

Example use

BuildBackend, data & payments

Scaffold a multi-stage Node Dockerfile while implementing the API service for the first time.

Example use

ShipCI/CD & deploy

Add HEALTHCHECK, non-root USER, and digest pinning before pushing images to production registry.

Example use

ShipSecurity

Audit ENV vs ARG usage and secret handling so build-time credentials never land in final layers.

Example use

OperateInfrastructure & cost

Tighten Compose for local repro and align shutdown signals with orchestrator expectations.

How it compares

Use instead of generic “Docker 101” chat answers when you need multi-stage slim images and production shutdown/health patterns in one workflow.

Common Questions / FAQ

Who is docker-best-practices for?

Solo and small-team builders shipping containerized backends, CLIs-as-services, or full-stack apps who own Dockerfile quality end to end.

When should I use docker-best-practices?

In Build when first containerizing; in Ship launch prep for multi-stage and HEALTHCHECK hardening; in Operate infra when revisiting tag pinning and Compose dev parity.

Is docker-best-practices safe to install?

Check the Security Audits panel on this Prism page and review the plugin source; the skill may instruct file edits and shell/docker commands in your repo.

SKILL.md

READMESKILL.md - Docker Best Practices

## 🚨 CRITICAL GUIDELINES

### Windows File Path Requirements

**MANDATORY: Always Use Backslashes on Windows for File Paths**

When using Edit or Write tools on Windows, you MUST use backslashes (`\`) in file paths, NOT forward slashes (`/`).

**Examples:**
- ❌ WRONG: `D:/repos/project/file.tsx`
- ✅ CORRECT: `D:\repos\project\file.tsx`

This applies to:
- Edit tool file_path parameter
- Write tool file_path parameter
- All file operations on Windows systems


### Documentation Guidelines

**NEVER create new documentation files unless explicitly requested by the user.**

- **Priority**: Update existing README.md files rather than creating new documentation
- **Repository cleanliness**: Keep repository root clean - only README.md unless user requests otherwise
- **Style**: Documentation should be concise, direct, and professional - avoid AI-generated tone
- **User preference**: Only create additional .md files when user specifically asks for documentation


---

# Docker Best Practices

This skill provides current Docker best practices across all aspects of container development, deployment, and operation.

## Image Best Practices

### Base Image Selection

**2025 Recommended Hierarchy:**
1. **Wolfi/Chainguard** (`cgr.dev/chainguard/*`) - Zero-CVE goal, SBOM included
2. **Alpine** (`alpine:3.19`) - ~7MB, minimal attack surface
3. **Distroless** (`gcr.io/distroless/*`) - ~2MB, no shell
4. **Slim variants** (`node:20-slim`) - ~70MB, balanced

**Key rules:**
- Always specify exact version tags: `node:20.11.0-alpine3.19`
- Never use `latest` (unpredictable, breaks reproducibility)
- Use official images from trusted registries
- Match base image to actual needs

### Dockerfile Structure

**Optimal layer ordering** (least to most frequently changing):
```dockerfile
1. Base image and system dependencies
2. Application dependencies (package.json, requirements.txt, etc.)
3. Application code
4. Configuration and metadata
```

**Rationale:** Docker caches layers. If code changes but dependencies don't, cached dependency layers are reused, speeding up builds.

**Example:**
```dockerfile
FROM python:3.12-slim

# 1. System packages (rarely change)
RUN apt-get update && apt-get install -y --no-install-recommends \
    gcc \
    && rm -rf /var/lib/apt/lists/*

# 2. Dependencies (change occasionally)
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt

# 3. Application code (changes frequently)
COPY . /app
WORKDIR /app

CMD ["python", "app.py"]
```

### Multi-Stage Builds

Use multi-stage builds to separate build dependencies from runtime:

```dockerfile
# Build stage
FROM node:20-alpine AS builder
WORKDIR /app
COPY package*.json ./
RUN npm ci
COPY . .
RUN npm run build

# Production stage
FROM node:20-alpine AS runtime
WORKDIR /app
# Only copy what's needed for runtime
COPY --from=builder /app/dist ./dist
COPY --from=builder /app/node_modules ./node_modules
USER node
CMD ["node", "dist/server.js"]
```

**Benefits:**
- Smaller final images (no build tools)
- Better security (fewer attack vectors)
- Faster deployment (smaller upload/download)

### Layer Optimization

**Combine commands** to reduce layers and image size:

```dockerfile
# Bad - 3 layers, cleanup doesn't reduce size
RUN apt-get update
RUN

What is this skill?

Proactive coverage for 10 Dockerfile scenarios: multi-stage builds, base image choice, caching, HEALTHCHECK, secrets, an

Language-oriented Dockerfile templates plus image-size optimization checklist

.dockerignore template and ENV vs ARG guidance for reproducible builds

Non-root user, graceful shutdown, and digest/tag pinning patterns for production

Windows-specific path rule: backslashes for Edit/Write `file_path` on Windows hosts

10 proactive Dockerfile and deployment scenarios listed in skill description

Compatible agents: Claude Code, Cursor, Codex, Windsurf

Adoption & trust: 731 installs on skills.sh; 42 GitHub stars; 2/3 security scanners passed (skills.sh audits).

Journey fit

Spans multiple journey phases - primary shelf plus alternate fits below.

Primary fit

Also useful

BuildBackend, data & payments

Also useful

OperateInfrastructure & cost

Where it fits

Example use

BuildBackend, data & payments

Scaffold a multi-stage Node Dockerfile while implementing the API service for the first time.

Example use

ShipCI/CD & deploy

Add HEALTHCHECK, non-root USER, and digest pinning before pushing images to production registry.

Example use

ShipSecurity

Audit ENV vs ARG usage and secret handling so build-time credentials never land in final layers.

Example use

OperateInfrastructure & cost

Tighten Compose for local repro and align shutdown signals with orchestrator expectations.

SKILL.md

READMESKILL.md - Docker Best Practices

## 🚨 CRITICAL GUIDELINES

### Windows File Path Requirements

**MANDATORY: Always Use Backslashes on Windows for File Paths**

When using Edit or Write tools on Windows, you MUST use backslashes (`\`) in file paths, NOT forward slashes (`/`).

**Examples:**
- ❌ WRONG: `D:/repos/project/file.tsx`
- ✅ CORRECT: `D:\repos\project\file.tsx`

This applies to:
- Edit tool file_path parameter
- Write tool file_path parameter
- All file operations on Windows systems


### Documentation Guidelines

**NEVER create new documentation files unless explicitly requested by the user.**

- **Priority**: Update existing README.md files rather than creating new documentation
- **Repository cleanliness**: Keep repository root clean - only README.md unless user requests otherwise
- **Style**: Documentation should be concise, direct, and professional - avoid AI-generated tone
- **User preference**: Only create additional .md files when user specifically asks for documentation


---

# Docker Best Practices

This skill provides current Docker best practices across all aspects of container development, deployment, and operation.

## Image Best Practices

### Base Image Selection

**2025 Recommended Hierarchy:**
1. **Wolfi/Chainguard** (`cgr.dev/chainguard/*`) - Zero-CVE goal, SBOM included
2. **Alpine** (`alpine:3.19`) - ~7MB, minimal attack surface
3. **Distroless** (`gcr.io/distroless/*`) - ~2MB, no shell
4. **Slim variants** (`node:20-slim`) - ~70MB, balanced

**Key rules:**
- Always specify exact version tags: `node:20.11.0-alpine3.19`
- Never use `latest` (unpredictable, breaks reproducibility)
- Use official images from trusted registries
- Match base image to actual needs

### Dockerfile Structure

**Optimal layer ordering** (least to most frequently changing):
```dockerfile
1. Base image and system dependencies
2. Application dependencies (package.json, requirements.txt, etc.)
3. Application code
4. Configuration and metadata
```

**Rationale:** Docker caches layers. If code changes but dependencies don't, cached dependency layers are reused, speeding up builds.

**Example:**
```dockerfile
FROM python:3.12-slim

# 1. System packages (rarely change)
RUN apt-get update && apt-get install -y --no-install-recommends \
    gcc \
    && rm -rf /var/lib/apt/lists/*

# 2. Dependencies (change occasionally)
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt

# 3. Application code (changes frequently)
COPY . /app
WORKDIR /app

CMD ["python", "app.py"]
```

### Multi-Stage Builds

Use multi-stage builds to separate build dependencies from runtime:

```dockerfile
# Build stage
FROM node:20-alpine AS builder
WORKDIR /app
COPY package*.json ./
RUN npm ci
COPY . .
RUN npm run build

# Production stage
FROM node:20-alpine AS runtime
WORKDIR /app
# Only copy what's needed for runtime
COPY --from=builder /app/dist ./dist
COPY --from=builder /app/node_modules ./node_modules
USER node
CMD ["node", "dist/server.js"]
```

**Benefits:**
- Smaller final images (no build tools)
- Better security (fewer attack vectors)
- Faster deployment (smaller upload/download)

### Layer Optimization

**Combine commands** to reduce layers and image size:

```dockerfile
# Bad - 3 layers, cleanup doesn't reduce size
RUN apt-get update
RUN

Overview

Install

What is this skill?

What problem does it solve?

Who is it for?

When should I use this skill?

What do I get? / Deliverables

Recommended Skills

Journey fit

Where it fits

Who is docker-best-practices for?

When should I use docker-best-practices?

Is docker-best-practices safe to install?

SKILL.md

This week for builders

Overview

Install

What is this skill?

What problem does it solve?

Who is it for?

When should I use this skill?

What do I get? / Deliverables

Recommended Skills

Journey fit

Where it fits

Who is docker-best-practices for?

When should I use docker-best-practices?

Is docker-best-practices safe to install?

SKILL.md