configure-dockerfile

Installs: 51
Rank: #14394

Install

npx skills add https://github.com/laurigates/claude-plugins --skill configure-dockerfile
/configure:dockerfile
Check and configure Dockerfile against project standards with emphasis on minimal images, non-root users, and multi-stage builds.
When to Use This Skill
| Use this skill when... | Use another approach when... |
| --- | --- |
| Checking Dockerfile compliance with standards | Just viewing Dockerfile (use Read tool) |
| Creating Dockerfile from template | Dockerfile already follows all standards |
| Validating image size, security, multi-stage builds | Need container runtime config (use `/configure:container`) |
| Setting up minimal Alpine/slim-based images | Project uses specialized base images (custom requirements) |
| Ensuring non-root user configuration | Debugging container issues (check logs, inspect runtime) |
Context
- Dockerfiles: !`find . -maxdepth 1 \( -name 'Dockerfile' -o -name 'Dockerfile.*' -o -name '*.Dockerfile' \)`
- Dockerignore: !`find . -maxdepth 1 -name '.dockerignore'`
- Project type: !`find . -maxdepth 1 \( -name 'package.json' -o -name 'pyproject.toml' -o -name 'Cargo.toml' -o -name 'go.mod' \) -print -quit`
- Base images: !`grep -hm5 '^FROM' Dockerfile Dockerfile.* *.Dockerfile`
Parameters
Parse from command arguments:
- `--check-only`: Report compliance status without modifications
- `--fix`: Apply fixes automatically without prompting
- `--type`: Override project type detection (frontend, python, go, rust)
Execution
Execute this Dockerfile compliance check:
Step 1: Detect project type and Dockerfiles
1. Find Dockerfile(s) in project root
2. Detect project type from context (package.json, pyproject.toml, go.mod, Cargo.toml)
3. Parse Dockerfile to analyze current configuration
4. Apply `--type` override if provided
Step 2: Verify latest base image versions
Before flagging outdated base images, use WebSearch or WebFetch to verify latest versions:
- Node.js Alpine: Check Docker Hub for latest LTS Alpine tags
- Python slim: Check Docker Hub for latest slim tags
- nginx Alpine: Check Docker Hub for latest Alpine tags
- Go Alpine: Check Docker Hub for latest Alpine tags
- Rust Alpine: Check Docker Hub for latest Alpine tags
Step 3: Analyze compliance
Check the Dockerfile against these standards:
Frontend (Node.js) Standards:
| Check | Standard | Severity |
| --- | --- | --- |
| Build base | `node:22-alpine` (LTS) | WARN if other |
| Runtime base | `nginx:1.27-alpine` | WARN if other |
| Multi-stage | Required | FAIL if missing |
| HEALTHCHECK | Required | FAIL if missing |
| Non-root user | Required | FAIL if missing |
| Build caching | `--mount=type=cache` recommended | INFO |
| OCI Labels | Required for GHCR integration | WARN if missing |
Python Service Standards:
| Check | Standard | Severity |
| --- | --- | --- |
| Base image | `python:3.12-slim` | WARN if other |
| Multi-stage | Required for production | FAIL if missing |
| HEALTHCHECK | Required | FAIL if missing |
| Non-root user | Required | FAIL if missing |
| OCI Labels | Required for GHCR integration | WARN if missing |
OCI Container Labels:
| Label | Purpose | Severity |
| --- | --- | --- |
| `org.opencontainers.image.source` | Links to repository | WARN if missing |
| `org.opencontainers.image.description` | Package description | WARN if missing |
| `org.opencontainers.image.licenses` | SPDX license identifier | WARN if missing |
| `org.opencontainers.image.version` | Semantic version (via ARG) | INFO if missing |
| `org.opencontainers.image.revision` | Git commit SHA (via ARG) | INFO if missing |
Step 4: Report results
Print a compliance report:
```
Dockerfile Compliance Report
================================
Project Type: (detected)
Dockerfile: ./Dockerfile (found)

Configuration Checks:
  Build base          [PASS|WARN]
  Runtime base        [PASS|WARN]
  Multi-stage stages  [PASS|FAIL]
  HEALTHCHECK         [PASS|FAIL]
  Non-root user       [PASS|FAIL]
  Build caching       [PASS|INFO]

OCI Labels Checks:
  image.source        [PASS|WARN]
  image.description   [PASS|WARN]
  image.licenses      [PASS|WARN]

Recommendations:
```
If `--check-only`, stop here.
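A minimal checker for the stage-independent rows of the Step 3 tables, added here as an illustration and not taken from the plugin; `instructions`, `check` and `SAMPLE` are hypothetical names, and it assumes `key=value` LABEL syntax and no heredocs. It judges only the final stage and its last `USER`, so `USER 0`, `USER root:root` and `HEALTHCHECK NONE` are reported as failures.

```python
import re

PREFIX = "org.opencontainers.image."
REQUIRED_LABELS = ("source", "description", "licenses")  # WARN rows of the OCI table

def instructions(text):
    """Yield (KEYWORD, args) pairs; comment lines dropped, continuations joined."""
    text = re.sub(r"(?m)^[ \t]*#.*\n?", "", text)
    text = re.sub(r"\\[ \t]*\n", " ", text)
    for line in text.splitlines():
        keyword, _, args = line.strip().partition(" ")
        if keyword:
            yield keyword.upper(), args.strip()

def check(text):
    """Return {check: PASS|WARN|FAIL} for the checks both standards tables share."""
    stage_count, final = 0, []
    for keyword, args in instructions(text):
        if keyword == "FROM":
            stage_count, final = stage_count + 1, []  # only the last stage ships
        final.append((keyword, args))
    users = [a.split()[0] for k, a in final if k == "USER" and a]
    # The last USER wins; "root", "0" and "0:<group>" all mean root.
    non_root = bool(users) and users[-1].split(":")[0] not in ("root", "0")
    health = any(k == "HEALTHCHECK" and not a.upper().startswith("NONE") for k, a in final)
    labels = " ".join(a for k, a in final if k == "LABEL")
    result = {
        "Multi-stage": "PASS" if stage_count >= 2 else "FAIL",
        "HEALTHCHECK": "PASS" if health else "FAIL",
        "Non-root user": "PASS" if non_root else "FAIL",
    }
    for name in REQUIRED_LABELS:
        found = re.search(re.escape(PREFIX + name) + r'"?\s*=', labels)
        result["image." + name] = "PASS" if found else "WARN"
    return result

# Constructed sample: USER is set only in the builder stage; the final stage runs as UID 0.
SAMPLE = """\
FROM python:3.12-slim AS builder
USER appuser
FROM python:3.12-slim
LABEL org.opencontainers.image.source="https://github.com/OWNER/REPO" \\
      org.opencontainers.image.description="Constructed sample"
USER 0
HEALTHCHECK NONE
"""

if __name__ == "__main__":
    print("\n".join(f"{k:18} [{v}]" for k, v in check(SAMPLE).items()))
```
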
Step 5: Apply fixes (if requested)
If the `--fix` flag is set or the user confirms:
- Missing Dockerfile: Create from standard template (see Standard Templates below)
- Missing HEALTHCHECK: Add standard healthcheck
- Missing multi-stage: Suggest restructure (manual fix needed)
- Outdated base images: Update FROM lines
- Missing OCI labels: Add LABEL instructions

Step 6: Update standards tracking
Update `.project-standards.yaml`:

```yaml
components:
  dockerfile: "2025.1"
```

Standard Templates

Frontend (Node/Vite/nginx)

```dockerfile
FROM node:22-alpine AS build

# Build args are recorded in this stage's metadata and build cache;
# a BuildKit secret mount (RUN --mount=type=secret) keeps the token out of both.
ARG SENTRY_AUTH_TOKEN
ARG VITE_SENTRY_DSN

WORKDIR /app
COPY package*.json ./
RUN --mount=type=cache,target=/root/.npm npm ci

COPY . .
RUN --mount=type=cache,target=/root/.npm \
    --mount=type=cache,target=/app/node_modules/.vite \
    npm run build

FROM nginx:1.27-alpine

# OCI labels for GHCR integration
LABEL org.opencontainers.image.source="https://github.com/OWNER/REPO" \
      org.opencontainers.image.description="Production frontend application" \
      org.opencontainers.image.licenses="MIT" \
      org.opencontainers.image.vendor="Your Organization"

# Dynamic labels via build args
ARG VERSION=dev
ARG BUILD_DATE
ARG VCS_REF
LABEL org.opencontainers.image.version="${VERSION}" \
      org.opencontainers.image.created="${BUILD_DATE}" \
      org.opencontainers.image.revision="${VCS_REF}"

COPY --from=build /app/dist /usr/share/nginx/html
COPY nginx/default.conf.template /etc/nginx/templates/

# No USER instruction in this stage: the official nginx image starts its
# master process as root, so as written it does not meet the non-root check.
EXPOSE 80

HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
    CMD wget --no-verbose --tries=1 --spider http://localhost/health || exit 1
```

Python Service

```dockerfile
FROM python:3.12-slim AS builder

WORKDIR /app
COPY pyproject.toml uv.lock ./
RUN pip install uv && uv sync --frozen --no-dev

FROM python:3.12-slim

# OCI labels for GHCR integration
LABEL org.opencontainers.image.source="https://github.com/OWNER/REPO" \
      org.opencontainers.image.description="Production Python API server" \
      org.opencontainers.image.licenses="MIT" \
      org.opencontainers.image.vendor="Your Organization"

ARG VERSION=dev
ARG BUILD_DATE
ARG VCS_REF
LABEL org.opencontainers.image.version="${VERSION}" \
      org.opencontainers.image.created="${BUILD_DATE}" \
      org.opencontainers.image.revision="${VCS_REF}"

RUN useradd --create-home appuser
USER appuser
WORKDIR /app

COPY --from=builder /app/.venv /app/.venv
COPY --chown=appuser:appuser . .

ENV PATH="/app/.venv/bin:$PATH"
EXPOSE 8000

# python:3.12-slim ships without curl, so the probe uses the interpreter;
# urlopen raises on HTTP error statuses, matching the behaviour of curl -f.
HEALTHCHECK --interval=30s --timeout=3s --start-period=10s --retries=3 \
    CMD python -c "import urllib.request; urllib.request.urlopen('http://localhost:8000/health', timeout=2)" || exit 1

CMD ["uvicorn", "app.main:app", "--host", "0.0.0.0", "--port", "8000"]
```

Agentic Optimizations

Context and command:
- Check Dockerfile exists: `find . -maxdepth 1 \( -name 'Dockerfile' -o -name 'Dockerfile.*' \) 2>/dev/null`
- Validate multi-stage build: `grep -c '^FROM' Dockerfile 2>/dev/null`
- Check for non-root user: `grep -E '^USER ' Dockerfile 2>/dev/null | tail -n 1 | grep -Ev '^USER +(root|0)(:|[[:space:]]|$)'`
- Check base image: `grep '^FROM' Dockerfile | head -1`
- Quick compliance check: `/configure:dockerfile --check-only`
- Auto-fix issues: `/configure:dockerfile --fix`

Flags

| Flag | Description |
| --- | --- |
| `--check-only` | Report status without offering fixes |
| `--fix` | Apply fixes automatically |
| `--type` | Override project type (frontend, python) |

Notes
- Node 22 is current LTS (recommended over 24)
- nginx:1.27-alpine preferred over debian variant
- HEALTHCHECK is critical for Kubernetes liveness probes
- Build caching significantly improves CI/CD speed
- Non-root user is mandatory for production containers

See Also
- `/configure:container` - Comprehensive container infrastructure
- `/configure:skaffold` - Kubernetes development configuration
- `/configure:all` - Run all compliance checks
- container-development skill - Container best practices
