Docker Optimizer
Analyzes and optimizes Dockerfiles for performance, security, and best practices.
When to Use
- User working with Docker or containers
- Dockerfile optimization needed
- Container image too large
- User mentions "Docker", "container", "image size", or "deployment"
Instructions
1. Find Dockerfiles
Search for: Dockerfile, Dockerfile.*, *.dockerfile
2. Check Best Practices
Use specific base image versions:
# Bad
FROM node:latest
# Good
FROM node:18-alpine
Minimize layers:
# Bad
RUN apt-get update
RUN apt-get install -y curl
RUN apt-get install -y git
# Good
RUN apt-get update && \
apt-get install -y curl git && \
rm -rf /var/lib/apt/lists/*
Order instructions by change frequency:
# Dependencies change less than code
COPY package*.json ./
RUN npm install
COPY . .
Use .dockerignore:
node_modules
.git
.env
*.md
3. Multi-Stage Builds
Reduce final image size:
# Build stage
FROM node:18 AS build
WORKDIR /app
COPY package*.json ./
RUN npm install
COPY . .
RUN npm run build
# Production stage
FROM node:18-alpine
WORKDIR /app
COPY --from=build /app/dist ./dist
COPY --from=build /app/node_modules ./node_modules
CMD ["node", "dist/index.js"]
4. Security Issues
Don't run as root:
RUN addgroup -S appgroup && adduser -S appuser -G appgroup
USER appuser
No secrets in image:
# Bad: Hardcoded secret
ENV API_KEY=secret123
# Good: Use build args or runtime env
ARG BUILD_ENV
ENV NODE_ENV=${BUILD_ENV}
Scan for vulnerabilities:
docker scan image:tag
trivy image image:tag
5. Size Optimization
Use Alpine images:
node:18-alpinevsnode:18(900MB → 170MB)python:3.11-alpinevspython:3.11(900MB → 50MB)
Remove unnecessary files:
RUN npm install --production && \
npm cache clean --force
Use specific COPY:
# Bad: Copies everything
COPY . .
# Good: Copy only what's needed
COPY package*.json ./
COPY src ./src
6. Caching Strategy
Layer caching optimization:
# Install dependencies first (cached if package.json unchanged)
COPY package*.json ./
RUN npm install
# Copy source (changes more frequently)
COPY . .
RUN npm run build
7. Health Checks
HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
CMD node healthcheck.js
8. Generate Optimized Dockerfile
Provide improved version with:
- Multi-stage build
- Appropriate base image
- Security improvements
- Layer optimization
- Build caching
- .dockerignore file
9. Build Commands
Efficient build:
# Use BuildKit
DOCKER_BUILDKIT=1 docker build -t app:latest .
# Build with cache from registry
docker build --cache-from myregistry/app:latest -t app:latest .
10. Dockerfile Checklist
- [ ] Specific base image tag (not
latest) - [ ] Multi-stage build if applicable
- [ ] Non-root user
- [ ] Minimal layers (combined RUN commands)
- [ ] .dockerignore present
- [ ] No secrets in image
- [ ] Proper layer ordering for caching
- [ ] Alpine or slim variant used
- [ ] Cleanup in same RUN layer
- [ ] HEALTHCHECK defined
Security Best Practices
- Scan images regularly
- Use official base images
- Keep base images updated
- Minimize attack surface (fewer packages)
- Run as non-root user
- Use read-only filesystem where possible
Supporting Files
templates/Dockerfile.optimized: Optimized multi-stage Dockerfile exampletemplates/.dockerignore: Common .dockerignore patterns