/configure:dockerfile Skill

/configure:dockerfile

Check and configure Dockerfile against project standards with emphasis on minimal images, non-root users, and multi-stage builds.

When to Use This Skill

| Use this skill when... | Use another approach when... | |------------------------|------------------------------| | Checking Dockerfile compliance with standards | Just viewing Dockerfile (use Read tool) | | Creating Dockerfile from template | Dockerfile already follows all standards | | Validating image size, security, multi-stage builds | Need container runtime config (use /configure:container) | | Setting up minimal Alpine/slim-based images | Project uses specialized base images (custom requirements) | | Ensuring non-root user configuration | Debugging container issues (check logs, inspect runtime) |

Context

Dockerfiles: !find . -maxdepth 1 \( -name 'Dockerfile' -o -name 'Dockerfile.*' -o -name '*.Dockerfile' \)
Dockerignore: !find . -maxdepth 1 -name \'.dockerignore\'
Project type: !find . -maxdepth 1 \( -name 'package.json' -o -name 'pyproject.toml' -o -name 'Cargo.toml' -o -name 'go.mod' \) -print -quit
Base images: !grep -hm5 '^FROM' Dockerfile Dockerfile.* *.Dockerfile

Parameters

Parse from command arguments:

--check-only: Report compliance status without modifications
--fix: Apply fixes automatically without prompting
--type <type>: Override project type detection (frontend, python, go, rust)

Execution

Execute this Dockerfile compliance check:

Step 1: Detect project type and Dockerfiles

Find Dockerfile(s) in project root
Detect project type from context (package.json, pyproject.toml, go.mod, Cargo.toml)
Parse Dockerfile to analyze current configuration
Apply --type override if provided

Step 2: Verify latest base image versions

Before flagging outdated base images, use WebSearch or WebFetch to verify latest versions:

Node.js Alpine: Check Docker Hub for latest LTS Alpine tags
Python slim: Check Docker Hub for latest slim tags
nginx Alpine: Check Docker Hub for latest Alpine tags
Go Alpine: Check Docker Hub for latest Alpine tags
Rust Alpine: Check Docker Hub for latest Alpine tags

Step 3: Analyze compliance

Check the Dockerfile against these standards:

Frontend (Node.js) Standards:

| Check | Standard | Severity | |-------|----------|----------| | Build base | node:22-alpine (LTS) | WARN if other | | Runtime base | nginx:1.27-alpine | WARN if other | | Multi-stage | Required | FAIL if missing | | HEALTHCHECK | Required | FAIL if missing | | Non-root user | Required | FAIL if missing | | Build caching | --mount=type=cache recommended | INFO | | OCI Labels | Required for GHCR integration | WARN if missing |

Python Service Standards:

| Check | Standard | Severity | |-------|----------|----------| | Base image | python:3.12-slim | WARN if other | | Multi-stage | Required for production | FAIL if missing | | HEALTHCHECK | Required | FAIL if missing | | Non-root user | Required | FAIL if missing | | OCI Labels | Required for GHCR integration | WARN if missing |

OCI Container Labels:

| Label | Purpose | Severity | |-------|---------|----------| | org.opencontainers.image.source | Links to repository | WARN if missing | | org.opencontainers.image.description | Package description | WARN if missing | | org.opencontainers.image.licenses | SPDX license identifier | WARN if missing | | org.opencontainers.image.version | Semantic version (via ARG) | INFO if missing | | org.opencontainers.image.revision | Git commit SHA (via ARG) | INFO if missing |

Step 4: Report results

Print a compliance report:

Dockerfile Compliance Report
================================
Project Type: <type> (detected)
Dockerfile: ./Dockerfile (found)

Configuration Checks:
  Build base      <image>           [PASS|WARN]
  Runtime base    <image>           [PASS|WARN]
  Multi-stage     <N> stages        [PASS|FAIL]
  HEALTHCHECK     <present|missing> [PASS|FAIL]
  Non-root user   <present|missing> [PASS|FAIL]
  Build caching   <enabled|missing> [PASS|INFO]

OCI Labels Checks:
  image.source       <present|missing> [PASS|WARN]
  image.description  <present|missing> [PASS|WARN]
  image.licenses     <present|missing> [PASS|WARN]

Recommendations:
  <list specific fixes needed>

If --check-only, stop here.

Step 5: Apply fixes (if requested)

If --fix flag is set or user confirms:

Missing Dockerfile: Create from standard template (see Standard Templates below)
Missing HEALTHCHECK: Add standard healthcheck
Missing multi-stage: Suggest restructure (manual fix needed)
Outdated base images: Update FROM lines
Missing OCI labels: Add LABEL instructions

Step 6: Update standards tracking

Update .project-standards.yaml:

components:
  dockerfile: "2025.1"

Standard Templates

Frontend (Node/Vite/nginx)

FROM node:22-alpine AS build

ARG SENTRY_AUTH_TOKEN
ARG VITE_SENTRY_DSN

WORKDIR /app

COPY package*.json ./
RUN --mount=type=cache,target=/root/.npm npm ci

COPY . .
RUN --mount=type=cache,target=/root/.npm \
    --mount=type=cache,target=/app/node_modules/.vite \
    npm run build

FROM nginx:1.27-alpine

# OCI labels for GHCR integration
LABEL org.opencontainers.image.source="https://github.com/OWNER/REPO" \
      org.opencontainers.image.description="Production frontend application" \
      org.opencontainers.image.licenses="MIT" \
      org.opencontainers.image.vendor="Your Organization"

# Dynamic labels via build args
ARG VERSION=dev
ARG BUILD_DATE
ARG VCS_REF
LABEL org.opencontainers.image.version="${VERSION}" \
      org.opencontainers.image.created="${BUILD_DATE}" \
      org.opencontainers.image.revision="${VCS_REF}"

COPY --from=build /app/dist /usr/share/nginx/html
COPY nginx/default.conf.template /etc/nginx/templates/

EXPOSE 80

HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
  CMD wget --no-verbose --tries=1 --spider http://localhost/health || exit 1

Python Service

FROM python:3.12-slim AS builder

WORKDIR /app
COPY pyproject.toml uv.lock ./
RUN pip install uv && uv sync --frozen --no-dev

FROM python:3.12-slim

# OCI labels for GHCR integration
LABEL org.opencontainers.image.source="https://github.com/OWNER/REPO" \
      org.opencontainers.image.description="Production Python API server" \
      org.opencontainers.image.licenses="MIT" \
      org.opencontainers.image.vendor="Your Organization"

ARG VERSION=dev
ARG BUILD_DATE
ARG VCS_REF
LABEL org.opencontainers.image.version="${VERSION}" \
      org.opencontainers.image.created="${BUILD_DATE}" \
      org.opencontainers.image.revision="${VCS_REF}"

RUN useradd --create-home appuser
USER appuser
WORKDIR /app

COPY --from=builder /app/.venv /app/.venv
COPY --chown=appuser:appuser . .

ENV PATH="/app/.venv/bin:$PATH"
EXPOSE 8000

HEALTHCHECK --interval=30s --timeout=3s --start-period=10s --retries=3 \
  CMD curl -f http://localhost:8000/health || exit 1

CMD ["uvicorn", "app.main:app", "--host", "0.0.0.0", "--port", "8000"]

Agentic Optimizations

| Context | Command | |---------|---------| | Check Dockerfile exists | find . -maxdepth 1 \( -name 'Dockerfile' -o -name 'Dockerfile.*' \) 2>/dev/null | | Validate multi-stage build | grep -c '^FROM' Dockerfile 2>/dev/null | | Check for non-root user | grep -E '^USER [^root]' Dockerfile 2>/dev/null | | Check base image | grep '^FROM' Dockerfile \| head -1 | | Quick compliance check | /configure:dockerfile --check-only | | Auto-fix issues | /configure:dockerfile --fix |

Flags

| Flag | Description | |------|-------------| | --check-only | Report status without offering fixes | | --fix | Apply fixes automatically | | --type <type> | Override project type (frontend, python) |

Notes

Node 22 is current LTS (recommended over 24)
nginx:1.27-alpine preferred over debian variant
HEALTHCHECK is critical for Kubernetes liveness probes
Build caching significantly improves CI/CD speed
Non-root user is mandatory for production containers

Agent Skills: /configure:dockerfile

Install this agent skill to your local

Skill Files