- Use specific image tags instead of “latest”, so a build is reproducible and a base-image change does not slip in unnoticed between builds
- Combine RUN commands with &&. Every RUN instruction adds a layer, so chaining the commands of one logical step into a single RUN keeps the image smaller (and files deleted in a later RUN would otherwise still sit in an earlier layer)
- Use multi-stage builds. Build toolchains, compilers and dev dependencies stay in the build stage; only the artefacts needed at runtime are copied into the final image
- Don’t run as root. Create a dedicated, unprivileged user for the container process and switch to it before CMD:
# -r creates system accounts (no password, no login shell clutter)
RUN groupadd -r tom && useradd -r -g tom tom
# hand the app directory to that user before dropping privileges
RUN chown -R tom:tom /app
USER tom
# exec form, so node is PID 1 and receives SIGTERM directly instead of via /bin/sh -c
CMD ["node", "index.js"]
- Scan images for vulnerabilities regularly, for example with Docker Scout (docker scout cves IMAGE), and rebuild when the base image ships fixes; a clean scan at build time says nothing about CVEs published afterwards
- Order instructions for the cache. A change to any instruction invalidates that layer and every layer after it, so put rarely changing steps (base image, dependency install) near the top and frequently changing ones (COPY of the source) near the bottom. Copying only package.json first and installing dependencies before copying the rest of the source is the usual way to do this
- Use .dockerignore
.dockerignore
A file in the root of the build context listing files and folders to exclude. Before a build starts the client packs the whole context into a temporary tar archive and sends it to the daemon; ignored paths are left out of that archive, so they cannot end up in an image via COPY or ADD and the upload is smaller. Excluding key material (as below) is a last line of defence, not a secret-handling strategy: secrets should never be copied into an image at all
.git
.cache
*.md
private.key
- Add a HEALTHCHECK instruction to the Dockerfile, so the daemon (and an orchestrator) can tell a running container from a healthy one
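The points above, applied together in one Dockerfile. This is an added example, not code from the original notes: it assumes a hypothetical Node.js service with package.json/package-lock.json, an "npm run build" script that emits dist/index.js, and a /health endpoint on port 3000.

```dockerfile
# --- Stage 1: build ---------------------------------------------------------
# Pin a specific tag, never "latest", so the build is reproducible.
FROM node:20.11-bookworm-slim AS build
WORKDIR /app

# Copy only the dependency manifests first: this layer and the npm ci layer
# below are reused from cache as long as package*.json is unchanged.
COPY package.json package-lock.json ./

# Dev dependencies are needed here (compiler/bundler), but only here.
RUN npm ci

# Source changes most often, so it is copied last in this stage.
COPY . .
# "npm run build" producing dist/ is an assumption of this example.
RUN npm run build

# --- Stage 2: runtime -------------------------------------------------------
FROM node:20.11-bookworm-slim AS runtime
ENV NODE_ENV=production
WORKDIR /app

# One RUN, commands chained with &&, so user setup lands in a single layer.
# -r creates system accounts; nologin shell so the account cannot be used
# interactively if someone lands in the container.
RUN groupadd -r app && useradd -r -g app -s /usr/sbin/nologin app

# Production dependencies only; clean the npm cache in the same layer so the
# cache files are not baked into the image.
COPY package.json package-lock.json ./
RUN npm ci --omit=dev && npm cache clean --force

# Bring in just the build output (not the dev tree) and give it to the app
# user; node_modules stays root-owned, which is fine: the app only reads it.
COPY --from=build --chown=app:app /app/dist ./dist

# Drop root before the process starts.
USER app

EXPOSE 3000

# Slim images usually lack curl/wget, so probe with node itself.
# The /health path and port 3000 are assumptions of this example.
HEALTHCHECK --interval=30s --timeout=3s --start-period=10s --retries=3 \
  CMD node -e "require('http').get('http://127.0.0.1:3000/health', r => process.exit(r.statusCode === 200 ? 0 : 1)).on('error', () => process.exit(1))"

# Exec form: node is PID 1 and receives SIGTERM directly, instead of being
# wrapped by /bin/sh -c and never seeing the signal.
CMD ["node", "dist/index.js"]
```

Build it with "docker build -t myapp:1.0 ." and scan the result with "docker scout cves myapp:1.0" before pushing. Because the manifests are copied before the source, editing index.js only rebuilds the COPY and build layers; the two npm ci layers come from cache.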