docker
Build, run, and secure Docker containers with current best practices. Use for Dockerfile review, multi-stage builds, Compose orchestration, image hardening, and CI/CD integration.
| name | docker |
| description | Build, run, and secure Docker containers with current best practices. Use for Dockerfile review, multi-stage builds, Compose orchestration, image hardening, and CI/CD integration. |
| disable-model-invocation | true |
docker --version # Engine version
docker compose version # Compose plugin version
docker buildx version # BuildKit/buildx version
Check the Docker Engine release notes for the latest stable.
Dockerfile review checklist:
- Base image is minimal (alpine, slim, distroless)
- No latest tag: pinned to a specific version or digest
- WORKDIR is set before file operations
- COPY uses specific files, not COPY . . where possible
- Runs as a non-root user (USER directive or --user at runtime)
- EXPOSE documents only necessary ports
- HEALTHCHECK is defined
- Runtime layers are lean (apt-get cleaned, no dev tools in runtime)
- Image scanned with docker scout or Trivy
- .dockerignore exists and excludes: .git, node_modules, *.log, .env
- RUN commands combined where logical (but not excessively long)
- BuildKit enabled (DOCKER_BUILDKIT=1 or default in modern Docker)
# syntax=docker/dockerfile:1
FROM node:22-alpine AS builder
WORKDIR /app
# trailing slash: with several matching files the destination must be a directory
COPY package*.json ./
# --omit=dev is the npm 8+ spelling; --only=production is deprecated
RUN npm ci --omit=dev
FROM node:22-alpine AS runtime
RUN addgroup -g 1001 -S nodejs && adduser -S nodejs -u 1001
WORKDIR /app
COPY --from=builder --chown=nodejs:nodejs /app/node_modules ./node_modules
# copies the whole context: .dockerignore must exclude .git, .env, node_modules, *.log
COPY --chown=nodejs:nodejs . .
USER nodejs
EXPOSE 3000
HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
  CMD node -e "require('http').get('http://localhost:3000/health', (r) => process.exit(r.statusCode === 200 ? 0 : 1)).on('error', () => process.exit(1))"
CMD ["node", "server.js"]
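A script that checks a Dockerfile against six of the checklist items (pinned base, non-root USER, HEALTHCHECK, secrets in ENV/ARG, apt list cleanup, COPY . without .dockerignore) and runs it over two constructed Dockerfiles, a careless one and a hardened one that also shows the BuildKit secret mount the anti-pattern table recommends. This is an added example, not code from the docker skill; hadolint covers far more, this shows the logic. The sample files, the stage and user names, and the `npmrc` secret id are assumptions.

```shell
#!/bin/sh
# Dockerfile review lint for the checklist above. Added example, not part of the
# docker skill. Line-based: a cleanup on a later backslash-continued line is not seen.

# lint_dockerfile FILE: print one finding per rule hit, exit non-zero if any (CI-friendly).
lint_dockerfile() {
  f="$1"; dir=$(dirname "$f"); n=0

  # 1. Pinned base: flag FROM with no tag or :latest and no @sha256 digest.
  #    scratch and references to earlier stages (FROM base AS x) are exempt.
  hits=$(awk 'toupper($1)=="FROM" {
      img=$2; sub(/^docker\.io\//, "", img)
      if (!(img ~ /@sha256:/ || img=="scratch" || (img in stages)) && (img !~ /:/ || img ~ /:latest$/)) print
      if (toupper($3)=="AS") stages[$4]=1
    }' "$f")
  if [ -n "$hits" ]; then echo "$f: base image not pinned: $hits"; n=$((n+1)); fi

  # 2. Non-root runtime user: no USER at all, or a final USER root, runs the app as uid 0.
  last_user=$(grep -Ei '^USER[[:space:]]' "$f" | tail -n 1 | awk '{print $2}')
  case "$last_user" in
    ""|root|0|root:*|0:*) echo "$f: runs as root (no non-root USER)"; n=$((n+1)) ;;
  esac

  # 3. HEALTHCHECK so the orchestrator can tell a hung container from a healthy one.
  if ! grep -Eiq '^HEALTHCHECK[[:space:]]' "$f"; then
    echo "$f: no HEALTHCHECK"; n=$((n+1))
  fi

  # 4. Secrets in ENV/ARG persist in image metadata and history; use RUN --mount=type=secret.
  hits=$(grep -Ein '^(ENV|ARG)[[:space:]].*(PASSWORD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)' "$f" || true)
  if [ -n "$hits" ]; then echo "$f: secret-looking ENV/ARG: $hits"; n=$((n+1)); fi

  # 5. apt-get install without dropping /var/lib/apt/lists in the same layer.
  hits=$(grep -Ein 'apt-get[[:space:]]+install' "$f" | grep -v '/var/lib/apt/lists' || true)
  if [ -n "$hits" ]; then echo "$f: apt lists not cleaned: $hits"; n=$((n+1)); fi

  # 6. COPY of the whole build context with no .dockerignore beside the Dockerfile.
  if grep -Eiq '^COPY[[:space:]]+(--[^[:space:]]+[[:space:]]+)*\.[[:space:]]' "$f" && [ ! -f "$dir/.dockerignore" ]; then
    echo "$f: COPY . without .dockerignore (.git, .env, node_modules would ship)"; n=$((n+1))
  fi

  [ "$n" -eq 0 ]
}

# count_findings FILE: number of findings, always exits 0 (for scripting and tests)
count_findings() { lint_dockerfile "$1" | grep -c '' || true; }

# Constructed samples (not from any real project): a careless Dockerfile and a hardened one.
mk_samples() {
  d=$(mktemp -d); mkdir -p "$d/bad" "$d/good"
  cat > "$d/bad/Dockerfile" <<'EOF'
FROM node:latest
ENV NPM_TOKEN=abc123
RUN apt-get update && apt-get install -y curl
COPY . .
CMD ["node", "server.js"]
EOF
  cat > "$d/good/Dockerfile" <<'EOF'
# syntax=docker/dockerfile:1
FROM node:22-alpine AS builder
WORKDIR /app
COPY package.json package-lock.json ./
RUN --mount=type=secret,id=npmrc,target=/root/.npmrc npm ci --omit=dev
FROM node:22-alpine
RUN addgroup -g 1001 -S nodejs && adduser -S nodejs -u 1001
WORKDIR /app
COPY --from=builder --chown=nodejs:nodejs /app/node_modules ./node_modules
COPY --chown=nodejs:nodejs server.js ./
USER nodejs
HEALTHCHECK --interval=30s CMD wget -q --spider http://localhost:3000/health || exit 1
CMD ["node", "server.js"]
EOF
  printf '.git\nnode_modules\n.env\n*.log\n' > "$d/good/.dockerignore"
  echo "$d"
}

# usage: d=$(mk_samples); lint_dockerfile "$d/bad/Dockerfile"; echo "exit=$?"
```

The hardened sample builds with `docker build --secret id=npmrc,src=$HOME/.npmrc .`; the token is mounted only for that RUN step and never lands in a layer, which is what the "Secrets in ENV" row of the anti-pattern table is about. The careless sample trips all six rules; the hardened one trips none.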
# docker-compose.yml: production baseline
services:
  app:
    build: .
    restart: unless-stopped
    deploy:
      resources:
        limits:
          cpus: '1.0'
          memory: 512M
    healthcheck:
      # node:22-alpine ships busybox wget but no curl; a check that calls a missing binary never passes
      test: ["CMD", "wget", "-q", "--spider", "http://localhost:3000/health"]
      interval: 30s
      timeout: 3s
      retries: 3
# docker-compose.override.yml: development only (merged automatically by docker compose up)
services:
  app:
    volumes:
      - .:/app
    environment:
      - NODE_ENV=development
    command: npm run dev
docker compose config # validate and merge
docker compose config --profiles # check profile separation
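The baseline above limits resources and adds a healthcheck; a production service should also drop privileges at runtime. The following is an added example, not part of the docker skill, and goes beyond the page's baseline: it pairs a weak service definition with a hardened one (non-root user, read-only rootfs with tmpfs, cap_drop ALL, no-new-privileges, pids_limit, file-backed secret instead of an environment variable) and a line-based check that flags the dangerous settings and the missing hardening. The service name, the `db_password` secret, and the file path are constructed.

```shell
#!/bin/sh
# Runtime hardening check for a compose service. Added example, not part of the docker skill.
# Line-based heuristics: run it on `docker compose config` output, which merges override
# files and normalizes layout, rather than on hand-written YAML with unusual formatting.

# check_compose_hardening FILE: print one finding per rule, exit non-zero if any.
check_compose_hardening() {
  f="$1"; n=0
  flag()    { if   grep -Eq "$1" "$f"; then echo "$f: $2"; n=$((n+1)); fi; }
  require() { if ! grep -Eq "$1" "$f"; then echo "$f: $2"; n=$((n+1)); fi; }

  # settings that hand the container the host
  flag 'privileged:[[:space:]]*true'    'privileged: true disables every isolation boundary'
  flag '/var/run/docker.sock'            'docker socket mounted: root on the host for anyone in the container'
  flag 'network_mode:[[:space:]]*host'   'host networking: no network namespace'
  flag '^[[:space:]]*user:[[:space:]]*"?(root|0)("|:|$)' 'explicit root user'
  flag '^[[:space:]]*(-[[:space:]]*)?[A-Z_]*(PASSWORD|SECRET|TOKEN)[A-Z_]*[=:]' \
       'secret in environment: visible in docker inspect; use secrets: with a file or external store'

  # defense in depth a production service should carry
  require '^[[:space:]]*user:'                       'no user: runs as the image default (often root)'
  require '^[[:space:]]*read_only:[[:space:]]*true'  'no read_only: true (add tmpfs for paths that must be writable)'
  require '^[[:space:]]*cap_drop:'                   'no cap_drop: [ALL] (cap_add only what the process needs)'
  require 'no-new-privileges:true'                   'no security_opt no-new-privileges:true (setuid binaries could regain privilege)'
  require '^[[:space:]]*pids_limit:'                 'no pids_limit (fork bomb protection)'
  require '^[[:space:]]*memory:'                     'no memory limit (one container can starve the host)'
  require '^[[:space:]]*healthcheck:'                'no healthcheck'

  [ "$n" -eq 0 ]
}

# count_compose_findings FILE: number of findings, always exits 0
count_compose_findings() { check_compose_hardening "$1" | grep -c '' || true; }

# Constructed samples: a weak service and the same service hardened
mk_compose_samples() {
  d=$(mktemp -d)
  cat > "$d/weak.yml" <<'EOF'
services:
  app:
    image: app:1.0.0
    privileged: true
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    environment:
      - DB_PASSWORD=hunter2
EOF
  cat > "$d/hardened.yml" <<'EOF'
services:
  app:
    image: app:1.0.0
    user: "1001:1001"
    read_only: true
    tmpfs:
      - /tmp:size=64m,mode=1777
    cap_drop:
      - ALL
    security_opt:
      - no-new-privileges:true
    pids_limit: 256
    deploy:
      resources:
        limits:
          cpus: '1.0'
          memory: 512M
    secrets:
      - db_password
    healthcheck:
      test: ["CMD", "wget", "-q", "--spider", "http://localhost:3000/health"]
      interval: 30s
      timeout: 3s
      retries: 3
secrets:
  db_password:
    file: ./secrets/db_password.txt
EOF
  echo "$d"
}

# usage: d=$(mk_compose_samples); check_compose_hardening "$d/weak.yml"; echo "exit=$?"
```

The file-backed secret is mounted at /run/secrets/db_password inside the container and never appears in `docker inspect`; the weak file trips ten rules, the hardened one none. In a pipeline, run `docker compose config > merged.yml` first so the override file and any `user:` or `privileged:` it adds are part of what gets checked.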
# Docker Scout (built-in, requires login)
docker scout quickview myimage:latest
docker scout cves myimage:latest
# Trivy (open source)
trivy image myimage:latest
trivy filesystem .
# Snyk
snyk container test myimage:latest
| Anti-Pattern | Why It's Wrong | Fix |
|---|---|---|
| FROM node:latest | Non-reproducible builds, surprise updates | Pin to node:22-alpine or a digest |
| Running as root | Any escape or careless bind mount hands the attacker root on the host; most in-container exploits assume it | USER directive + file ownership |
| COPY . . without .dockerignore | Bloats image, leaks .env, .git and other secrets into layers | Explicit .dockerignore |
| apt-get update && apt-get install without cleanup | Bloated layers | && rm -rf /var/lib/apt/lists/* in the same RUN |
| No healthcheck | Orchestrator can't detect failure | HEALTHCHECK in Dockerfile or compose |
| Secrets in ENV | Visible in docker inspect, and in docker history when set in the Dockerfile | BuildKit secrets (RUN --mount=type=secret) or runtime mounts |
| Single-stage build | Build tools ship in the runtime image: large attack surface, slow deploys | Multi-stage: build → runtime |
# .github/workflows/docker.yml (excerpt; docker scout needs a prior docker/login-action step)
- name: Test
  # run the suite on the runner: the runtime image is built without dev dependencies,
  # so `docker run app npm test` would fail there
  run: npm ci && npm test
- name: Build and scan
  run: |
    docker build -t app:${{ github.sha }} .
    docker scout cves app:${{ github.sha }} --exit-code --only-severity critical,high
Troubleshooting:
- Build behaves differently across runs: docker build --no-cache to isolate cache problems
- Image too large: dive myimage:latest to analyze layer bloat
- Container exits immediately: check CMD/ENTRYPOINT and logs (docker logs)
- Permission denied at runtime: check the USER directive and file ownership in COPY --chown
- Need a look inside a running container: docker exec