Concept	Description
Build stage	A named `FROM` block that produces intermediate artifacts; only the final stage ships
Layer cache	Docker caches each instruction; reordering instructions keeps cache hits high

Concept	Description
Build stage	A named `FROM` block that produces intermediate artifacts; only the final stage ships
Layer cache	Docker caches each instruction; reordering instructions keeps cache hits high

Dockerfile Mastery · Loop · Loop

Base image	Compressed size	Use when
`node:22-alpine`	~50 MB	Default for most Node.js services
`node:22-slim`	~75 MB	Need glibc or native deps that fail on musl
`gcr.io/distroless/nodejs22`	~40 MB	Maximum security — no shell, no package manager
`scratch`	0 MB	Fully static binaries only

# syntax=docker/dockerfile:1

# ---- Stage 1: Dependencies ----
FROM node:22-alpine AS deps
WORKDIR /app

# Cache package manager files between builds (BuildKit cache mount)
COPY package.json pnpm-lock.yaml ./
RUN --mount=type=cache,id=pnpm-cache,target=/root/.pnpm-store \
    corepack enable pnpm && pnpm install --frozen-lockfile --prod=false

# If you need private registries, use build secrets (will not be in final layers)
# docker build --secret id=npmrc,src=$HOME/.npmrc .
# and in Dockerfile:
# RUN --mount=type=secret,id=npmrc,target=/root/.npmrc \
#     npm ci --silent

# ---- Stage 2: Build ----
FROM node:22-alpine AS build
WORKDIR /app
COPY --from=deps /app/node_modules ./node_modules
COPY . .
ENV NEXT_TELEMETRY_DISABLED=1
RUN corepack enable pnpm && pnpm run build

# ---- Stage 3: Production runner ----
FROM node:22-alpine AS runner
WORKDIR /app
ENV NODE_ENV=production
ENV NEXT_TELEMETRY_DISABLED=1
RUN addgroup --system --gid 1001 appgroup && \
    adduser --system --uid 1001 appuser

COPY --from=build /app/public ./public
COPY --from=build --chown=appuser:appgroup /app/.next/standalone ./
COPY --from=build --chown=appuser:appgroup /app/.next/static ./.next/static

USER appuser
EXPOSE 3000
ENV PORT=3000 HOSTNAME="0.0.0.0"

HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
  CMD wget --no-verbose --tries=1 --spider http://localhost:3000/ || exit 1

CMD ["node", "server.js"]

node_modules
.next
.git
.github
.vscode
.env*
*.md
!README.md
Dockerfile*
docker-compose*
.dockerignore
coverage
.turbo
dist
.cache
*.log

Strategy	Image size	Build time
Single-stage node:22	1.2 GB	90 s
Single-stage node:22-alpine	450 MB	85 s
Multi-stage node:22-alpine	180 MB	95 s
Multi-stage + standalone output	120 MB	95 s
Multi-stage + distroless	95 MB	100 s

# .github/workflows/docker-scan.yml
name: Docker Build & Scan
on:
  push:
    branches: [main]
  pull_request:

jobs:
  build-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Build image
        uses: docker/build-push-action@v6
        with:
          context: .
          load: true
          tags: app:scan
          cache-from: type=gha
          cache-to: type=gha,mode=max

      - name: Run Trivy scan (pin the action)
        # Pin to the patched release to avoid the March 2026 supply-chain compromise
        uses: aquasecurity/trivy-action@v0.35.0
        with:
          image-ref: app:scan
          format: table
          exit-code: 1
          severity: CRITICAL,HIGH

      - name: Optional: Additional scanners (pin versions)
        # Example: Snyk, Clair, or commercial scanners — pin the action/version you use and keep an upgrade/update process
        run: echo "Run additional image scanners here"

Agent docs

4 attached

Codex — Dockerfile Mastery

Environment

Codex runs in a sandboxed environment with file I/O and shell access
Docker daemon may not be available — generate and validate Dockerfiles textually
Working directory is the project root
Network access may be restricted — prefer local validation over remote pulls

When this skill is active

Generate multi-stage Dockerfiles following the layer-ordering strategy in the skill body
Always include a .dockerignore when creating a new Dockerfile
Default to node:22-alpine unless native modules require node-slim
Add non-root USER and HEALTHCHECK to every production Dockerfile
Pin base images by digest for reproducible builds
Use BuildKit syntax header (# syntax=docker/dockerfile:1) in every Dockerfile
Separate dependency install from source copy for optimal caching

Tool usage

Use file write to create or update Dockerfile and .dockerignore
Use shell to run docker build --check if the daemon is available
Validate YAML CI configs with a dry-run parse when possible
Run hadolint Dockerfile to lint for Dockerfile best practices

Testing expectations

After generating a Dockerfile, verify it has: multi-stage, non-root user, HEALTHCHECK, no COPY of secrets
Run hadolint Dockerfile if available to lint for best practices
Confirm .dockerignore excludes node_modules, .git, .env*
Verify the final stage does not contain build toolchains or dev dependencies

Common failure modes

Alpine + native deps: detect sharp/canvas/bcrypt in package.json and switch to slim
Missing standalone copy: always copy public/ and .next/static for Next.js standalone
Cache busting: ensure lockfile COPY precedes full source COPY
COPY --from wrong stage name: double-check stage names match between FROM and COPY

Output format

Write Dockerfile and .dockerignore directly
Summarize image size strategy and security measures in the response
Include a before/after size comparison when optimizing an existing Dockerfile
Flag any detected CVE risk from base image choice

Activity

PausedMonday · 9:00 AM6 sources

Automation & run history

Automation status and run history. Only the owner can trigger runs or edit the schedule.

View automation desk

Next runtomorrow

ScheduleMonday · 9:00 AM

Runs this month4

Latest outcomev2

April 2026

Automation brief

Check Docker blog for BuildKit updates, new Dockerfile syntax directives, and multi-stage build improvements. Scan Trivy releases for image-scanning rule changes. Update Dockerfile templates, layer-caching strategies, and security-hardening patterns.

Latest refresh trace

Reasoning steps, source results, and the diff that landed.

Apr 6, 2026 · 9:05 AM

triggerAutomation

editoropenai/gpt-5-mini

duration117.6s

statussuccess

web searches4

sources discovered+2

Revision: v2

This revision clarifies BuildKit usage (syntax directive, cache and secret mounts), updates CI scanning guidance to pin Trivy action to the patched v0.35.0 and recommends verifying scanner provenance after the March 2026 Trivy supply-chain compromise. It also adds cache/secret examples and CI checklist to improve reproducible, secure builds.

- Added explicit guidance to use the Dockerfile syntax directive and pin docker/dockerfile frontend - Added concrete BuildKit examples: cache mounts (`--mount=type=cache`), secret mounts (`--mount=type=secret`), and SSH mounts - Updated CI example to pin aquasecurity/trivy-action@v0.35.0 and added guidance to avoid using `@master`/`@latest` - Added a CI security checklist and edge-case entry for the March 2026 Trivy compromise - Added sources for BuildKit and Trivy incident and recommended pinning/verification steps

Agent steps

Step 1Started scanning 4 sources.

Step 2Docker Blog: 10 fresh signals captured.

Step 3containerd Releases: No fresh signals found.

Step 4Trivy Releases: No fresh signals found.

Step 5GitHub Blog: 10 fresh signals captured.

Step 6Agent is rewriting the skill body from the fetched source deltas.

Step 7Agent discovered 2 new source(s): Docker Docs - BuildKit, Aqua Security Blog.

Step 8Agent used 4 web search(es).

Step 9v2 is live with body edits.

Sources

Docker Blogdone

10 fresh signals captured.

Defending Your Software Supply Chain: What Every Engineering Team Should Do Now Gemma 4 is Here: Now Available on Docker Hub Docker Offload now Generally Available: The Full Power of Docker, for Every Developer, Everywhere.

containerd Releasesdone

No fresh signals found.

Trivy Releasesdone

No fresh signals found.

GitHub Blogdone

10 fresh signals captured.

The uphill climb of making diff lines performant Securing the open source supply chain across GitHub Run multiple agents at once with /fleet in Copilot CLI

Diff preview

| Concept | Description |

|---------|-------------|

−| Build stage | A named \`FROM\` block that produces intermediate artifacts; only the final stage ships |

+| Build stage | A named `FROM` block that produces intermediate artifacts; only the final stage ships |

| Layer cache | Docker caches each instruction; reordering instructions keeps cache hits high |

−| .dockerignore | Excludes files from the build context to speed up \`COPY\` and reduce image size |

+| .dockerignore | Excludes files from the build context to speed up `COPY` and reduce image size |

| Distroless / slim | Minimal base images with no shell or package manager — smaller, fewer CVEs |

| BuildKit | Modern Docker build engine with parallel stage execution and improved caching, cache mounts, and build-time secrets |

−| BuildKit | Modern Docker build engine with parallel stage execution and better caching |

| Dockerfile frontend (syntax) | BuildKit supports external Dockerfile frontends. Add a syntax directive (for example `# syntax=docker/dockerfile:1`) to pin or select the frontend image. Use the stable `docker/dockerfile:1` channel for feature updates or pin a specific immutable tag for reproducible builds (see Docker Docs). |

| HEALTHCHECK | Built-in instruction that lets Docker monitor container health |

| Multi-platform | Building for linux/amd64 and linux/arm64 from a single Dockerfile |

+Notes and sources:

+- Always use a syntax directive when relying on BuildKit-specific features (Docker Docs: Custom Dockerfile syntax).

- Prefer stable channel `docker/dockerfile:1` for small compatibility updates, or pin a precise immutable tag when strict reproducibility is required.

## Workflow

@@ −40 +45 @@

| Base image | Compressed size | Use when |

|------------|----------------|----------|

+| `node:22-alpine` | ~50 MB | Default for most Node.js services |

+| `node:22-slim` | ~75 MB | Need glibc or native deps that fail on musl |

+| `gcr.io/distroless/nodejs22` | ~40 MB | Maximum security — no shell, no package manager |

−| \`node:22-alpine\` | ~50 MB | Default for most Node.js services |

+| `scratch` | 0 MB | Fully static binaries only |

−| \`node:22-slim\` | ~75 MB | Need glibc or native deps that fail on musl |

−| \`gcr.io/distroless/nodejs22\` | ~40 MB | Maximum security — no shell, no package manager |

−| \`scratch\` | 0 MB | Fully static binaries only |

### Step 2: Structure the multi-stage build

@@ −59 +64 @@

3. Copy lockfile → install deps

4. Copy source → build

5. Copy build output into final stage

+### Step 4: Use BuildKit features to speed, secure, and shrink builds

- Add an explicit syntax directive at the top of Dockerfiles that use BuildKit-specific features: `# syntax=docker/dockerfile:1`.

- Use cache mounts to persist package-manager caches between builds and avoid re-downloading dependencies (`RUN --mount=type=cache,...`). See Docker Docs: Optimize cache usage in builds.

- Use secret mounts for build-time secrets instead of ARGs or ENV so secrets are not baked into layers (`RUN --mount=type=secret,id=npmrc ...`). See Docker Docs: Build secrets.

+- Use SSH mounts for fetching private repositories during the build (`RUN --mount=type=ssh ...`).

−### Step 4: Add security hardening

+### Step 5: Add security hardening

- Run as a non-root user

−- Drop all Linux capabilities

+- Drop Linux capabilities where supported by your runtime/orchestrator

- Set read-only filesystem where possible

- Pin base image digests for reproducibility

−### Step 5: Write a comprehensive .dockerignore

+### Step 6: CI and reproducible builds

- Use `docker buildx` and a shared external cache (registry or GitHub Actions cache) to get repeatable, fast builds across runners

+- Pin Dockerfile frontend and build tooling versions in CI

−Exclude everything that is not needed in the build context.

+- Pin scanner and action versions; do not use `@master` or `@latest` for security-sensitive tools

## Examples

−### Example 1: Production Next.js multi-stage Dockerfile

+### Example 1: Production Next.js multi-stage Dockerfile (BuildKit primitives)

−\`\`\`dockerfile

+```dockerfile

# syntax=docker/dockerfile:1

# ---- Stage 1: Dependencies ----

FROM node:22-alpine AS deps

WORKDIR /app

+# Cache package manager files between builds (BuildKit cache mount)

COPY package.json pnpm-lock.yaml ./

+RUN --mount=type=cache,id=pnpm-cache,target=/root/.pnpm-store \

+ corepack enable pnpm && pnpm install --frozen-lockfile --prod=false

+# If you need private registries, use build secrets (will not be in final layers)

+# docker build --secret id=npmrc,src=$HOME/.npmrc .

+# and in Dockerfile:

+# RUN --mount=type=secret,id=npmrc,target=/root/.npmrc \

Su	Mo	Tu	We	Th	Fr	Sa

Content

Dockerfile Mastery

When to use

When NOT to use

Core concepts

Content

Dockerfile Mastery

When to use

When NOT to use

Core concepts

Workflow

Step 1: Choose a base image strategy

Step 2: Structure the multi-stage build

Step 3: Optimize layer ordering

Step 4: Use BuildKit features to speed, secure, and shrink builds

Step 5: Add security hardening

Step 6: CI and reproducible builds

Examples

Example 1: Production Next.js multi-stage Dockerfile (BuildKit primitives)

Example 2: .dockerignore template

Example 3: Size optimization comparison

Example 4: CI security scanning workflow (updated)

Decision tree

Edge cases and gotchas

CI security checklist (added)

Evaluation criteria