name	docker-optimizer
description	Reviews Dockerfiles for best practices, security issues, and image size optimizations including multi-stage builds and layer caching. Use when working with Docker, containers, or deployment.
allowed-tools	Read, Grep, Glob, Write, Edit

Docker Optimizer

Analyzes and optimizes Dockerfiles for performance, security, and best practices.

When to Use

User working with Docker or containers
Dockerfile optimization needed
Container image too large
User mentions "Docker", "container", "image size", or "deployment"

Instructions

1. Find Dockerfiles

Search for: Dockerfile, Dockerfile.*, *.dockerfile

2. Check Best Practices

Use specific base image versions:

# Bad
FROM node:latest

# Good
FROM node:18-alpine

Minimize layers:

# Bad
RUN apt-get update
RUN apt-get install -y curl
RUN apt-get install -y git

# Good
RUN apt-get update && \
    apt-get install -y curl git && \
    rm -rf /var/lib/apt/lists/*

Order instructions by change frequency:

# Dependencies change less than code
COPY package*.json ./
RUN npm install
COPY . .

Use .dockerignore:

node_modules
.git
.env
*.md

3. Multi-Stage Builds

Reduce final image size:

# Build stage
FROM node:18 AS build
WORKDIR /app
COPY package*.json ./
RUN npm install
COPY . .
RUN npm run build

# Production stage
FROM node:18-alpine
WORKDIR /app
COPY --from=build /app/dist ./dist
COPY --from=build /app/node_modules ./node_modules
CMD ["node", "dist/index.js"]

4. Security Issues

Don't run as root:

RUN addgroup -S appgroup && adduser -S appuser -G appgroup
USER appuser

No secrets in image:

# Bad: Hardcoded secret
ENV API_KEY=secret123

# Good: Use build args or runtime env
ARG BUILD_ENV
ENV NODE_ENV=${BUILD_ENV}

Scan for vulnerabilities:

docker scan image:tag
trivy image image:tag

5. Size Optimization

Use Alpine images:

node:18-alpine vs node:18 (900MB → 170MB)
python:3.11-alpine vs python:3.11 (900MB → 50MB)

Remove unnecessary files:

RUN npm install --production && \
    npm cache clean --force

Use specific COPY:

# Bad: Copies everything
COPY . .

# Good: Copy only what's needed
COPY package*.json ./
COPY src ./src

6. Caching Strategy

Layer caching optimization:

# Install dependencies first (cached if package.json unchanged)
COPY package*.json ./
RUN npm install

# Copy source (changes more frequently)
COPY . .
RUN npm run build

7. Health Checks

HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
  CMD node healthcheck.js

8. Generate Optimized Dockerfile

Provide improved version with:

Multi-stage build
Appropriate base image
Security improvements
Layer optimization
Build caching
.dockerignore file

9. Build Commands

Efficient build:

# Use BuildKit
DOCKER_BUILDKIT=1 docker build -t app:latest .

# Build with cache from registry
docker build --cache-from myregistry/app:latest -t app:latest .

10. Dockerfile Checklist

Specific base image tag (not latest)
Multi-stage build if applicable
Non-root user
Minimal layers (combined RUN commands)
.dockerignore present
No secrets in image
Proper layer ordering for caching
Alpine or slim variant used
Cleanup in same RUN layer
HEALTHCHECK defined

Security Best Practices

Scan images regularly
Use official base images
Keep base images updated
Minimize attack surface (fewer packages)
Run as non-root user
Use read-only filesystem where possible

Supporting Files

templates/Dockerfile.optimized: Optimized multi-stage Dockerfile example
templates/.dockerignore: Common .dockerignore patterns

docker-optimizer

Install Skill

SKILL.md