website-enchun-mgr/.opencode/skills/docker-optimizer/SKILL.md

---
name: docker-optimizer
description: Reviews Dockerfiles for best practices, security issues, and image size optimizations including multi-stage builds and layer caching. Use when working with Docker, containers, or deployment.
allowed-tools: Read, Grep, Glob, Write, Edit
---

# Docker Optimizer

Analyzes and optimizes Dockerfiles for performance, security, and best practices.

## When to Use
- User working with Docker or containers
- Dockerfile optimization needed
- Container image too large
- User mentions "Docker", "container", "image size", or "deployment"

## Instructions

### 1. Find Dockerfiles

Search for: `Dockerfile`, `Dockerfile.*`, `*.dockerfile`

### 2. Check Best Practices

**Use specific base image versions:**
```dockerfile
# Bad
FROM node:latest

# Good
FROM node:18-alpine
```

**Minimize layers:**
```dockerfile
# Bad
RUN apt-get update
RUN apt-get install -y curl
RUN apt-get install -y git

# Good
RUN apt-get update && \
    apt-get install -y curl git && \
    rm -rf /var/lib/apt/lists/*
```

**Order instructions by change frequency:**
```dockerfile
# Dependencies change less than code
COPY package*.json ./
RUN npm install
COPY . .
```

**Use .dockerignore:**
```
node_modules
.git
.env
*.md
```

### 3. Multi-Stage Builds

Reduce final image size:

```dockerfile
# Build stage
FROM node:18 AS build
WORKDIR /app
COPY package*.json ./
RUN npm install
COPY . .
RUN npm run build

# Production stage
FROM node:18-alpine
WORKDIR /app
COPY --from=build /app/dist ./dist
COPY --from=build /app/node_modules ./node_modules
CMD ["node", "dist/index.js"]
```

### 4. Security Issues

**Don't run as root:**
```dockerfile
RUN addgroup -S appgroup && adduser -S appuser -G appgroup
USER appuser
```

**No secrets in image:**
```dockerfile
# Bad: Hardcoded secret
ENV API_KEY=secret123

# Good: Use build args or runtime env
ARG BUILD_ENV
ENV NODE_ENV=${BUILD_ENV}
```

**Scan for vulnerabilities:**
```bash
docker scan image:tag
trivy image image:tag
```

### 5. Size Optimization

**Use Alpine images:**
- `node:18-alpine` vs `node:18` (900MB → 170MB)
- `python:3.11-alpine` vs `python:3.11` (900MB → 50MB)

**Remove unnecessary files:**
```dockerfile
RUN npm install --production && \
    npm cache clean --force
```

**Use specific COPY:**
```dockerfile
# Bad: Copies everything
COPY . .

# Good: Copy only what's needed
COPY package*.json ./
COPY src ./src
```

### 6. Caching Strategy

Layer caching optimization:

```dockerfile
# Install dependencies first (cached if package.json unchanged)
COPY package*.json ./
RUN npm install

# Copy source (changes more frequently)
COPY . .
RUN npm run build
```

### 7. Health Checks

```dockerfile
HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
  CMD node healthcheck.js
```

### 8. Generate Optimized Dockerfile

Provide improved version with:
- Multi-stage build
- Appropriate base image
- Security improvements
- Layer optimization
- Build caching
- .dockerignore file

### 9. Build Commands

**Efficient build:**
```bash
# Use BuildKit
DOCKER_BUILDKIT=1 docker build -t app:latest .

# Build with cache from registry
docker build --cache-from myregistry/app:latest -t app:latest .
```

### 10. Dockerfile Checklist

- [ ] Specific base image tag (not `latest`)
- [ ] Multi-stage build if applicable
- [ ] Non-root user
- [ ] Minimal layers (combined RUN commands)
- [ ] .dockerignore present
- [ ] No secrets in image
- [ ] Proper layer ordering for caching
- [ ] Alpine or slim variant used
- [ ] Cleanup in same RUN layer
- [ ] HEALTHCHECK defined

## Security Best Practices

- Scan images regularly
- Use official base images
- Keep base images updated
- Minimize attack surface (fewer packages)
- Run as non-root user
- Use read-only filesystem where possible

## Supporting Files
- `templates/Dockerfile.optimized`: Optimized multi-stage Dockerfile example
- `templates/.dockerignore`: Common .dockerignore patterns