Docker Development
by @alirezarezvani
Docker and container development agent skill and plugin for Dockerfile optimization, docker-compose orchestration, multi-stage builds, and container security...
clawhub install docker-developmentπ About This Skill
name: "docker-development" description: "Docker and container development agent skill and plugin for Dockerfile optimization, docker-compose orchestration, multi-stage builds, and container security hardening. Use when: user wants to optimize a Dockerfile, create or improve docker-compose configurations, implement multi-stage builds, audit container security, reduce image size, or follow container best practices. Covers build performance, layer caching, secret management, and production-ready container patterns." license: MIT metadata: version: 1.0.0 author: Alireza Rezvani category: engineering updated: 2026-03-16
Docker Development
> Smaller images. Faster builds. Secure containers. No guesswork.
Opinionated Docker workflow that turns bloated Dockerfiles into production-grade containers. Covers optimization, multi-stage builds, compose orchestration, and security hardening.
Not a Docker tutorial β a set of concrete decisions about how to build containers that don't waste time, space, or attack surface.
Slash Commands
| Command | What it does |
|---------|-------------|
| /docker:optimize | Analyze and optimize a Dockerfile for size, speed, and layer caching |
| /docker:compose | Generate or improve docker-compose.yml with best practices |
| /docker:security | Audit a Dockerfile or running container for security issues |
When This Skill Activates
Recognize these patterns from the user:
If the user has a Dockerfile or wants to containerize something β this skill applies.
Workflow
/docker:optimize β Dockerfile Optimization
1. Analyze current state - Read the Dockerfile - Identify base image and its size - Count layers (each RUN/COPY/ADD = 1 layer) - Check for common anti-patterns
2. Apply optimization checklist
BASE IMAGE
βββ Use specific tags, never :latest in production
βββ Prefer slim/alpine variants (debian-slim > ubuntu > debian)
βββ Pin digest for reproducibility in CI: image@sha256:...
βββ Match base to runtime needs (don't use python:3.12 for a compiled binary) LAYER OPTIMIZATION
βββ Combine related RUN commands with && \
βββ Order layers: least-changing first (deps before source code)
βββ Clean package manager cache in the same RUN layer
βββ Use .dockerignore to exclude unnecessary files
βββ Separate build deps from runtime deps
BUILD CACHE
βββ COPY dependency files before source code (package.json, requirements.txt, go.mod)
βββ Install deps in a separate layer from code copy
βββ Use BuildKit cache mounts: --mount=type=cache,target=/root/.cache
βββ Avoid COPY . . before dependency installation
MULTI-STAGE BUILDS
βββ Stage 1: build (full SDK, build tools, dev deps)
βββ Stage 2: runtime (minimal base, only production artifacts)
βββ COPY --from=builder only what's needed
βββ Final image should have NO build tools, NO source code, NO dev deps
3. Generate optimized Dockerfile - Apply all relevant optimizations - Add inline comments explaining each decision - Report estimated size reduction
4. Validate
python3 scripts/dockerfile_analyzer.py Dockerfile
/docker:compose β Docker Compose Configuration
1. Identify services - Application (web, API, worker) - Database (postgres, mysql, redis, mongo) - Cache (redis, memcached) - Queue (rabbitmq, kafka) - Reverse proxy (nginx, traefik, caddy)
2. Apply compose best practices
SERVICES
βββ Use depends_on with condition: service_healthy
βββ Add healthchecks for every service
βββ Set resource limits (mem_limit, cpus)
βββ Use named volumes for persistent data
βββ Pin image versions NETWORKING
βββ Create explicit networks (don't rely on default)
βββ Separate frontend and backend networks
βββ Only expose ports that need external access
βββ Use internal: true for backend-only networks
ENVIRONMENT
βββ Use env_file for secrets, not inline environment
βββ Never commit .env files (add to .gitignore)
βββ Use variable substitution: ${VAR:-default}
βββ Document all required env vars
DEVELOPMENT vs PRODUCTION
βββ Use compose profiles or override files
βββ Dev: bind mounts for hot reload, debug ports exposed
βββ Prod: named volumes, no debug ports, restart: unless-stopped
βββ docker-compose.override.yml for dev-only config
3. Generate compose file - Output docker-compose.yml with healthchecks, networks, volumes - Generate .env.example with all required variables documented - Add dev/prod profile annotations
/docker:security β Container Security Audit
1. Dockerfile audit
| Check | Severity | Fix |
|-------|----------|-----|
| Running as root | Critical | Add USER nonroot after creating user |
| Using :latest tag | High | Pin to specific version |
| Secrets in ENV/ARG | Critical | Use BuildKit secrets: --mount=type=secret |
| COPY with broad glob | Medium | Use specific paths, add .dockerignore |
| Unnecessary EXPOSE | Low | Only expose ports the app uses |
| No HEALTHCHECK | Medium | Add HEALTHCHECK with appropriate interval |
| Privileged instructions | High | Avoid --privileged, drop capabilities |
| Package manager cache retained | Low | Clean in same RUN layer |
2. Runtime security checks
| Check | Severity | Fix |
|-------|----------|-----|
| Container running as root | Critical | Set user in Dockerfile or compose |
| Writable root filesystem | Medium | Use read_only: true in compose |
| All capabilities retained | High | Drop all, add only needed: cap_drop: [ALL] |
| No resource limits | Medium | Set mem_limit and cpus |
| Host network mode | High | Use bridge or custom network |
| Sensitive mounts | Critical | Never mount /etc, /var/run/docker.sock in prod |
| No log driver configured | Low | Set logging: with size limits |
3. Generate security report
SECURITY AUDIT β [Dockerfile/Image name]
Date: [timestamp] CRITICAL: [count]
HIGH: [count]
MEDIUM: [count]
LOW: [count]
[Detailed findings with fix recommendations]
Tooling
scripts/dockerfile_analyzer.py
CLI utility for static analysis of Dockerfiles.
Features:
Usage:
# Analyze a Dockerfile
python3 scripts/dockerfile_analyzer.py DockerfileJSON output
python3 scripts/dockerfile_analyzer.py Dockerfile --output jsonAnalyze with security focus
python3 scripts/dockerfile_analyzer.py Dockerfile --securityCheck a specific directory
python3 scripts/dockerfile_analyzer.py path/to/Dockerfile
scripts/compose_validator.py
CLI utility for validating docker-compose files.
Features:
Usage:
# Validate a compose file
python3 scripts/compose_validator.py docker-compose.ymlJSON output
python3 scripts/compose_validator.py docker-compose.yml --output jsonStrict mode (fail on warnings)
python3 scripts/compose_validator.py docker-compose.yml --strict
Multi-Stage Build Patterns
Pattern 1: Compiled Language (Go, Rust, C++)
# Build stage
FROM golang:1.22-alpine AS builder
WORKDIR /app
COPY go.mod go.sum ./
RUN go mod download
COPY . .
RUN CGO_ENABLED=0 go build -ldflags="-s -w" -o /app/server ./cmd/serverRuntime stage
FROM gcr.io/distroless/static-debian12
COPY --from=builder /app/server /server
USER nonroot:nonroot
ENTRYPOINT ["/server"]
Pattern 2: Node.js / TypeScript
# Dependencies stage
FROM node:20-alpine AS deps
WORKDIR /app
COPY package.json package-lock.json ./
RUN npm ci --production=falseBuild stage
FROM deps AS builder
COPY . .
RUN npm run buildRuntime stage
FROM node:20-alpine
WORKDIR /app
RUN addgroup -g 1001 -S appgroup && adduser -S appuser -u 1001
COPY --from=builder /app/dist ./dist
COPY --from=deps /app/node_modules ./node_modules
COPY package.json ./
USER appuser
EXPOSE 3000
CMD ["node", "dist/index.js"]
Pattern 3: Python
# Build stage
FROM python:3.12-slim AS builder
WORKDIR /app
COPY requirements.txt .
RUN pip install --no-cache-dir --prefix=/install -r requirements.txtRuntime stage
FROM python:3.12-slim
WORKDIR /app
RUN groupadd -r appgroup && useradd -r -g appgroup appuser
COPY --from=builder /install /usr/local
COPY . .
USER appuser
EXPOSE 8000
CMD ["python", "-m", "uvicorn", "main:app", "--host", "0.0.0.0", "--port", "8000"]
Base Image Decision Tree
Is it a compiled binary (Go, Rust, C)?
βββ Yes β distroless/static or scratch
βββ No
βββ Need a shell for debugging?
β βββ Yes β alpine variant (e.g., node:20-alpine)
β βββ No β distroless variant
βββ Need glibc (not musl)?
β βββ Yes β slim variant (e.g., python:3.12-slim)
β βββ No β alpine variant
βββ Need specific OS packages?
βββ Many β debian-slim
βββ Few β alpine + apk add
Proactive Triggers
Flag these without being asked:
.git, node_modules, __pycache__, .env.rm -rf /var/lib/apt/lists/* in the same RUN.Installation
One-liner (any tool)
git clone https://github.com/alirezarezvani/claude-skills.git
cp -r claude-skills/engineering/docker-development ~/.claude/skills/
Multi-tool install
./scripts/convert.sh --skill docker-development --tool codex|gemini|cursor|windsurf|openclaw
OpenClaw
clawhub install cs-docker-development