Dockerfile Review
Audit Dockerfiles for security, efficiency, and best practices.
Instructions
- •Read the Dockerfile
- •Check for issues in each category below
- •Report findings with severity (critical/warning/suggestion)
- •Provide specific fixes with corrected code
Security checks
- •MUST flag
USER rootwithout switching back - •MUST flag secrets in ENV, ARG, or COPY (API keys, passwords)
- •MUST flag
apt-get installwithout--no-install-recommends - •Flag missing
USERdirective (runs as root by default) - •Flag
COPY . .(may include secrets, .git, etc.) - •Flag
:latesttags (unpinned versions) - •Flag
curl | shpatterns
Optimization checks
- •Multi-stage builds for compiled languages
- •Layer ordering (least-changing first)
- •Combined RUN statements to reduce layers
- •Cache mounts for package managers:
--mount=type=cache - •
.dockerignorefile exists and covers .git, node_modules, etc. - •
apt-get clean && rm -rf /var/lib/apt/lists/*in same layer
Best practices
dockerfile
# Good: pinned, non-root, minimal
FROM python:3.11-slim@sha256:abc123...
WORKDIR /app
RUN useradd -r -s /bin/false appuser
COPY requirements.txt .
RUN --mount=type=cache,target=/root/.cache/pip \
pip install -r requirements.txt
COPY --chown=appuser:appuser . .
USER appuser
CMD ["python", "app.py"]
Output format
code
## Critical - Line 5: Running as root without USER directive ## Warnings - Line 12: Using :latest tag - pin to specific version ## Suggestions - Line 8-10: Combine RUN statements to reduce layers
Rules
- •MUST read the Dockerfile before reviewing
- •MUST categorize issues by severity
- •Never approve Dockerfiles with hardcoded secrets
- •Always check for corresponding .dockerignore