Production Dockerfile Generator
Generate a production-grade Dockerfile that uses multi-stage builds, runs as a non-root user, leverages BuildKit cache mounts, and produces a minimal final image.
When to use
- Containerizing a new service
- Optimizing an existing Dockerfile that's too large or insecure
- Setting up a service for Kubernetes deployment
Prompt
You are a senior platform engineer specializing in container security and
optimization. Generate a production-ready Dockerfile.
## Input
**App type:** {{app_type}}
**Package manager:** {{package_manager}}
**App port:** {{app_port}}
## Requirements
The Dockerfile must:
### Build stage
- Use specific version tags, never `:latest`
- Use slim or distroless base images where appropriate
- Leverage BuildKit cache mounts for the package manager cache
- Install dependencies in a separate layer from app code (for cache reuse)
- Run any build steps (compile, bundle) in the build stage
### Runtime stage
- Use a minimal base image (distroless or alpine)
- Copy only the artifacts needed at runtime
- Run as a non-root user with UID >= 10000
- Set WORKDIR explicitly
- Use ENTRYPOINT for the main process, CMD for default args
- Include a HEALTHCHECK
- Set NODE_ENV=production / equivalent for the runtime
- Expose the app port
### Security
- No secrets baked in
- No development tools in the final image
- Drop all Linux capabilities (this is set in the container runtime config, not the Dockerfile, but document it)
- Compatible with a read-only root filesystem
### Reproducibility
- Pin OS-level package versions if installing any
- Lock package manager versions
## Output
Provide:
1. **Dockerfile** - the full file with comments explaining each section
2. **.dockerignore** - aggressive ignore list
3. **Build commands** - example BuildKit commands for local + CI
4. **Image size expectation** - rough estimate after optimization
5. **Notes** - 3-5 things the reader should know about the choices made
Example output (Node.js)
```dockerfile
# syntax=docker/dockerfile:1.7
# ---- Build stage ----
FROM node:20.18-bookworm-slim AS build
WORKDIR /app
# Install pnpm
RUN corepack enable && corepack prepare pnpm@9.12.0 --activate
# Cache deps separately from source
COPY pnpm-lock.yaml package.json ./
RUN --mount=type=cache,id=pnpm,target=/root/.local/share/pnpm/store \
    pnpm install --frozen-lockfile
COPY . .
RUN pnpm build && pnpm prune --prod
# ---- Runtime stage ----
FROM gcr.io/distroless/nodejs20-debian12:nonroot AS runtime
WORKDIR /app
COPY --from=build --chown=nonroot:nonroot /app/node_modules ./node_modules
COPY --from=build --chown=nonroot:nonroot /app/dist ./dist
COPY --from=build --chown=nonroot:nonroot /app/package.json ./
USER nonroot
EXPOSE 3000
ENV NODE_ENV=production
# Exec form is required here: distroless ships no /bin/sh, so the shell form would fail
HEALTHCHECK --interval=30s --timeout=3s CMD ["node", "dist/health-check.js"]
ENTRYPOINT ["node", "dist/server.js"]
```
Tips
- Distroless images are smaller AND more secure than alpine for most apps
- Use `--mount=type=cache` to dramatically speed up CI builds
- Test your image with `docker scout cves <image>` for vulnerabilities
- Pair with the GitHub Actions CI template for an end-to-end build/push pipeline
- For Java apps, consider GraalVM native-image for 10x smaller, faster-starting containers
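As an added example (not part of the original page), a small Python checker for the requirements listed in the prompt (pinned base images, multi-stage copy, non-root USER, WORKDIR/EXPOSE/HEALTHCHECK, exec-form ENTRYPOINT, no secret-looking ENV/ARG names, a BuildKit cache mount), run against a condensed copy of the Node.js example; the line-joining parser and the secret-name pattern are my own simplifications, not a full Dockerfile grammar.

```python
import re
SAMPLE = """\
# constructed sample, condensed from this page's Node.js example (not the full file)
FROM node:20.18-bookworm-slim AS build
RUN --mount=type=cache,id=pnpm,target=/root/.local/share/pnpm/store \\
    pnpm install --frozen-lockfile
FROM gcr.io/distroless/nodejs20-debian12:nonroot AS runtime
WORKDIR /app
COPY --from=build --chown=nonroot:nonroot /app/dist ./dist
USER nonroot
EXPOSE 3000
HEALTHCHECK --interval=30s --timeout=3s CMD ["node", "dist/health-check.js"]
ENTRYPOINT ["node", "dist/server.js"]
"""

def parse_stages(text):  # -> list of stages, each a list of (INSTRUCTION, args)
    stages, buf = [], ""
    for line in (l.strip() for l in text.splitlines()):
        if line and not line.startswith("#"):
            buf += line.rstrip("\\") + " "          # join backslash continuations
        if buf and not line.endswith("\\"):
            instr, _, args = buf.strip().partition(" ")
            if instr.upper() == "FROM" or not stages:
                stages.append([])
            stages[-1].append((instr.upper(), args.strip()))
            buf = ""
    return stages

def check_dockerfile(text):
    """Return the violated requirements from the page's checklist; [] means compliant."""
    stages, findings, names = parse_stages(text), [], set()
    for st in stages:
        image, *rest = st[0][1].split()                 # FROM <image> [AS <name>]
        ref = image.rsplit("/", 1)[-1]                  # strip registry/namespace
        if image not in names and image != "scratch" and "@sha256:" not in image \
           and (":" not in ref or ref.endswith(":latest")):
            findings.append(f"unpinned base image: {image}")
        if len(rest) == 2 and rest[0].upper() == "AS": names.add(rest[1])
        findings += [f"possible secret baked in: {i} {a.split('=')[0]}" for i, a in st
                     if i in ("ENV", "ARG") and re.search(r"PASSWORD|SECRET|TOKEN|KEY", a.split("=")[0], re.I)]
    has = lambda ins, ok=None: any(i == ins and (ok is None or ok(a)) for i, a in stages[-1])
    required = {"WORKDIR": None, "EXPOSE": None, "HEALTHCHECK": None,
                "ENTRYPOINT": lambda a: a.startswith("["),            # exec form only
                "USER": lambda a: a.split(":")[0] not in ("root", "0")}
    findings += [f"runtime stage lacks a valid {r}" for r, ok in required.items() if not has(r, ok)]
    if len(stages) < 2 or not has("COPY", lambda a: "--from=" in a):
        findings.append("runtime stage does not copy artifacts from a build stage")
    if not any(i == "RUN" and "--mount=type=cache" in a for s in stages[:-1] for i, a in s):
        findings.append("no BuildKit cache mount in the build stage")
    return findings
```

Feed it the generated Dockerfile in CI and fail the build on a non-empty list; it complements, not replaces, an image scan such as `docker scout cves`.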