Docker Best Practices

1. Small Images

Use alpine or distroless as the base.

2. Multi-Stage Builds

FROM node:20-alpine AS builder
WORKDIR /app
COPY package*.json ./
RUN npm ci
COPY . .
RUN npm run build

FROM node:20-alpine
WORKDIR /app
COPY --from=builder /app/dist ./dist
COPY --from=builder /app/node_modules ./node_modules
USER node
CMD ["node", "dist/index.js"]

3. Non-Root User

Never run the app as root.

4. Use .dockerignore

Prevent copying node_modules and .git.

5. Pin Versions

Don't use latest in production.

6. Security Scanning

Use trivy or grype to find vulnerabilities.

Smaller images = faster deploys and a smaller attack surface.