A guide to keep Docker images lean, secure, and reproducible.

📋 Quick Start Checklist

• [ ] Build with BuildKit (DOCKER_BUILDKIT=1)
• [ ] .dockerignore updated (no secrets, no giant folders)
• [ ] Dependencies pinned (lockfiles/requirements)
• [ ] Multi-stage build used
• [ ] Non-root user configured
• [ ] HEALTHCHECK defined
• [ ] OCI labels set (version, commit SHA, source)
• [ ] CI tags: latest, vX.Y.Z, sha-abcdef
• [ ] Vulnerability scan & SBOM generated
• [ ] Runtime hardened (-read-only, -cap-drop=ALL, resource limits)
• [ ] Logs to stdout/stderr
• [ ] Rollback plan ready (previous tag exists)

1) Keep Images Small

💡 Why: Smaller images build faster, ship faster, and have fewer vulnerabilities.

How

• Use slim bases (python:3.11-slim, alpine when compatible)